Contents

Recommended Group Policy Settings

Quicklaunch Settings

Windows Settings

Skype For Business Settings

Other Policy Settings

     Edge

     Chrome

     Office

Appendix  - How to set a registry key using Group Policy Preferences



Recommended Group Policy Settings

For organizations that manage their meeting rooms and the Quicklaunch meeting room account centrally (domain-attached and managed via Group Policy), we generally recommend applying the settings below that are relevant to your configuration.

In practice for large numbers of rooms it will usually be easier to manage these types of settings via group policy than to attempt to manage each PC individually.


Quicklaunch Settings

The following Group Policy and registry settings are configurable from within Quicklaunch Settings under System > General 

* Where appropriate these should be integrated into the Group Policy for the appropriate Organizational Unit and/or User





Remove Change Password

Removes the Change Password option for the Current User in Windows 10.

GPO

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

Domain member: Disable machine account password changes

Enabled


Registry: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

DisableChangePassword

DWORD

1


Remove Lock Computer

Removes the Lock Computer option for the Current User in Windows 10.

GPO

User Configuration > System > Ctrl+Alt+Del Options

Remove Lock Computer

Enabled


Registry: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableLockWorkstation

DWORD

1


Remove Task Manager

Removes access to the Windows task manager.

GPO

User Configuration > Administrative Templates > System > Logon/Logoff

Disable Task Manager

Enabled


Registry: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableTaskMgr

DWORD

1


Remove Logoff

Removes the option to select logoff in Windows.

GPO

User Configuration > Administrative Templates > Start Menu and Taskbar

Remove Logoff on the Start Menu

Enabled


Registry: 

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

StartMenuLogoff

DWORD

1


Remove Switch User

Removes the option for Fast Switching of Users in Windows

GPO

Computer Configuration > Administrative Templates > System > Logon

Hide entry points for Fast User Switching

Enabled


Registry: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

HideFastUserSwitching 

DWORD

1


Remove Power Options

Removes the option for powering down the Computer in Windows

GPO

User Configuration > Administrative Templates > Start Menu and Taskbar

Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands

Enabled


Registry: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoClose 

DWORD

1


Disable Edge Swipe

Removes access to the Edge Swipe feature in Windows 10.

GPO

Computer Configuration > Administrative Templates > Windows Components > Edge UI

Allow edge swipe

Disabled


Registry: 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EdgeUI

AllowEdgeSwipe

DWORD

1


Disable USB Access

Removes the ability to mount USB Drives

GPO

User Configuration > Policies > Administrative Templates > System > Removable Storage Access

Disable USB Access

Enabled



Registry: 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Start

DWORD

4*


* Set the value to 4 to disconnect the USB ports. If you need to re-enable USB ports, change to default value 3.


Prohibit Access to Control Panel and PC Settings

Removes access to the Control Panel and Settings in Windows

GPO

User Configuration > Administrative Templates > Control Panel

Prohibit access to Control Panel and PC settings

Enabled


Registry: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoControlPanel

DWORD

1


Do not cache ‘work or school’ Account

See FAQ - Do Not Cache Microsoft 'Work or School' Accounts

GPO

Computer Configuration > Administrative Templates > Windows Components > Device Registration

???

Enabled


Registry: 

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin

BlockAADWorkplaceJoin

DWORD

1


Block Consumer account for Microsoft Apps

GPO

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Accounts: Block Microsoft accounts

Enabled


Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

NoConnectedUser

DWORD

1


Disable Notification Center

GPO

User Configuration > Administrative Templates > Start Menu and Taskbar

Remove Notifications and Action Center

Enabled


Registry: 

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer

DisableNotificationCenter

DWORD

1


Hide People Bar

GPO

User Configuration > Administrative Templates > Start Menu and Taskbar

Remove the People Bar from the taskbar

Enabled


Registry: 

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer

HidePeopleBar

DWORD

1


Show the Touch Keyboard when not in tablet mode and there’s no Keyboard attached

GPO

???

????

???


Registry: 

HKEY_CURRENT_USER\Software\Microsoft\TabletTip\1.7

EnableDesktopModeAutoInvoke

DWORD

1
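
The registry values in this section can be checked on a room PC with a short audit script. The PowerShell below is an added example, not part of the Quicklaunch documentation; it covers a subset of the values listed above, and the function name Test-RoomLockdown is hypothetical.

```powershell
# Added example: compare a room PC's registry with values listed on this page.
# Run it in the room account's session so that HKCU: resolves to that user.
$pol = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$expected = @(
    @{ Path = "HKCU:\$pol\System";   Name = 'DisableLockWorkstation'; Data = 1 }
    @{ Path = "HKCU:\$pol\System";   Name = 'DisableTaskMgr';         Data = 1 }
    @{ Path = "HKCU:\$pol\Explorer"; Name = 'StartMenuLogoff';        Data = 1 }
    @{ Path = "HKCU:\$pol\Explorer"; Name = 'NoClose';                Data = 1 }
    @{ Path = "HKCU:\$pol\Explorer"; Name = 'NoControlPanel';         Data = 1 }
    @{ Path = "HKLM:\$pol\System";   Name = 'HideFastUserSwitching';  Data = 1 }
    @{ Path = "HKLM:\$pol\System";   Name = 'NoConnectedUser';        Data = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Name = 'Start';                 Data = 4 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
       Name = 'BlockAADWorkplaceJoin'; Data = 1 }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
       Name = 'HidePeopleBar';         Data = 1 }
)

# Test-RoomLockdown is a hypothetical helper name used only in this example.
function Test-RoomLockdown {
    param([hashtable[]]$Settings)
    foreach ($s in $Settings) {
        # A missing key or value counts as drift, so suppress the read error
        # and treat the result as "not set".
        $item   = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Name) } else { $null }
        [pscustomobject]@{
            Path     = $s.Path
            Name     = $s.Name
            Expected = $s.Data
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Status   = if ($actual -eq $s.Data) { 'OK' } else { 'DRIFT' }
        }
    }
}

$report = Test-RoomLockdown -Settings $expected
$report | Format-Table -AutoSize
# Summarise how many settings differ from the recommended values.
$drift = @($report | Where-Object Status -eq 'DRIFT').Count
"Settings that differ from the recommended values: $drift"
```

A value that is missing after a Group Policy refresh usually means the GPO is not linked to the room PC's Organizational Unit or is not applied to the room account.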




Windows Settings


Item

Description

Recommended Value

AutoLogin

There are 3 methods of enabling autologin (the first 2 will not work on domain-attached PCs):


  • NetPlWiz
  • Hardcode the plain-text username and password into the WINNT hive
  • Microsoft SysInternals Autologon tool


https://docs.microsoft.com/en-us/sysinternals/downloads/autologon


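Note that this can be run from the command line with PowerShell. The account has to exist on the PC before the command is run.


# Path to the downloaded Sysinternals Autologon executable
$autologon = "C:\Users\robert\Downloads\autologon.exe"
# Account to log on automatically, and its domain
$username = "robert"
$domain = "my.domain"
$password = "password"

# Autologon takes user, domain and password as arguments; /accepteula suppresses the licence prompt
Start-Process $autologon -ArgumentList $username, $domain, $password, "/accepteula"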





Show Keyboard on Taskbar

HKLM\Software\Microsoft\TabletTip\1.7

"TipbandDesiredVisibility"=dword:00000001

Disable ADAL for Office

Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\

"EnableADAL"=dword:00000000

Settings - Internet Options - Advanced - Security -
Enable Integrated Windows Authentication


Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

"EnableNegotiate"=dword:00000000

Settings - Internet Options – Delete on Exit


Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache

"Persistent"=dword:00000000

Show the touch keyboard when not in tablet mode and keyboard not plugged in


Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7

"EnableDesktopModeAutoInvoke"=dword:00000001

Show Touch Keyboard on Taskbar


Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7

"TipbandDesiredVisibility"=dword:00000001

Hide Notification Center

Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer

"DisableNotificationCenter"=dword:00000001

Hide Taskview

Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

"ShowTaskViewButton"=dword:00000000

Hide PeopleBar

Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer

"HidePeopleBar"=dword:00000001




Disable Windows Updates

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

"AUOptions"=dword:00000002



Skype For Business Settings

Note that Skype for Business client settings are configured using the Set-CsClientPolicy cmdlet in PowerShell:

https://docs.microsoft.com/en-us/powershell/module/skype/set-csclientpolicy?view=skype-ps


Save IM conversations in my email Conversation History

Description: When set to True, a transcript of every instant message session that a user takes part in will be saved to the Conversation History folder in Outlook. When set to False, these transcripts will not be saved automatically. (However, users will have the option to manually save instant message transcripts.)

Variable: -EnableIMAutoArchiving

Recommended Value: False


Save Call logs in my email

Description: When set to True, information about your incoming and outgoing phone calls is automatically saved to the Conversation History folder in Outlook. (The actual call itself is not recorded. What is recorded is information such as who took part in the call, the length of the call, and whether this was an incoming or an outgoing call.) When set to False, this information is not saved to Outlook.

Variable: -EnableCallLogAutoArchiving

Recommended Value: False


Show IM

Description: Option in Skype for Business under “Skype Meetings”

Variable: NO Setting Available

Recommended Value: NA


Show the participants list

Description: Option in Skype for Business under “Skype Meetings”

Variable: NO Setting Available

Recommended Value: NA


Ask me which audio device I want to use

Description: Option in Skype for Business under “Skype Meetings”

Variable: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Lync

Recommended Value: DWORD: AllowOverridingDeviceAtJoinTime = 0


Disable Prompt for Rating

Description: The RateMyCallDisplayPercentage setting adjusts how often users are prompted for feedback, ranging from 0 to 100. The default value is 10, meaning that users will get prompted for feedback 10% of the time after they finish a call. Setting this to 0 means users will never get prompted. When set to 100, users will get prompted after every call.

Variable: -RateMyCallDisplayPercentage

Recommended Value: 0



Other Policy Settings


Edge


https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/

Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\

Configure Start Pages

Allow clearing browsing data on exit : 1

Allow Saving History : 0

Configure Autofill : 0

Do not sync : 2

Allow Extensions : 0

Prevent turning off required extensions : 1

Prevent changes to Favorites on Microsoft Edge : 1

Set Home Button URL: string

Unlock Home Button : 0

Do not sync browser settings : 0

Prevent users from turning on browser syncing : 1


Chrome


Chrome Administrative Templates: https://support.google.com/chrome/a/answer/187202?hl=en

HomepageLocation: set to appropriate location

ForceEphemeralProfiles : True

SyncDisabled : True


Disable Offer to Save Passwords in Chrome


GPO

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

PasswordManagerEnabled

dword:00000000


Registry:



Office

Note: Office 2016 templates from Microsoft can be found here:

Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool



Appendix  - How to set a registry key using Group Policy Preferences

 

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

WARNING: Make sure you have not applied this policy to any computers before you begin, as this will automatically log on any computer that this policy is applied to.

 

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry


 

 

 

Step 3. In the Menu click on Action > New > Registry Item