Content:
Recommended Group Policy Settings.
Quicklaunch Settings.
Windows Settings
Skype For Business Settings
Other Policy Settings
Edge
Chrome
Office
Appendix - How to set a registry key using Group Policy Preferences.
Recommended Group Policy Settings
For organizations that manage their meeting rooms and the Quicklaunch meeting room account centrally (Domain Attached and managed via Group Policy), we generally recommend applying the settings below that are relevant to your configuration.
In practice, for large numbers of rooms it will usually be easier to manage these types of settings via Group Policy than to attempt to manage each PC individually.
Quicklaunch Settings
The following Group Policy and registry settings are configurable from within Quicklaunch Settings under System > General.
* Where appropriate these should be integrated into the Group Policy for the appropriate Organizational Unit and/or User
Remove Change Password
Removes the Change Password option for the Current User in Windows 10.
GPO
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options | Domain member: Disable machine account password changes | Enabled |
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies | DisableChangePassword | DWORD | 1 |
Remove Lock Computer
Removes the Lock Computer option for the Current User in Windows 10.
GPO
User Configuration > System > Ctrl+Alt+Del Options | Remove Lock Computer | Enabled |
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableLockWorkstation | DWORD | 1 |
Remove Task Manager
Removes access to the Windows task manager.
GPO
User Configuration > Administrative Templates > System > Logon/Logoff | Disable Task Manager | Enabled |
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr | DWORD | 1 |
Remove Logoff
Removes the option to select logoff in Windows.
GPO
User Configuration > Administrative Templates > Start Menu and Taskbar | Remove Logoff on the Start Menu | Enabled |
Registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | StartMenuLogoff | DWORD | 1 |
Remove Switch User
Removes the option for Fast Switching of Users in Windows
GPO
Computer Configuration > Administrative Templates > System > Logon | Hide entry points for Fast User Switching | Enabled |
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | HideFastUserSwitching | DWORD | 1 |
Remove Power Options
Removes the option for powering down the Computer in Windows
GPO
User Configuration > Administrative Templates > Start Menu and Taskbar | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | Enabled |
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoClose | DWORD | 1 |
Disable Edge Swipe
Removes access to the Edge Swipe feature in Windows 10.
GPO
Computer Configuration > Administrative Templates > Windows Components > Edge UI | Allow edge swipe | Disabled |
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EdgeUI | AllowEdgeSwipe | DWORD | 1 |
Disable USB Access
Removes the ability to mount USB Drives
GPO
User Configuration > Policies > Administrative Templates > System > Removable Storage Access | Disable USB Access | Enabled |
Registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR | Start | DWORD | 4* |
* Set the value to 4 to disconnect the USB ports. If you need to re-enable USB ports, change to default value 3.
Prohibit Access to Control Panel and PC Settings
Removes access to the Control Panel and Settings in Windows
GPO
User Configuration > Administrative Templates > Control Panel | Prohibit access to Control Panel and PC settings | Enabled |
Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoControlPanel | DWORD | 1 |
Do not cache ‘work or school’ Accounts
See FAQ - Do Not Cache Microsoft 'Work or School' Accounts
GPO
Computer Configuration > Administrative Templates > Windows Components > Device Registration | ??? | Enabled |
Registry:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin | BlockAADWorkplaceJoin | DWORD | 1 |
Block Consumer account for Microsoft Apps
GPO
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options | Accounts: Block Microsoft accounts | Enabled |
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | NoConnectedUser | DWORD | 1 |
Disable Notification Center
GPO
User Configuration > Administrative Templates > Start Menu and Taskbar | Remove Notifications and Action Center | Enabled |
Registry:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer | | DWORD | 1 |
Hide People Bar
GPO
User Configuration > Administrative Templates > Start Menu and Taskbar | Remove the People Bar from the taskbar | Enabled |
Registry:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer | HidePeopleBar | DWORD | 1 |
Show the Touch Keyboard when not in tablet mode and there’s no Keyboard attached
GPO
??? | ???? | ??? |
Registry:
HKEY_CURRENT_USER\Software\Microsoft\TabletTip\1.7 | EnableDesktopModeAutoInvoke | DWORD | 1 |
Restrict Zoom Desktop Client Login
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Zoom\Zoom Meetings\General or HKEY_CURRENT_USER\SOFTWARE\Policies\Zoom\Zoom Meetings\General | DisableFaceBookLogin | Dword | 1 |
| DisableGoogleLogin | Dword | 1 |
| DisableLoginWithSSO | Dword | 1 |
| KeepSignedIn | Dword | 0 |
Force Ephemeral Mode
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge | ForceEphemeralProfiles | Dword | 1 |
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome | ForceEphemeralProfiles | Dword | 1 |
Disable Browser Password Manager
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome | PasswordManagerEnabled | Dword32 | 0 |
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge | PasswordManagerEnabled | Dword32 | 0 |
How to force install Google Chrome extensions: https://quicklaunch.ucworkspace.com/a/solutions/articles/3000105710?portalId=3000000352
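To confirm that a room PC has actually picked up these settings, the registry values can be compared against the tables above. The script below is an added example, not part of Quicklaunch or of the original article; the function name Test-RoomLockdown is hypothetical and the baseline covers only a subset of the values listed on this page.

```powershell
# Added example: expected values are copied from the tables on this page.
# HKCU entries are evaluated for the account running the script, so run it
# as the meeting room account to audit the per-user settings.
$Baseline = @(
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation'; Value = 1 }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';         Value = 1 }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose';                Value = 1 }
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';         Value = 1 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'HideFastUserSwitching';  Value = 1 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';  Name = 'NoConnectedUser';        Value = 1 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin';          Name = 'BlockAADWorkplaceJoin';  Value = 1 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR';                  Name = 'Start';                  Value = 4 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge';                           Name = 'ForceEphemeralProfiles'; Value = 1 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome';                            Name = 'PasswordManagerEnabled'; Value = 0 }
)

function Test-RoomLockdown {
    param([hashtable[]]$Settings = $Baseline)
    foreach ($s in $Settings) {
        # A missing key or value returns nothing and is reported as non-compliant.
        $item   = Get-ItemProperty -Path "Registry::$($s.Key)" -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($s.Name) } else { $null }
        [pscustomobject]@{
            Key       = $s.Key
            Name      = $s.Name
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $s.Value)
        }
    }
}

# Show only drifted or missing values; an empty result means the PC matches.
Test-RoomLockdown | Where-Object { -not $_.Compliant } |
    Format-Table Name, Expected, Actual, Key -AutoSize
```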
Windows Settings
Item | Description | Recommended Value |
AutoLogin | There are 3 methods of enabling autologin (the first 2 will not work with domain attached):
https://docs.microsoft.com/en-us/sysinternals/downloads/autologon
Note this can be run from the command line with PowerShell. The account has to exist on the PC prior to running the command.
    # Path to the downloaded Sysinternals Autologon executable
    $autologon = "C:\Users\robert\Downloads\autologon.exe"
    $username = "robert"
    $domain = "my.domain"
    $password = "password"
    # Arguments are positional: user name, domain, password; /accepteula accepts the license prompt
    Start-Process $autologon -ArgumentList $username, $domain, $password, "/accepteula"
Show Keyboard on Taskbar | Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\TabletTip\1.7 | "TipbandDesiredVisibility"=dword:00000001 |
Disable ADAL for Office | Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\ | "EnableADAL"=dword:00000000 |
Settings - Internet Options - Advanced - Security - | Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "EnableNegotiate"=dword:00000000 |
Settings - Internet Options – Delete on Exit | Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache | "Persistent"=dword:00000000 |
Show the touch keyboard when not in tablet mode and keyboard not plugged in | Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7 | "EnableDesktopModeAutoInvoke"=dword:00000001 |
Show Touch Keyboard on Taskbar | Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\TabletTip\1.7 | "TipbandDesiredVisibility"=dword:00000001 |
Hide Notification Center | Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer | "DisableNotificationCenter"=dword:00000001 |
Hide Taskview | Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced | "ShowTaskViewButton"=dword:00000000 |
Hide PeopleBar | Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer | "HidePeopleBar"=dword:00000001 |
Disable Windows Updates | Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | "AUOptions"=dword:00000002 |
Skype For Business Settings
Note that Skype For Business client settings are configured using the Set-CsClientPolicy cmdlet in PowerShell:
https://docs.microsoft.com/en-us/powershell/module/skype/set-csclientpolicy?view=skype-ps
Text | Description | Variable | Recommended Value |
Save IM conversations in my email Conversation History | When set to True, a transcript of every instant message session that a user takes part in will be saved to the Conversation History folder in Outlook. When set to False, these transcripts will not be saved automatically. (However, users will have the option to manually save instant message transcripts.) | -EnableIMAutoArchiving | False |
Save Call logs in my email | When set to True, information about your incoming and outgoing phone calls is automatically saved to the Conversation History folder in Outlook. (The actual call itself is not recorded. What is recorded is information such as who took part in the call; the length of the call and whether this was an incoming or an outgoing call.) When set to False, this information is not saved to Outlook. | -EnableCallLogAutoArchiving | False |
Show IM | option in Skype for business under “Skype Meetings” | NO Setting Available | NA |
Show the participants list | option in Skype for business under “Skype Meetings” | NO Setting Available | NA |
Ask me which audio device I want to use | option in Skype for business under “Skype Meetings” | HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Lync | DWORD: AllowOverridingDeviceAtJoinTime = 0 |
Disable Prompt for Rating | The RateMyCallDisplayPercentage setting adjusts how often users are prompted for feedback, ranging from 0 to 100. The default value is 10, meaning that users will get prompted for feedback 10% of the time after they finish a call. Setting this to 0 means users will never get prompted. When set to 100, users will get prompted after every call. | -RateMyCallDisplayPercentage | 0 |
Other Policy Settings
Edge
https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
Configure Start Pages
Allow clearing browsing data on exit : 1
Allow Saving History : 0
Configure Autofill : 0
Do not sync : 2
Allow Extensions : 0
Prevent turning off required extensions : 1
Prevent changes to Favorites on Microsoft Edge : 1
Set Home Button URL: string
Unlock Home Button : 0
Do not sync browser settings : 0
Prevent users from turning on browser syncing : 1
Chrome
Chrome Administrative Templates: https://support.google.com/chrome/a/answer/187202?hl=en
HomepageLocation: set to appropriate location
ForceEphemeralProfiles : True
SyncDisabled : True
Disable Offer to Save Passwords in Chrome
Registry:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome | PasswordManagerEnabled | dword:00000000 |
Office
Note: Office 2016 templates from Microsoft can be found here:
Office 2016 Administrative Template files (ADMX/ADML) and Office Customization Tool
Appendix - How to set a registry key using Group Policy Preferences
Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.
WARNING: Make sure you have not applied this policy to any computers before you begin, as this will automatically log on any computer that this policy is applied to.
Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry
Step 3. In the Menu click on Action > New > Registry Item
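The same kind of registry preference item can be created from PowerShell with the GroupPolicy module (installed with the Group Policy Management tools) instead of the editor. This is an added example, not part of the original article; the GPO name "Meeting Room Lockdown" is hypothetical, the GPO must already exist, and the keys and values are taken from the tables earlier on this page.

```powershell
Import-Module GroupPolicy

$GpoName = 'Meeting Room Lockdown'   # hypothetical GPO name; must already exist

# Registry items to publish as Group Policy Preferences (values from this page).
$Items = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'HideFastUserSwitching'; Value = 1 }
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge';                          Name = 'PasswordManagerEnabled'; Value = 0 }
    @{ Key = 'HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer';               Name = 'HidePeopleBar';          Value = 1 }
)

foreach ($i in $Items) {
    # HKLM items belong under Computer Configuration, HKCU items under User Configuration.
    $context = if ($i.Key -like 'HKEY_LOCAL_MACHINE\*') { 'Computer' } else { 'User' }

    # Remove any existing item for this value first so that re-running the
    # script leaves a single preference item per value.
    Remove-GPPrefRegistryValue -Name $GpoName -Context $context -Key $i.Key `
        -ValueName $i.Name -ErrorAction SilentlyContinue | Out-Null

    Set-GPPrefRegistryValue -Name $GpoName -Context $context -Action Update `
        -Key $i.Key -ValueName $i.Name -Type DWord -Value $i.Value | Out-Null
}

# Read the items back from the GPO to confirm what will be applied.
foreach ($i in $Items) {
    $context = if ($i.Key -like 'HKEY_LOCAL_MACHINE\*') { 'Computer' } else { 'User' }
    Get-GPPrefRegistryValue -Name $GpoName -Context $context -Key $i.Key -ValueName $i.Name
}
```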