Group Policy Objects – VDA User Settings – Carl Stalhood

User Lockdown

The following is a list of Group Policy settings recommended by Microsoft to lock down a Remote Desktop Session Host / Citrix session. These settings should go in the Citrix VDA Non-Admin Users GPO. All settings are located at User Configuration > Policies. This page assumes the GPOs have already been created and Loopback Processing has already been enabled. Some of the settings in this section might require the newer Windows Group Policy Templates.

Update: I had discovered that this original ADMX template was missing some Internet Explorer 11 Group Policy settings. As a result the ADMX/ADML pack has now been re.

Download and install the Office Policy Templates. The Group Policy Administrative Templates and documentation files are specific for each Office version.

Navigation
- Create Group Policy Objects (separate article)
- VDA Group Policy Computer Settings (separate article)
- User Lockdown
- File Explorer
- Internet Explorer/Edge

Control Panel GPO Settings

User Configuration | Policies | Administrative Templates | Control Panel
- Always open All Control Panel Items when opening Control Panel = enabled
- Show only specified Control Panel items = enabled, canonical names =
  - Microsoft.RegionAndLanguage
  - Microsoft.NotificationAreaIcons
  - MLCFG3. CPL
  - Microsoft.Personalization
  - Microsoft.Mouse
  - Microsoft.DevicesAndPrinters
  - Microsoft.System (lets users see the computer name)

User Configuration | Policies | Administrative Templates | Control Panel | Add or Remove Programs
- Remove Add or Remove Programs = enabled

User Configuration | Policies | Administrative Templates | Control Panel | Programs
- Hide the Programs Control Panel = enabled

Desktop GPO Settings

User Configuration | Policies | Administrative Templates | Desktop
- Hide Network Locations icon on desktop = enabled
- Prohibit user from manually redirecting Profile Folders = enabled
- Remove Properties from the Computer icon context menu = enabled
- Remove Properties from the Recycle Bin icon context menu = enabled

If you prevent access to the Properties of the Computer icon then users might not be able to determine the name of the machine they are connected to.

Start Menu & Taskbar GPO Settings

User Configuration | Policies | Administrative Templates | Start Menu & Taskbar
- Clear the recent programs list for new users = enabled
- Do not allow pinning Store app to the taskbar = enabled
- Remove and prevent access to Shut Down, Restart, Sleep, and Hibernate commands = enabled
- Remove common program groups from Start Menu = enabled (only if you have some other means for putting shortcuts back on the user’s Start Menu/Desktop. Also, enabling this setting might prevent Outlook 2. Microsoft 3. 01. 48.
- Remove Help menu from Start Menu = enabled
- Remove links and access to Windows Update = enabled
- Remove Network Connections from Start Menu = enabled
- Remove Network icon from Start Menu = enabled
- Remove Run menu from Start Menu = enabled
- Remove the Action Center icon = enabled (not in Windows 1.
- Remove the networking icon = enabled
- Remove the Security and Maintenance icon = enabled (Windows 1.
- Remove user folder link from Start Menu = enabled

If you hide common program groups, then you will need some other method of creating application shortcuts for each user. Group Policy Preferences Shortcuts is the typical method.

Removing the Run menu also prevents users from entering drive letters in Internet Explorer.

CTP Eric Haavarstein Customize Windows 1. Start Screen and Optimize for Higher User Density contains the following:
- Lock down a section of the Start Menu
- Configure Citrix Profile Management to roam the Start Menu
- Remove Provisioned Apps
- Tune Windows using OS Optimization Tool
- Disable Telemetry services

Microsoft Technet Customize Windows 1. Start with Group Policy.

From René Bigler at UPM 5. Server 2012 R2 Startlayout at discussions.
To include Explorer, IE, and Computer icons in the Start Layout XML, “create shortcuts to this standard items in C:\ProgramData\Microsoft\Windows\Start Menu\Programs and use this new shortcuts to create the tiles in your start layout xml”.

System GPO Settings

User Configuration | Policies | Administrative Templates | System
- Prevent access to registry editing tools = enabled, Disable regedit from running silently = No
- Prevent access to the command prompt = enabled, Disable command prompt script processing = No

Disabling registry editing tools also disables reg. This is true even if silently is set to No.

Explorer GPO Settings

User Configuration | Policies | Administrative Templates | Windows Components | File Explorer (Windows 8+) or Windows Explorer (Windows 7)
- Hide these specified drives in My Computer = enabled, Restrict A, B, C, and D drives only
- Hides the Manage item on the File Explorer context menu = enabled
- Prevent access to drives from My Computer = enabled, Restrict A, B, C, and D drives only. If this setting is enabled, you can’t use Start Menu’s search to find programs.
- Prevent users from adding files to the root of their Users Files folder = enabled
- Remove “Map Network Drive” and “Disconnect Network Drive” = enabled
- Remove Hardware tab = enabled
- Remove Security Tab = enabled
- Turn off caching of thumbnail pictures = enabled

From Citrix Discussions: To hide specific drive letters:
- User Configuration => Preferences => Windows Settings => Drive Maps => New Mapped Drive
- Choose Action Update => Drive Letter Existing C => Hide this drive
- Common Tab: Run in logged-on user’s Security.

Windows Update GPO Settings

User Configuration | Policies | Administrative Templates | Windows Components | Windows Update
- Remove access to use all Windows Update features = enabled, 0 – Do not show any notifications

Hide Favorites, Libraries, Network and redirected local drives
Terence Luk Hide Favorites, Libraries, Network and redirected local drives for Citrix and RDS published RemoteApp applications: See the Blog Post for instructions to edit the registry on the VDA to hide these items.

Similar instructions are provided by David Wilkinson at Remove Quick Access from File Explorer in Windows Server 2. File Explorer.

From TenForums How to Hide or Show Sync Provider Notifications within File Explorer in Windows 1. Windows 1. 0 1. 60. File Explorer. To stop these, use Group Policy Preferences to set the following registry value:
- Key = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Value = ShowSyncProviderNotifications (DWORD) = 0

Windows Spotlight

Windows 1. 0 1. 70. Windows (Start Menu, lock screen, Action Center, Explorer, etc.). These notifications are configurable at User Configuration | Policies | Administrative Templates | Windows Components | Cloud Content.

Also see Richard Hay Windows 1. Creators Update: Turn Off Suggestions, Tips, and Ads Throughout the Operating System and Chris Hoffman How to Disable All of Windows 1. Built-in Advertising.

Explorer Replacement

Instead of locking down Windows File Explorer, you can run a 3rd party Explorer like Tablacus Explorer. The tool is detailed by Marco Hofmann at Tablacus Explorer is an awesome replacement for explorer. XenApp published Application!

Flickering Icons

If you published a desktop on Windows Server 2. Desktop folder to a network share, then desktop icons might flicker. Helge Turk at XenApp 7. 1. 2/1. 3, Server 2. 01. Citrix Discussions resolved it by creating the following Registry Key using Group Policy Preferences: HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{0. E4. 82. 5- 7. B9. B1. 31- E9. 46. B4. C8. DD5}

Internet Explorer / Edge Settings

This section assumes the GPOs have already been created.

Internet Explorer First Run Wizard

When a new user launches Internet Explorer, the first run wizard appears.
To prevent this from occurring, edit the Citrix VDA All Users GPO.

Internet Explorer First Run GPO Settings

User Config | Policies | Administrative Templates | Windows Components | Internet Explorer
- Prevent managing SmartScreen Filter = enabled, on
- Prevent running First Run Wizard = enabled, Go directly to home page
- Specify default behavior for a new tab page = enabled, Home page
- Turn on Suggested Sites = disabled

User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Compatibility View
- Include updated Web site lists from Microsoft = enabled

User Config | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel | Advanced Page
- Turn on Enhanced Protected Mode = disabled

Enhanced Protected Mode might disable Internet Explorer add-ons. Read the text to determine if it should be disabled.

Users might see a message that Protected mode is turned off for the Local intranet zone. To prevent this message, do the following:
- Edit the Citrix VDA All Users GPO.
- Go to User Configuration > Preferences > Windows Settings > Registry.
- Create a new Registry Item.
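
An added audit script, not part of the original page: run in a non-admin user's session on the VDA, it checks whether the System, Start Menu and File Explorer lockdown settings listed earlier, plus the ShowSyncProviderNotifications preference, actually landed in HKCU. Only the ShowSyncProviderNotifications key and value come from the page; the other registry value names and data are assumptions based on the standard Windows ADMX templates, and `Get-DriveMask` is a hypothetical helper.

```powershell
# Added example. Value names/data (except ShowSyncProviderNotifications) are
# assumed from the standard Windows ADMX templates; confirm against your templates.
function Get-DriveMask {
    # NoDrives / NoViewOnDrive are bitmasks: A = bit 0, B = bit 1 ... Z = bit 25.
    param([Parameter(Mandatory)][char[]]$Letter)
    $mask = 0
    foreach ($l in $Letter) {
        $bit = [int]([char]::ToUpper($l)) - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $l" }
        $mask = $mask -bor (1 -shl $bit)
    }
    $mask
}

$abcd     = Get-DriveMask -Letter 'A','B','C','D'   # "Restrict A, B, C, and D drives only"
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$polSys   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$advanced = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$expected = @(
    @{ Path = $explorer; Name = 'NoDrives';               Data = $abcd } # Hide these specified drives
    @{ Path = $explorer; Name = 'NoViewOnDrive';          Data = $abcd } # Prevent access to drives
    @{ Path = $explorer; Name = 'NoRun';                  Data = 1 }     # Remove Run menu
    @{ Path = $explorer; Name = 'NoClose';                Data = 1 }     # Remove Shut Down, Restart, ...
    @{ Path = $explorer; Name = 'NoNetConnectDisconnect'; Data = 1 }     # Remove Map Network Drive
    @{ Path = $system;   Name = 'DisableRegistryTools';   Data = 1 }     # silently = No
    @{ Path = $polSys;   Name = 'DisableCMD';             Data = 2 }     # script processing = No
    @{ Path = $advanced; Name = 'ShowSyncProviderNotifications'; Data = 0 } # from the page
)

# Compare each expected value with what the logged-on user's hive contains.
$report = foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Key      = $e.Path
        Value    = $e.Name
        Expected = $e.Data
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Ok       = ($null -ne $actual -and $actual -eq $e.Data)
    }
}
$report | Format-Table -AutoSize
```

Rows showing `<not set>` in a test user's session usually mean the Non-Admin Users GPO or loopback processing is not applying to that user on that machine.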