Windows 10: Advanced Management

Windows 10 is not only a new operating system with a new user interface; it also has a new logic, starting with a kernel, called OneCore, designed to be a single one for all devices: Windows 10, Windows 10 Mobile, Windows IoT and Xbox.

 

One of the main cores of Windows 10 is the Universal Windows App, but this “mode” is not loved by end-users because Windows means “Desktop”, not “Apps” as on iOS or Android.

 

These kinds of apps also make life very hard for IT admins because sometimes there’s no way to manage them via Group Policy. UWAs are not the only problem: some new features are not present in GPO, and this means creating registry keys and using other tricks to standardize the corporate infrastructure.

 

In this article, I will show some tips for managing Windows 10 better via GPO.

 

Remove Default Apps

Removing unnecessary apps, like Solitaire or Candy Crush, is easy on a single machine, boring on 10, and out of the question on 20 or more. To solve this, we can use a PowerShell script to remove all these apps:

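# Names of the built-in apps to remove (the Name value shown by Get-AppxPackage)
$AppsList = "Microsoft.BingNews", "Microsoft.Office.Sway", "Microsoft.WindowsPhone", "Microsoft.Office.OneNote", "Microsoft.Messaging", "Microsoft.CommsPhone","Microsoft.XboxApp","Microsoft.SkypeApp","Microsoft.MicrosoftSolitaireCollection","Microsoft.BingSports", "Microsoft.BingFinance", "Microsoft.MicrosoftOfficeHub","Microsoft.Getstarted","Microsoft.3DBuilder"

ForEach ($App in $AppsList)
{
    # Package installed for the current user, if any
    $PackageFullName = (Get-AppxPackage -Name $App).PackageFullName
    # Provisioned package that is installed for every new user profile, if any
    # (the provisioned-package cmdlets require administrative rights)
    $ProPackageFullName = (Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -eq $App }).PackageName

    # A name can match more than one package, so remove each match in turn;
    # nothing runs when no package was found
    ForEach ($Package in $PackageFullName)
    {
        Remove-AppxPackage -Package $Package
    }
    ForEach ($ProPackage in $ProPackageFullName)
    {
        Remove-AppxProvisionedPackage -Online -PackageName $ProPackage
    }
}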

If you want to remove other apps, run the cmdlet Get-AppxPackage | ft and add the Name value to the variable $AppsList.

 

Apps are managed per user, and this means adding the script to the Logon Script area, under PowerShell Scripts, as shown in Figure 1.

 


Figure 1 – Logon Script

 

Quick Access and Show Recent

Another new feature, very ugly IMHO, is Quick Access, a new mode for viewing the most recently opened files and folders. For the classic end-user who moves from Windows 7/8.1, this kind of view could be dangerous, in particular because we, as IT admins, have spent years explaining the Jump List.

To disable these two features, it’s necessary to create 3 different registry keys. Once again we work per user, as shown in Figure 2.

 


Figure 2 – Registry Key

 

Disable Quick Access

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value Name: LaunchTO
Value Type: REG_DWORD
Value Data: 1
Base: Decimal

 

Disable Show Frequent

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer
Value Name: ShowFrequent
Value Type: REG_DWORD
Value Data: 0
Base: Decimal

 

Disable Show Recent

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer
Value Name: ShowRecent
Value Type: REG_DWORD
Value Data: 0
Base: Decimal
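
To confirm that the three items above actually reached a user's profile, the following added example (not part of the original article) reads the values back from HKEY_CURRENT_USER and reports each one as compliant or not. The function name Test-ExplorerBaseline and the shape of its output are assumptions made for this example.

```powershell
# Added example: audit the three per-user Explorer values described above.
# Test-ExplorerBaseline is a hypothetical name, not a built-in cmdlet.
function Test-ExplorerBaseline {
    [CmdletBinding()]
    param(
        # Registry drive to inspect; HKCU: is the hive of the logged-on user
        [string]$Hive = 'HKCU:'
    )

    # Desired state, copied from the three registry items in the article
    $baseline = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'LaunchTO';     Expected = 1 }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer';          Name = 'ShowFrequent'; Expected = 0 }
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer';          Name = 'ShowRecent';   Expected = 0 }
    )

    foreach ($item in $baseline) {
        $path = "$Hive\$($item.Key)"

        # A missing key or value produces no output instead of stopping the script
        $props  = Get-ItemProperty -Path $path -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($item.Name) } else { $null }

        [pscustomobject]@{
            Path      = $path
            Name      = $item.Name
            Expected  = $item.Expected
            Actual    = $actual
            # An unset value is reported as non-compliant, never as a match for 0
            Compliant = ($null -ne $actual) -and ($actual -eq $item.Expected)
        }
    }
}

# Run in the user's session (for example from the same logon script area)
Test-ExplorerBaseline | Format-Table Name, Expected, Actual, Compliant -AutoSize
```

Because the settings are per user, the check has to run in the context of the user being audited; run from an administrator's session it reports that administrator's own hive.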

 

Disable OneDrive

Small companies use a file server, and sometimes OneDrive for Business if there’s an Office 365 subscription and if the boss is “smart” and understands the potential of the technology. Medium and large companies instead use SharePoint, on-premises or in the cloud. This means that OneDrive could be a big risk because there’s no control from IT, so in most cases it could be better to disable it on each PC.

 

This task is available from a classic GPO, Figure 3, and we can also disable OneDrive from Computer Configuration (Administrative – Windows Components – OneDrive).

 


Figure 3 – Disable OneDrive

 

Windows Store for Business

One of the most important new add-ons for Windows 10 is Windows Store for Business, Figure 4, which allows you to create a corporate repository of approved apps that all internal users can download and use. WSB is totally free, and the good thing is its compatibility with Windows 10 Mobile.

 


Figure 4 – Windows Store for Business

 

To disable WSB for Microsoft accounts, it is necessary to use a Mobile Device Management platform, like Microsoft Intune. More information is available at this link: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-access-to-private-store

 

Turn Off Windows Store

For all companies that want to disable the Windows Store, maybe because they don’t need it, it is possible to set the GPO: User Configuration>Administrative Templates>Windows Components>Store>Turn off the Store

 

NB: Starting with Windows 10 build 1511, the Enterprise or Education SKU is required to disable the Store!

 

Windows 10 is a great new operating system with a new management approach. It’s clear that the classic GPOs are no longer enough, and this means rethinking everything and also implementing the MDM solution Microsoft Intune.