Windows 10: Advanced Management

Windows 10 is not only a new operating system with a new User Interface but has a new logic, starting from Kernel designed to be only one for all devices, called OneCore, like Windows 10, Windows 10 Mobile, Windows IoT and Xbox.

 

One of the main core of Windows 10 is Universal Windows App, but this “mode” is not loved by end-users because Windows means “Desktop” not “Apps” like iOS or Android.

 

By the way, these kind of apps, make IT Admins very hard because, sometime, there’s no way to manage them via Group Policy. UWA are not the only problem, some new features are not present into GPO and this means create registry key and other tricks to standardize corporate infrastructure.

 

During this article, I will show some tips to manage Windows 10 better via GPO.

 

Remove Default Apps

Remove un-necessary app, like Solitaire or Candy Crush, is easy for one single machine, boring for 10, out of mind for 20 or more. To resolve this, we can use a PowerShell script to remove all these apps:

If you want remove other apps, run the cmdlet Get-AppxPackage | ft and add the Name value into variable $AppsList.

 

Apps are managed per user and this means add the script into Logon Script area, as PowerShell Scripts, as showed into figure 1.

 

2016_06_12_W10-01

Figure 1 – Logon Script

 

Quick Access and Show Recent

Another new feature, very ugly IHMO, is Quick Access a new mode to view last opened files and folders. For the classic end-user who move from Windows 7/8.1 this kind of view could be dangerous in particular because as IT Admin, we spend, years to explain the Jump List.

To disable these two features, it’s necessary create 3 different registry key. Once again we work per User, as showed in figure 2.

 

2016_06_12_W10-02

Figure 2 – Registry Key

 

Disable Quick Access

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value Name: LaunchTO
Value Type: REG_DWORD
Value Data: 1
Base: Decimal

 

Disable Show Frequent

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer
Value Name: ShowFrequent
Value Type: REG_DWORD
Value Data: 0
Base: Decimal

 

Disable Show Recent

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Windows\CurrentVersion\Explorer
Value Name: ShowRecent
Value Type: REG_DWORD
Value Data: 0
Base: Decimal

 

Disable OneDrive

Small companies use file server, sometime OneDrive for Business if there’s Office 365 subscription and if the boss is “smart” and understand the potential of technology. Instead the medium/large companies use SharePoint, on-premises or on-cloud. This means that OneDrive could be a big risk because there’s no control from IT, so in the most of cases could be better disable from each PC.

 

This kind of task is available from classic GPO, figure 3, and we can also disable OneDrive from Computer Configuration (Administrative – Windows Components – OneDrive).

 

2016_06_12_W10-03

Figure 3 – Disable OneDrive

 

Windows Store for Business

One of the most important new add-on for Windows 10 is Windows Store for Business, figure 4, that allows to create a corporate repository with the approved apps that all internal users can download and use. WSB is totally free and the good thing is the compatibility with Windows 10 Mobile.

 

2016_06_12_W10-04

Figure 4 – Windows Store for Business

 

To disable WSB to Microsoft Account is necessary use a Mobile Device Management platform, like Microsoft Intune. More information are available at this link: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-access-to-private-store

 

Turn Off Windows Store

For all companies who want disable Windows Store, maybe because they don’t need it, it possible set GPO: User Configuration>Administrative Templates>Windows Components>Store>Turn off the Store

 

NB: Starting Windows 10 build 1511 it’s required SKU Enterprise or Educational to disable the store!

 

Windows 10 is a new great operating system with a new management approach. It’s clear that the classic GPO are not enough, not more, and this means re-think everything and implement also MDM solution Microsoft Intune.

Do you like the article? Post it via social!