Five must-have Group Policy settings to make people productive with Windows 8 on day one

Reading Time: 3 minutes

cup_coffee-256Being one of the first companies to roll out Windows 8 to our employees and aiming to be done with the deployment before October 26nd 2012 (the date Windows 8 becomes available to everyone on new computers), we’re looking at Group Policy settings to make Windows 8 as usable and recognizable as possible to our colleagues.

In this blogpost I’ll show you the Five new must-have Group Policy settings I’ve been contemplating on using to make our colleagues productive with Windows 8 as much as possible, by allowing them to logon securely, providing them with a consistent user interface that doesn’t distract them from their work and helping them out when they run into problems.

This is not a complete list. Since some features are enabled by default (the password reveal button, for instance) I didn’t include them in this list. Also, I’ve not written down any of the pre-Windows 8 Group Policy settings, since I think you’ve probably already use them, or can find them somewhere else.

1. Turn off picture password sign-in

Windows 8 introduces a new feature for user authentication. The Picture password allows users to log on by performing three actions on a picture of their choice. While this feature is certainly useful for tablets and demo machines, it makes shoulder surfing extremely easy and in our organization has already been misused in that way. I vote to disable picture password logon on the Organizational Unit containing our desktops.

This setting can be found in Computer Configuration, Administrative Templates, System, Logon.

2. Open Internet Explorer tiles on the desktop

In our experience, many new Windows 8 users feel thrown in and out of the modern user interface on desktops and laptops. While my tip to simply close your eyes when you press the keyboards Start button works to cope with the new Start Screen initially, this tip does not work when suddenly weblinks are opened in the modern Internet Explorer. Also, the absence of plug-ins in the modern Internet Explorer might break your web-based business application(s) and people might feel the App Bar is a bit clunky.

Two policy settings, both located in Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, Internet Settings  can be used to configure the Internet Explorer flavor used to open Internet Explorer tiles on the desktop and clicked links:

  1. Set how links are opened in Internet Explorer
  2. Open Internet Explorer tiles on the desktop

When you enable the first setting and configure it as ‘Always on Internet Explorer on then desktop’ and also enable the second setting, Internet Explorer on the desktop will be used, with all its plugins. That’s how I think my colleagues will like it.

3. Customize message for Access Denied errors

When Windows 8 machines communicate with Windows Server 2012-based File Servers, they use SMB 3.0. One of the benefits of using SMB 3.0 is the availability of Access Denied Remediation. When a user hits an authorization wall, instead of being hit with an Access Denied (error code 5) message, the user is confronted with a message where the user can immediately request access to the resource (with valid arguments) and this message gets sent to the file administrator as specified in the File Server Resource Manager (FSRM) and the folder owner.

The default message might not apply in your organization, may not appeal to your colleagues to actually use this functionality, or you want to change the messaging functionality, so you can use this message to make it more personally.

This setting is found within Computer Configuration, Administrative Templates, System, Access-Denied Assistance.

4. Allow domain users to log on using biometrics

While most of our laptops are equipped with a fingerprint reader, I deem the use of this device for logon purposes too weak. Therefore, I vote to not allow domain users to log on using the fingerprint reader with this policy setting.

The setting is located within Computer Configuration, Administrative Templates, Windows Components, Biometrics.

5. Turn off the Store application

Since the purpose of this set of Group Policy settings is to make colleagues productive, I’d vote to turn off the Windows Store in the Start Screen for now. That way, our colleagues are using the applications they’re used to using and report problems with these earlier, instead of them wandering off to the Windows Store and try every imaginable app there.

This setting can be found in Computer Configuration, Administrative Templates, Windows Components, Store.


Further reading

Group Policy Settings Reference for Windows and Windows Server
New Group Policy Settings in Windows 8 Consumer Preview
New Windows 8 Group Policy – Prohibit connection to non-domain networks when …
How to Install Apps Outside from Windows 8 App Store
What exactly do you get with Windows 8 Pro?

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.