Five must-have Group Policy settings to create a uniform look for your Windows 8 clients

For ages, organizations deploying Windows installations wanted a uniform look for their machines, to work on their professional image towards employees, partners and customers.

Now, in Windows 8, a couple of new Group Policy settings have been introduced to centrally manage the new user interface features.

In this blogpost I’ll discuss the five new Group Policy settings and how you can use them to give your Windows 8 installations a uniform look.

You can use these settings in addition to your current set of uniformity settings:

1. Prevent changing lock screen image

For a consistent image to the outside world, we might want our company-owned machines to display the company logo on the lock screen. This is easily achieved by setting the lock screen picture in your deployment image and combining it with this Group Policy setting. If you want to use your company-owned bitmap, make sure to place a file with sufficient dimensions in *.jpg, *.bmp or *.png format in C:\Windows\Web\Screen.

This setting is found within Computer Configuration, Administrative Templates, Control Panel, Personalization.

When this policy is enabled and the user goes to the Personalization settings in the Modern Control Panel, he/she will see the message “Some settings on this page have been disabled by group policy.” on the “Lock Screen” tab.

2. Prevent changing start menu background

This Group Policy setting prevents users from changing the look of their Start screen background, such as its color or accent. If you enable this setting, users will no longer be able to change the look of their Start screen background and they will instead see the Start screen background set prior to enabling this setting, for instance the choice you’ve made for the Default User profile.

When this policy is enabled and the user goes to the Personalization settings in the Modern Control Panel, he/she will see the message “Some settings on this page have been disabled by group policy.” on the “Start screen” tab, as depicted below:

[Screenshot: Start Screen Personalization Managed with Group Policy]

Just like the previous Group Policy setting, this setting can also be found within Computer Configuration, Administrative Templates, Control Panel, Personalization.

3. Always use custom logon background

This setting, while located somewhere completely different within the Group Policy hierarchy, complements the above two settings, by changing the background color of the logon screen to the background color of the Start screen of the default user profile.

This setting is located in Computer Configuration, Administrative Templates, System, Logon.

4. Apply the default account picture to all users

Note:
This Group Policy setting is useful in environments with local and domain accounts, only. Microsoft accounts (previously known as Windows Live IDs) already have an account picture.

While this is not particularly a new Group Policy setting for Windows 8 (it applies to Windows Vista and above), the implications of this setting are more prominently visible in Windows 8 and its behavior has changed.

In Windows 8, the account picture is not only shown on the Logon screen; it is also displayed in the top right corner every time you open the Start screen, and you click it to log off and switch user accounts. This is in contrast to Windows Vista and Windows 7, where the account picture was displayed on the top right of the Start menu, but the buttons to log off, etc. were located in the bottom right.

Also, the way to change this setting is different from earlier versions of Windows, where you would (re)place jpg files. Using this setting you can enable Windows to display a default User Account Picture from C:\ProgramData\Microsoft\Default Account Pictures. It is enabled by default, but when you overwrite the three default user.png and guest.png pictures with 448 x 448 pixel, 20 x 20 pixel and 200 x 200 pixel representations of your company logo, be sure to force this setting to enabled.

5. Do not sync personalize

Note:
This Group Policy setting is useful in environments where users log on with Microsoft accounts, like environments relying heavily on Office 365.

‘Sync your Settings’ is a new feature that Microsoft Marketing uses to label Windows 8 as ‘cloud optimized’. This feature allows Microsoft accounts (previously known as Windows Live IDs) to synchronize settings, passwords and favorites between Windows 8 installations.

Of course, these settings might interfere with the defaults you might have set to make the desktops of your Windows installations look nice.

Since disabling all Windows 8 synchronizations is a bit like shooting at a mosquito with a cannon, this Group Policy setting can be used to only deactivate the synchronization of the desktop personalization settings (like the theme, background image(s) and sound scheme used on the Windows 8 desktop) and personalize (which includes the user account picture), while leaving the other synchronization options intact.

These settings can be found in Computer Configuration, Administrative Templates, Windows Components, Sync your settings, along with all the other fine-grained synchronization Group Policy settings. I suggest you enable both the ‘Do not sync personalize’ and ‘Do not sync desktop personalization settings’ settings to keep the uniform standard intact as much as possible.
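To check that the settings above are actually defined somewhere in your domain, the following added example (not part of the original post) searches the XML report of every Group Policy object for the setting names used in this post. It assumes the GroupPolicy PowerShell module on a Windows 8 or Windows Server 2012 management station and English policy definitions; names are matched by prefix, so small differences in the trailing wording still match.

```powershell
# Added example: audit which GPOs configure the settings from this post.
# Assumes the GroupPolicy module and English *.adml display names.
Import-Module GroupPolicy

# Setting names as written in this post (matched as prefixes).
$expected = @(
    'Prevent changing lock screen image',
    'Prevent changing start menu background',
    'Always use custom logon background',
    'Apply the default account picture to all users',
    'Do not sync personalize',
    'Do not sync desktop personalization'
)

$findings = foreach ($gpo in Get-GPO -All) {
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    # Administrative Template settings show up as <Policy> elements in the
    # Computer section; local-name() avoids dealing with namespace prefixes.
    $xpath = "//*[local-name()='Computer']//*[local-name()='Policy']"
    foreach ($policy in $report.SelectNodes($xpath)) {
        $nameNode  = $policy.SelectSingleNode("*[local-name()='Name']")
        $stateNode = $policy.SelectSingleNode("*[local-name()='State']")
        if (-not $nameNode -or -not $stateNode) { continue }
        foreach ($wanted in $expected) {
            if ($nameNode.InnerText -like "$wanted*") {
                [pscustomobject]@{
                    Setting = $wanted
                    State   = $stateNode.InnerText
                    GPO     = $gpo.DisplayName
                }
            }
        }
    }
}

# Flag settings that no GPO defines, or that a GPO defines but does not enable.
foreach ($wanted in $expected) {
    $hits = @($findings | Where-Object { $_.Setting -eq $wanted })
    if ($hits.Count -eq 0) { Write-Warning "No GPO configures '$wanted'" }
    foreach ($hit in $hits) {
        if ($hit.State -ne 'Enabled') {
            Write-Warning "'$wanted' is $($hit.State) in GPO '$($hit.GPO)'"
        }
    }
}

$findings | Sort-Object Setting, GPO | Format-Table -AutoSize
```

The report only shows what each GPO defines; whether a given client receives it still depends on where the GPO is linked and filtered.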

 


7 Responses to Five must-have Group Policy settings to create a uniform look for your Windows 8 clients

  1.  

    Could you please point me to the setting that completely disables the ability to log-in with Microsoft Accounts, this is not something we want in our controlled domain environment.

  2.  

    Hi CypherBit,

    Thank you for your reply.

    The Group Policy to prevent users from connecting their domain accounts to a Microsoft Account (previously known as a Windows Live ID) and prevent them from creating user accounts based on Microsoft Accounts is located in Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options and is called Accounts: Block Microsoft accounts.

    Possible settings are:

    • This policy is disabled
    • Users can’t add Microsoft accounts
    • Users can’t add or log on with Microsoft accounts

    Good luck!

  3.  

    Thank you so much for your reply Sander, it’s exactly what I was after.

    With my MDT almost ready I only need an answer to the question posted here http://www.sdmsoftware.com/gpmc/managing-group-policy-in-a-windows-8-world/ and I’m almost good to go with Win8 deployments.

    Much appreciated.

  4.  

    I’ve read the question you posted on Darren’s blogpost on managing Group Policy in a Windows 8 World. I’ll repeat it here for others to read:

    What if I don’t have any 2012 servers, just 2008 R2, but want to manage Windows 8 clients, is it enough to just copy the ADMX files to the Central Store? Will all settings (which ones not) apply?


        

    You don’t need Windows Server 2012-based Domain Controllers.

    You only need a Windows 8 or Windows Server 2012-based Group Policy Management station to manage the new Group Policy settings.

    If you go with management option 1, you only need to update the *.admx files in the Central Store and add the *.adml files of the languages you want to manage Group Policies in (these can all be found in the C:\Windows\PolicyDefinitions folder of your clients) on the System Volume (SYSVOL) of one of the Domain Controllers (preferably the one holding the PDC emulator FSMO role).

    There is a property for each Group Policy setting, that defines to which Operating System versions it applies. Obviously, if you apply a Group Policy setting to an unsupported Operating System, the setting will have no effect. As an example, all the Group Policy settings in this blogpost will have no effect on Windows 7. Luckily, they won’t break stuff either.

    Good luck!

  5.  

    Wow, this is all sorted out then as well, thank you so much.

    One of the comments in that blog mentions you need to do a forestprep and an adprep, have you perhaps tested this yourself, is this really required for GPO alone?

  6.  

    At a customer, today, a Central store was created in a production Windows Server 2008 (R2) domain using the C:\Windows\PolicyDefinitions folder of a Windows 8 box. After SYSVOL replication, a new Group Policy object was created for an Organizational Unit with Windows 8 test machines and a couple of existing Group Policy objects were checked for consistency and resulting functionality on both the Domain Controller and the Windows installations affected by the policy settings.

    Everything works like a charm, without the need for Active Directory preparation.

    Note
    I have not tested it in an environment with Windows 2000 Server or Windows Server 2003-based Domain Controllers and/or corresponding functional levels.

  7.  

    Thank you Sander, that clears it all up.
