I put my Windows 10 computers in the same OU as my other computers.
You also need to import the Windows 10 Group Policies into your Central Store. You can read about how to do this on Technet here.
Create a Windows 10 WMI Filter
For your WMI filter, you'll want to use this query:
select * from Win32_OperatingSystem where Version like "10.%"
Now, create a Windows 10 GPO, link that WMI filter to it, and link it to your OU.
With that accomplished, we can now begin setting up the Windows 10 GPO.
First GPO setting: Loopback Processing
I'll split these GPOs up to apply to user/computer OUs later, but right now I want everything together, and I want any user that logs into a Windows 10 box to get the same settings. To do this, I will use loopback processing. This can be a tricky feature, so I always refer to this handy guide when I do it. Basically, you use this when you want a set of "user" group policies to apply to computers in an OU no matter who logs in. Loopback processing is usually used when you have a single-purpose computer that is locked down, like a kiosk, but in this case it's a test machine. You will find the policy in Computer\Policies\Administrative Templates\System\Group Policy, and it's called "Configure Group Policy loopback processing mode". I set that to Enabled and Replace (see the article linked above).
Now how about some settings?
Ok, Ok. Here's what I'm using so far:
Computer\Policies\Administrative Templates\System\Logon
Show first sign-in animation, Disabled
Turn off picture password sign-in, Enabled
Turn on PIN sign-in, Disabled
Computer\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds
Disable pre-release features or settings, Disabled (this one is confusing, pay attention to the description!)
Toggle user control over Insider builds, Disabled
Computer\Policies\Administrative Templates\Windows Components\Delivery Optimization
Download Mode: Enabled (None)
We're still talking about what we're going to do about Windows 10's bittorrent-like ability to propagate downloads. It seems really cool, but we need to do our due diligence and all of that.
Computer\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features
Allow fallback to SSL 3.0 (Internet Explorer), Enabled (No Sites)
Beware the Poodle!
Computer\Policies\Administrative Templates\Windows Components\Microsoft Edge
Send all intranet traffic over to Internet Explorer, Enabled
Computer\Policies\Administrative Templates\Windows Components\OneDrive
Prevent the usage of OneDrive for file storage, set to HELL YES.
These turn off Cortana, and also disable the "web" part of the start menu search. I only want to search my computer.
Computer\Policies\Administrative Templates\Windows Components\Search
Allow Cortana, Disabled
Do not allow web search, Enabled
Don't search the web or display web results in search, Enabled
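To confirm on a test machine that the WMI filter matches and that the GPO actually landed, the following added example (not part of the original post) runs the filter query locally and compares a handful of the settings above against the registry. The registry value names are assumptions about what these administrative templates write and are not taken from the post; check them against your ADMX files before relying on the result.

```powershell
# Added example: audit a test machine against the WMI filter and settings in this post.
# Registry value names below are assumptions, not from the post; verify them in the ADMX.

# 1. Run the post's WMI filter query locally.
$wql = 'select * from Win32_OperatingSystem where Version like "10.%"'
$os  = Get-CimInstance -Query $wql
if ($os) {
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    # Server releases that report a 10.x version match this query as well.
    "Filter matches: $($os.Caption) $($os.Version) (ProductType $($os.ProductType))"
} else {
    'Filter does not match this machine, so the GPO will not apply here.'
}

# 2. Expected registry state for settings listed in the post.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$expected = @(
    @{ Setting = 'Loopback processing: Replace';   Path = "$pol\System";               Name = 'UserPolicyMode';             Want = 2 }
    @{ Setting = 'Picture password sign-in off';   Path = "$pol\System";               Name = 'BlockDomainPicturePassword'; Want = 1 }
    @{ Setting = 'PIN sign-in off';                Path = "$pol\System";               Name = 'AllowDomainPINLogon';        Want = 0 }
    @{ Setting = 'Delivery Optimization: None';    Path = "$pol\DeliveryOptimization"; Name = 'DODownloadMode';             Want = 0 }
    @{ Setting = 'OneDrive file storage blocked';  Path = "$pol\OneDrive";             Name = 'DisableFileSyncNGSC';        Want = 1 }
    @{ Setting = 'Cortana off';                    Path = "$pol\Windows Search";       Name = 'AllowCortana';               Want = 0 }
    @{ Setting = 'Web search off';                 Path = "$pol\Windows Search";       Name = 'DisableWebSearch';           Want = 1 }
    @{ Setting = 'No web results in search';       Path = "$pol\Windows Search";       Name = 'ConnectedSearchUseWeb';      Want = 0 }
)

# 3. Read each value; a missing key or value means the policy did not apply.
$results = foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Setting  = $e.Setting
        Expected = $e.Want
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Ok       = ($null -ne $actual) -and ($actual -eq $e.Want)
    }
}
$results | Format-Table -AutoSize

# Non-zero exit code if anything is missing, for use in a scheduled check.
if ($results.Ok -contains $false) { exit 1 }
```

Run it from an elevated prompt after `gpupdate /force`; `gpresult /r` shows whether the GPO was filtered out by the WMI filter when values come back as not set.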
Tomorrow, I'll post some Group Policy Preferences, covering some registry entries that turn off some undesired features.