Thursday, April 9, 2020

10 Ways Windows Group Policy Can Make Your PC Better

Do you wish you could change some of the ways Windows 10 behaves? Maybe you want more control over certain features, or want to make tweaks that aren’t available in the Settings panel.

A great way to get more control over your computer is using Group Policy. There are tons of useful Group Policy settings that home users can employ to tweak how Windows 10 works. Let’s look at some of the best Group Policy settings for making your system better.

What Is Windows Group Policy?

Group Policy provides a centralized way to configure and enforce all kinds of settings across computers on an Active Directory network. These settings are maintained by a domain controller and individual computers can’t override them.

Thus, Group Policy is most common on Windows domains in business settings. However, computers that aren’t on an Active Directory network (meaning most home machines) can still have their settings tweaked locally using the Local Group Policy Editor.

Think of this like the Control Panel, except much more powerful. With Group Policy, you can restrict access to parts of the system, force a certain home page for all users, and even run certain scripts whenever a computer starts up or shuts down.

Behind the scenes, most of the options in the Group Policy Editor simply make tweaks to the Windows Registry. The Group Policy Editor provides a much friendlier interface for managing these options without having to manually scour the Registry, though.

The one downside is that by default, Group Policy is only available to computers running Professional or higher editions of Windows. If you’re on Windows Home, this omission may convince you to upgrade to Windows 10 Pro—though there is a workaround that we mention below.

Accessing the Group Policy Editor

Accessing the Group Policy Editor is easier than you think, especially on Windows 10. As with most utilities in Windows, there are multiple ways to access it.

Here’s one reliable method:

  1. Open the Start Menu.
  2. Search for group policy.
  3. Launch the Edit group policy entry that comes up.

For another way, press Win + R to open the Run dialog box. There, enter gpedit.msc to launch the Group Policy Editor.

While we mentioned that Group Policy is not normally available on Home editions of Windows, there is a workaround you can try. It involves some basic system tweaks and the installation of a third-party Group Policy Editor.

If you’re interested, check out our step-by-step guide to installing the Group Policy Editor on Windows Home.

Applying Group Policy Updates

For some Group Policy settings, you’ll have to reboot your computer before they take effect. Otherwise, once you’re done making changes, launch an elevated Command Prompt and run the following command:

gpupdate /force

This forces any updates you made to Group Policy to take effect immediately.

Cool Things to Do With Group Policy

The Group Policy Editor allows you to change hundreds of different options, preferences, and settings, so it’s impossible to cover everything here.

Feel free to look around, but if you’re not confident, it’s probably best to avoid experimenting with random policies. One bad tweak could cause problems or unwanted behavior. Check out our introduction to Group Policy to become more familiar first.

Now, we’ll look at some recommended Group Policy settings to get you started.

1. Restrict Access to Control Panel and Settings

Control Panel restrictions are vital for business networks and school environments. However, they can also be useful at home for computers shared between multiple users. If you want to prevent children from changing settings, this is a good step to take.

To block the Control Panel completely, enable this object:

User Configuration > Administrative Templates > Control Panel > Prohibit access to Control Panel and PC Settings

If you want to instead provide access to only certain parts of the Control Panel, you can set that up using one of the two following items:

User Configuration > Administrative Templates > Control Panel > Hide specified Control Panel items
User Configuration > Administrative Templates > Control Panel > Show only specified Control Panel items

Enable them and you’ll be able to indicate which Control Panel Applets you want to show or hide. Use Microsoft’s Canonical Names of Control Panel Items to list them.

2. Block the Command Prompt

Despite how useful the Command Prompt can be, it can become a nuisance in the wrong hands. Allowing users to run undesirable commands and circumvent other restrictions you might have in place isn’t a good idea. As such, you can disable it.

To disable the Command Prompt, browse to this value:

User Configuration > Administrative Templates > System > Prevent access to the command prompt

Note that enabling this restriction means that cmd.exe can’t run at all. Thus, it also prevents the execution of batch files in CMD or BAT formats.

3. Prevent Software Installations

You have many ways to block users from installing new software. Doing so can help reduce the amount of maintenance you need to do when people carelessly install junk. It also reduces the chances of malware getting on your system.

To prevent software installations using Group Policy, visit:

Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Turn off Windows Installer

Note that this only blocks the Windows Installer, so people can still install apps using the Windows Store.

4. Disable Forced Restarts

While you can enable some options to postpone it, Windows 10 will eventually restart your computer on its own if you have updates pending. You can take back control by enabling a Group Policy item. Once you do, Windows will only apply pending updates when you restart on your own.

You’ll find it here:

Computer Configuration > Administrative Templates > Windows Components > Windows Update > No auto-restart with logged on users for scheduled automatic update installations

5. Disable Automatic Driver Updates

Did you know that Windows 10 also updates device drivers without your explicit permission? In many cases, this is useful, as it aims to keep your system as up-to-date as possible.

But what if you’re running a custom driver? Or perhaps the latest driver for a certain hardware component has a bug that causes your system to crash. These are times when automatic driver updates are more harmful than helpful.

Enable this to disable automatic driver updates:

Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices that match any of these device IDs

Once enabled, you’ll have to provide hardware IDs for the devices that you don’t want automatic driver updates for. You’ll need to get these through the Device Manager, which takes a few steps. Follow our guide to controlling driver updates in Windows 10 for full instructions.

6. Disable Removable Media Drives

Removable media, like USB flash drives, can come in handy. But unknown USB devices can also pose a risk. Someone with access to your computer could load malware onto a flash drive and try to execute it.

While not necessary in most cases, you can prevent Windows from reading removable drives altogether to protect your system. This is especially important in business settings.

To disable removable media drives, enable this value:

User Configuration > Administrative Templates > System > Removable Storage Access > Removable Disks: Deny read access

In this folder, you’ll also see options for other kinds of media like CDs and DVDs. Feel free to disable all of these as well, but USB drives are the main concern.

7. Hide Balloon and Toast Notifications

Desktop notifications can be handy, but only when they have something useful to say. Most of the notifications you see aren’t worth reading, which often leads to them distracting you and breaking your concentration.

Enable this value to disable balloon notifications in Windows:

User Configuration > Administrative Templates > Start Menu and Taskbar > Turn off all balloon notifications

Starting with Windows 8, most system notifications switched over to toast notifications. You should thus disable them too:

User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications > Turn off toast notifications

This is an easy way to block a lot of popup distractions.

8. Remove OneDrive

OneDrive is baked into Windows 10. While you can uninstall it like any other app, it’s also possible to prevent it from running using a Group Policy item.

Disable OneDrive by enabling this:

Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage

This will remove the ability to access OneDrive from anywhere on the system. It also erases the OneDrive shortcut in the sidebar of File Explorer.

9. Turn Off Windows Defender

Windows Defender manages itself, so it will stop running if you install a third-party antivirus app. If this doesn’t work properly for some reason or you want to fully disable it, you can enable this Group Policy item:

Computer Configuration > Administrative Templates > Windows Components > Windows Defender > Turn off Windows Defender

While it’s easy to disable, Windows Defender is a good enough security solution for most people. Make sure to replace it with another trusted Windows antivirus program if you remove it.
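Because most of these policies end up as Registry values, you can read them back to confirm what is actually set on a machine. The PowerShell below is an added example, not part of the original article; the registry locations listed are the ones these policies are generally documented to write, so confirm them against the administrative templates on your Windows build.

```powershell
# Added example: read back the registry values behind policies in this article.
# HKCU entries are per-user, so run this in the session of the user being checked.
$checks = @(
    @{ Policy = 'Prohibit access to Control Panel and PC Settings'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoControlPanel' },
    @{ Policy = 'Prevent access to the command prompt'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name   = 'DisableCMD' },
    @{ Policy = 'Turn off Windows Installer'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Name   = 'DisableMSI' },
    @{ Policy = 'No auto-restart with logged on users'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name   = 'NoAutoRebootWithLoggedOnUsers' },
    @{ Policy = 'Prevent the usage of OneDrive for file storage'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Name   = 'DisableFileSyncNGSC' },
    @{ Policy = 'Turn off Windows Defender'
       Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
       Name   = 'DisableAntiSpyware' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value corresponds to "Not Configured" in the editor.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Policy = $c.Policy
        Value  = if ($null -eq $v) { 'not configured' } else { $v }
        Key    = "$($c.Path)\$($c.Name)"
    }
}
$report | Format-Table -AutoSize -Wrap

# The policy value and the effective antivirus state can differ, so read both.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
}
```

A DisableAntiSpyware value that nobody on the machine remembers setting is worth investigating, since it leaves the system without its built-in antivirus.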

10. Run Scripts at Logon/Startup/Shutdown

Our last tip is a bit more advanced, so it probably won’t be useful to you unless you’re comfortable with batch files and/or writing PowerShell scripts. But if you are, then you can actually run said scripts automatically with Group Policy.

To set up a startup/shutdown script, visit:

Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)

To set up a logon or logoff script, head here:

User Configuration > Windows Settings > Scripts (Logon/Logoff)

Doing this lets you select the actual script files and provide parameters for those scripts, so it’s pretty flexible. You can also assign multiple scripts to each trigger event.

Note that this isn’t the same as launching a specific program on startup. To do that, see how to use the Windows startup folder.
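Scripts registered this way run automatically and are easy to forget, so it is worth reviewing them from time to time. The PowerShell below is an added example, not part of the original article; it assumes the default local policy store under %SystemRoot%\System32\GroupPolicy and does not cover scripts delivered by a domain.

```powershell
# Added example: list scripts registered through local Group Policy and report
# whether each file exists, its Authenticode status and its SHA-256 hash.
$gpRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$iniFiles = foreach ($scope in 'Machine', 'User') {
    foreach ($file in 'scripts.ini', 'psscripts.ini') {
        Join-Path $gpRoot "$scope\Scripts\$file"
    }
}

$entries = [ordered]@{}
foreach ($ini in $iniFiles) {
    if (-not (Test-Path -LiteralPath $ini)) { continue }
    $section = ''
    foreach ($line in Get-Content -LiteralPath $ini -Force) {   # files are hidden
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]      # Startup, Shutdown, Logon or Logoff
        } elseif ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$ini|$section|$($Matches[1])"
            if (-not $entries.Contains($key)) {
                $entries[$key] = @{ Ini = $ini; Event = $section; CmdLine = ''; Parameters = '' }
            }
            $entries[$key][$Matches[2]] = $Matches[3].Trim()
        }
    }
}

$entries.Values | Where-Object { $_.CmdLine } | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_.CmdLine.Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        # Relative names resolve against the Scripts\<event> folder beside the ini.
        $path = Join-Path (Split-Path $_.Ini -Parent) (Join-Path $_.Event $path)
    }
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    [pscustomobject]@{
        Event      = $_.Event
        CmdLine    = $_.CmdLine
        Parameters = $_.Parameters
        Exists     = $exists
        Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { $null }
        SHA256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
    }
} | Format-List
```

An entry you did not create, or one whose hash changes between reviews, deserves a closer look.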

The Most Useful Group Policy Settings for You

Group Policy provides you with a lot of control of how Windows 10 works. We’ve only looked at a few instances here; there’s a lot more functionality to find if you know where to look. As you can see, though, most of the options revolve around removing or blocking functionality, not adding new tools.

Don’t have access to Group Policy or want to keep tweaking Windows? Have a look at our introduction to the Windows Registry.


from MakeUseOf https://ift.tt/2JU2uNL
