Recommendations - asktechsupport/windows-gpo GitHub Wiki

Here are some common Group Policy settings that are recommended:

Security

Disable USB Drives Set Desktop Wallpaper Prevent Software Installation Set the password policies: Prevent Software Installation & Minimum password length Disable Control Panel Access Enable Windows Defender Antivirus Disable Command Prompt Disable Task Manager Force a lock screen image

1. Disable USB Drives

  • Path: 
    Computer Configuration\Administrative Templates\System\Removable Storage Access
  • Setting: Deny All Access
  • Description: Prevents users from accessing USB drives and other removable storage devices.

2. Set a Custom Lock Screen

  • Path: 
    Computer Configuration\Administrative Templates\Control Panel\Personalization
  • Setting: Force a specific default lock screen image
  • Description: Allows administrators to set a custom lock screen image for all users.

3. Prevent Software Installation

  • Path: 
    Computer Configuration\Administrative Templates\Windows Components\Windows Installer
  • Setting: Prohibit User Installs
  • Description: Restricts users from installing new software using Windows Installer.

4. Enforce Password Complexity

  • Path: 
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
  • Setting: Password must meet complexity requirements
  • Description: Requires passwords to contain a mix of uppercase, lowercase, numbers, and special characters.

5. Set Minimum Password Length

  • Path: 
    Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
  • Setting: Minimum password length
  • Description: Specifies the minimum number of characters required in a password (e.g., 14 characters).

6. Disable Control Panel Access

  • Path: 
    User Configuration\Administrative Templates\Control Panel
  • Setting: Prohibit access to Control Panel and PC settings
  • Description: Prevents users from accessing the Control Panel and changing system settings.

7. Enable Windows Defender Antivirus

  • Path: 
    Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus
  • Setting: Turn off Microsoft Defender Antivirus
  • Description: Setting this to Disabled ensures Microsoft Defender Antivirus remains active.

8. Disable Command Prompt

  • Path: 
    User Configuration\Administrative Templates\System
  • Setting: Prevent access to the command prompt
  • Description: Restricts access to the command prompt for users.

9. Set Desktop Wallpaper

  • Path: 
    User Configuration\Administrative Templates\Desktop\Desktop
  • Setting: Desktop Wallpaper
  • Description: Specifies the path to a custom wallpaper image for all users.

User Experience Enhancements

[!TIP]

Additional Tips:

Group Policies can enhance user productivity by pre-configuring settings.

Test policies in a staging environment before applying them domain-wide.

Use GPO Preferences for settings that users may want to override without IT intervention.

Here are some of the best Group Policy Object (GPO) settings to enhance user experience on Windows systems, focusing on usability, performance, and personalization:

1. Configure a Custom Start Menu Layout

  • Path: 
    User Configuration\Administrative Templates\Start Menu and Taskbar
  • Setting: Start Layout
  • Description: Predefine a clean and organized Start Menu layout with frequently used apps, making it easier for users to navigate.

2. Speed Up Start Menu and Taskbar Responsiveness

  • Path: 
    User Configuration\Administrative Templates\Start Menu and Taskbar
  • Setting: Disable Taskbar Animations
  • Description: Disabling taskbar animations can improve responsiveness, especially on older hardware.

3. Set a Default Printer

  • Path: 
    User Configuration\Preferences\Control Panel Settings\Printers
  • Setting: Default Printer
  • Description: Automatically set a default printer for users to save time and confusion.

4. Show Only Specified Control Panel Items

  • Path: 
    User Configuration\Administrative Templates\Control Panel
  • Setting: Show Only Specified Control Panel Items
  • Description: Restrict the Control Panel to display only relevant items, reducing clutter and preventing accidental misconfigurations.

5. Enable File Explorer Dark Mode

  • Path: 
    User Configuration\Administrative Templates\Windows Components\File Explorer
  • Setting: Force a Specific Default Theme
  • Description: Enforce a modern dark theme to reduce eye strain and enhance the visual experience.

6. Map Network Drives Automatically

  • Path: 
    User Configuration\Preferences\Windows Settings\Drive Maps
  • Setting: Create Network Drive Mappings
  • Description: Automatically map shared network drives for users to ensure seamless access to resources.

7. Remove Unnecessary Notifications

  • Path: 
    User Configuration\Administrative Templates\Start Menu and Taskbar
  • Setting: Turn Off All Balloon Notifications
  • Description: Eliminate distracting notifications to create a more focused workspace.

8. Configure Power Settings

  • Path: 
    Computer Configuration\Administrative Templates\System\Power Management
  • Setting: Specify a Power Plan
  • Description: Enforce balanced or performance power plans to improve battery life or system responsiveness based on user needs.

9. Redirect Known Folders (Documents, Desktop, etc.)

  • Path: 
    User Configuration\Policies\Windows Settings\Folder Redirection
  • Setting: Redirect Known Folders to Network Locations
  • Description: Redirect folders like Desktop and Documents to a central server for easier backup and management.

10. Preload Key Applications

  • Path: 
    User Configuration\Administrative Templates\System\Logon
  • Setting: Run These Programs at User Logon
  • Description: Automatically launch critical applications like email or productivity tools when users log in.

11. Enable Faster Logins by Disabling Unnecessary Services

  • Path: 
    Computer Configuration\Administrative Templates\System\Group Policy
  • Setting: Configure Group Policy Caching
  • Description: Enable Group Policy caching to reduce logon times for users on slow networks.

12. Set Default Browser

  • Path: 
    Computer Configuration\Administrative Templates\Windows Components\File Explorer
  • Setting: Set a Default Browser
  • Description: Define a default browser (e.g., Edge or Chrome) to ensure consistency in web access.

13. Show Recent Files in Quick Access

  • Path: 
    User Configuration\Administrative Templates\Windows Components\File Explorer
  • Setting: Show Recently Used Files in Quick Access
  • Description: Enable users to quickly access their most recently used files in File Explorer.

14. Force Desktop Wallpaper

  • Path: 
    User Configuration\Administrative Templates\Desktop\Desktop
  • Setting: Desktop Wallpaper
  • Description: Set a standard wallpaper to create a consistent and visually appealing workspace.

15. Configure Windows Search

  • Path: 
    User Configuration\Administrative Templates\Windows Components\Search
  • Setting: Do Not Allow Web Search
  • Description: Limit Windows Search to local files and settings for faster and more relevant search results.

Let me know if you'd like additional settings or further refinements!

PowerShell scripts to implement:

🔗Security Settings PowerShell https://github.com/asktechsupport/help/blob/main/scripts/powershell/windows-gpo-repo/recommendations-page-scripts/recommended-security-gpo-settings.md

🔗User Experience PowerShell https://github.com/asktechsupport/help/blob/main/scripts/powershell/windows-gpo-repo/recommendations-page-scripts/recommended-user-experience-gpo-settings.md