Dell recommends Windows 8.

Windows 8 Group Policy Settings That You Should Know

Brien Posey, Freelance Writer and Former CIO | 4/11/2013 | 6 comments

Brien Posey
By and large, Windows 8 supports the same collection of group policy settings as Windows 7, so organizations that already have Windows 7 in place can move to Windows 8 with relative confidence that their existing group policy structure will continue to work.

While this is certainly good news for those tasked with keeping Windows secure, there is a bit of bad news. Even though Windows 8 can use Windows 7 group policy settings, those settings alone will likely prove to be inadequate to keep Windows 8 secure.

As you no doubt know, Windows 8 has two widely used modes. On one hand, there is the new modern user interface (formerly known as Metro), but there is also a desktop mode that looks suspiciously like Windows 7. Windows 7 group policy settings do a great job of locking down Windows 8's desktop mode, but they have little impact on the modern user interface.

Thankfully, Microsoft has created a number of new group policy settings that are specifically designed for Windows 8 and Windows Server 2012. There are 169 new policy settings in all (plus some extra settings for Internet Explorer 10). In order to use these new policy settings you will need to either have a Windows Server 2012 domain controller or you can add the policy settings to Windows 8's local security policy.

Windows store policy settings
Some of the most useful new policy settings are related to the Windows store. For organizations that operate managed desktops, the thought of users going into the Windows store and downloading unapproved applications can be stomach churning. Fortunately, Microsoft provides group policy settings that can be used to control access to the store. Group policy settings can be applied at either the user or the computer level and exist at \Administrative Templates\Windows Components\Store. The policy settings themselves are self-explanatory. They include turning off automatic downloads of updates, allowing the store to install apps on Windows To Go workspaces, turning off store applications.

Connected accounts
One of the things that makes Windows 8 really unique is its use of connected accounts. When a user gets ready to log on, Windows 8 gives them the option of logging in using a Microsoft connected account (such as a Windows Live account or a Hotmail account). This account links Windows 8 to online services such as Hotmail, SkyDrive, or even Xbox Live. Of course, these are all consumer-grade services that have no place in most business environments. Worse yet, connected accounts are often tied into social networking sites, such as Facebook.

One of an administrator's first tasks in planning for a Windows 8 deployment should be to prevent users from being able to provide Windows 8 with a connected account. As you have probably already guessed, this can be accomplished through group policy settings.

The policy settings exist at the computer level of the Group Policy hierarchy. You can find them at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts.

There are actually a couple of different options that you can use when enabling this policy setting. You can either choose the Users Can't Add Microsoft Accounts option or you can choose the Users Can't Add Or Log On With Microsoft Accounts option. The secondary option will prevent Microsoft accounts from being used, even if a user has already added the account to their Windows 8 desktop.

Preventing the accidental removal of modern apps
Windows 8 makes it easy for users to remove modern UI apps. Maybe a little too easy. A user needs only right-click on the app's tile and then tap Uninstall. If you'd rather that users not be able to remove the apps that you have placed on their start screen, you can use group policy settings to prevent them from doing so.

The option to prevent users from uninstalling modern apps is a user-level group policy setting. The option is quite ironically located at: User Configuration\Administrative Templates\Start Menu and Taskbar. This section of the group policy hierarchy contains a number of different settings. The specific group policy setting that you must enable is named Prevent Users From Uninstalling Applications From Start.

Obviously there is no way to discuss hundreds of individual policy settings within the confines of a blog post. While I have tried to discuss some of the more useful policy settings, there are many others. You can access the full list of new group policy settings here. Chances are, there's a policy you need to know about that I couldn't get to.

View Comments: Newest First | Oldest First | Threaded View
anthony.nima   Windows 8 Group Policy Settings That You Should Know   6/29/2013 11:33:15 PM
Re: Group Policy
@SaneIT: Normally Im not used to read those policies which are lengthy but I will read it this time.          
SaneIT   Windows 8 Group Policy Settings That You Should Know   4/18/2013 7:05:24 AM
Re: Group Policy
As OS features are added it's a must that you take a look at Group Policy.  Yes it would be nice if MS could keep all the policy settings consistent across the new versions but with the number of changes between Windows versions I"m happy that very few Group Policy objects break.
anthony.nima   Windows 8 Group Policy Settings That You Should Know   4/18/2013 6:38:25 AM
Re: Group Policy
SaneIT: True but I feel updating the policy on a regular basis is not a good thing, especially for its customers.  
SaneIT   Windows 8 Group Policy Settings That You Should Know   4/15/2013 7:45:23 AM
Re: Group Policy
Yes Group policy needs to be looked at regularly.  We found a few funny issues with Win 7 when we upgraded.  GP objects that were supposed to carry over just fine would cause a black screen on boot up that could last up to an hour.   Imagine rolling out a bunch of desktops after having tested everything and you run into a problem like that.  Luckily we found the issue quickly but it was a tense situation.
Trek   Windows 8 Group Policy Settings That You Should Know   4/12/2013 1:17:28 PM
Re: Group Policy
Yes, thank you for pointing all this out, especially about the connected accounts. 

I guess this goes to show that group settings should be audited throughly, at least once a year and especially during upgrades. 
SaneIT   Windows 8 Group Policy Settings That You Should Know   4/11/2013 7:57:14 AM
Group Policy
Thank you for teh quick list, Group Policy is one of those under used utilities that make managing a Windows network so much easier.  A lot of us take if for granted, I know I have GP objects and settings that are close to a decade old without being changed.  I haven't looked into this yet, but are there ways to differentiate between portable devices like phones and tablets in Group Policy or will that be more of a manual process of separating them out in Active Directory?

The blogs and comments posted on do not reflect the views of TechWeb,, or its sponsors., TechWeb, and its sponsors do not assume responsibility for any comments, claims, or opinions made by authors and bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.

More Blogs from Brien Posey
Brien Posey   9/5/2013   10 comments
One of the main benefits of virtual desktop infrastructure is the ability to run many virtual machines on a single host, making the most efficient possible use of the resources available. ...
Brien Posey   8/28/2013   57 comments
By now you know that Windows 8.1 will release to the public on October 18. You may not know that with Windows 8.1, Microsoft is releasing a brand new version of Internet Explorer, IE 11.
Brien Posey   8/22/2013   22 comments
Operating system upgrades have always been something of a crapshoot. We as administrators make every effort to follow all of the recommended best practices, but it is difficult to know ...
Brien Posey   8/15/2013   20 comments
Significant changes are coming to Microsoft TechNet. If your organization uses TechNet software for planning or testing, you may need to modify your approach.
Brien Posey   8/6/2013   10 comments
The tool of choice for Microsoft operating system deployments is System Center Configuration Manager (SCCM). For those who have never worked through a bare metal Windows 8 deployment, it ...
Dell Information Resources
On-demand Video with Chat
The culture of work is changing. Tech-savvy and always-connected people want faster, more intuitive technology, uninterrupted services, and freedom to work anywhere, anytime, on a variety of devices.
Latest Archived Broadcast
Bring-Your-Own-Device (BYOD) is about more than just a device.
© 2019 UBM TechWeb - Privacy Policy