Active Directory, DISM, Group Policy Objects, Group Policy Preferences, Uncategorized, Windows 10

Setting Acrobat Reader DC as the default PDF viewer on Windows 10 with a GPO

  1. Create an AdobeReaderAssociations.xml file, either the one in the Adobe Enterprise Administration Guide or your own created using DISM
  2. Copy that file to a shared location. Using Group Policy Preferences, copy the XML file to the local device
  3. Apply the XML file by opening up the group policy and navigating to Computer Configuration\Administrative Templates\Windows Components\File Explorer\Set a default associations configuration file
  4. Select Enabled and specify the path for the XML file and click Apply
  5. The corresponding registry entry is HKLM\Software\Policies\Microsoft\Windows\System\DefaultAssociationsConfiguration
Thanks to the GuruPackager
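
To confirm on a client that the policy from the steps above actually landed, the check below reads the policy registry value, follows it to the XML file and inspects the `.pdf` entry. It is an added example, not part of the original post; the ProgId `AcroExch.Document.DC` and the sample XML in the comments are assumptions about what Acrobat Reader DC registers.

```powershell
# Added example: verify the default-associations policy on a client.
# Constructed sample of the file this check expects:
#   <DefaultAssociations>
#     <Association Identifier=".pdf" ProgId="AcroExch.Document.DC"
#                  ApplicationName="Adobe Acrobat Reader DC" />
#   </DefaultAssociations>
# To build your own file from a reference machine:
#   Dism.exe /Online /Export-DefaultAppAssociations:<path to xml>

$ExpectedProgId = 'AcroExch.Document.DC'   # assumption, see lead-in
$PolicyKey      = 'HKLM:\Software\Policies\Microsoft\Windows\System'

function Test-PdfAssociationPolicy {
    # 1. The policy value must exist and point at the XML file.
    $policy = Get-ItemProperty -Path $PolicyKey -Name DefaultAssociationsConfiguration `
                               -ErrorAction SilentlyContinue
    if (-not $policy) {
        return 'Policy value DefaultAssociationsConfiguration is not set'
    }
    $xmlPath = $policy.DefaultAssociationsConfiguration

    # 2. The file must be reachable from this device.
    if (-not (Test-Path -LiteralPath $xmlPath -PathType Leaf)) {
        return "Policy points to '$xmlPath', but the file is missing"
    }

    # 3. The file must parse and contain a .pdf association.
    try   { [xml]$doc = Get-Content -LiteralPath $xmlPath -Raw -ErrorAction Stop }
    catch { return "File '$xmlPath' is not readable, well-formed XML" }

    $pdf = $doc.DefaultAssociations.Association |
           Where-Object { $_.Identifier -eq '.pdf' } |
           Select-Object -First 1
    if (-not $pdf) { return "No .pdf association in '$xmlPath'" }
    if ($pdf.ProgId -ne $ExpectedProgId) {
        return "'.pdf' maps to '$($pdf.ProgId)', expected '$ExpectedProgId'"
    }
    return "OK: .pdf -> $($pdf.ProgId) ($($pdf.ApplicationName))"
}

Test-PdfAssociationPolicy
```
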
GPMC, Group Policy Objects, Windows 10

Fixing Folder Redirection on Windows 10 1709

While upgrading devices from Windows 8.1 to Windows 10 1709, Folder Redirection and Offline Files were not applying to the Windows 10 devices. After searching, we found a registry setting that reapplied the Folder Redirection link:

  1. Go into regedit.
  2. Locate the registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  3. Create a new DWORD Value.
  4. Type EnableLinkedConnections, and then click Modify.
  5. In the Value data box, type 1, and then click OK.
  6. Exit the registry and then restart the device.
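
The same change scripted for an elevated PowerShell session, with an audit mode for checking devices without touching them. This is an added example, not part of the original post; the function name and the `-CheckOnly` switch are hypothetical.

```powershell
# Added example: steps 1-6 above as a script (run elevated).
$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'EnableLinkedConnections'

function Set-LinkedConnections {
    param([switch]$CheckOnly)   # hypothetical switch: report, change nothing

    # Read the current value; $null when the value does not exist yet.
    $current = (Get-ItemProperty -Path $Key -Name $Name `
                                 -ErrorAction SilentlyContinue).$Name

    if ($current -eq 1) {
        return "$Name is already 1, nothing to change"
    }
    if ($CheckOnly) {
        $shown = if ($null -eq $current) { '<not set>' } else { $current }
        return "$Name is $shown, expected 1"
    }

    # -Force creates the DWORD or overwrites a wrong existing value.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
                     -Value 1 -Force | Out-Null
    return "$Name set to 1, restart the device for it to take effect"
}

Set-LinkedConnections -CheckOnly
```
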

Folders that are redirected should be available offline by default. We found this wasn’t the case in the environment.

So next we needed to specify administratively assigned Offline Files. This can be found at: Computer Configuration/Administrative Templates/Network/Offline Files

Add in your UNC path for the home drive/redirected folders and we were back in business.

GPMC, Group Policy Objects, Group Policy Preferences, Registry, Windows 10

How to: Enable Windows 10 Biometrics (Facial and Fingerprint) Logon

Enable all of these policies and set the registry key to enable the Windows 10 facial and fingerprint logon feature.

Group Policy settings:

Computer Configuration\Administrative Templates\System\Logon

  • Turn on convenience PIN sign-in (Enabled)

Computer Configuration\Administrative Templates\Biometrics

  • Allow the use of biometrics (Enabled)
  • Allow users to log on using biometrics (Enabled)
  • Allow domain users to log on using biometrics (Enabled)

Computer Configuration\Administrative Templates\Biometrics\Facial Features

  • Use enhanced anti-spoofing when available (Disabled)

Computer Configuration\Administrative Templates\Windows Hello for Business

  • Use a hardware security device (Enabled)
  • Use biometrics (Enabled)

Group Policy Preference settings:



Administration, Group Policy Objects

Group Policy Setting – Delete user profiles older than a specified number of days on system restart

A great user policy that purges old user profiles from devices on reboot, staggering the setting at 180 days in week one, then 90 in week two and finally 30 days in the third week.

This setting can be found under Computer Configuration \ Policies \ Administrative Templates \ System \ User Profiles

Active Directory, Deployment, Group Policy Objects

Microsoft Local Administrator Password Solution (LAPS)

Microsoft is offering the Local Administrator Password Solution (LAPS), which provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as help desk administrators, are authorized to read passwords.

LAPS simplifies password management while helping customers implement recommended defenses against cyber attacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.

LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

The solution is built on Active Directory infrastructure and does not require other supporting technologies. LAPS uses a Group Policy client-side extension (CSE) that you install on managed computers to perform all management tasks. The solution’s management tools provide easy configuration and administration.
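
The delegation model described above (computers write their own password, only named groups read it) maps onto the cmdlets in the `AdmPwd.PS` module that ships with the LAPS management tools. This is an added example, not part of the original post; the OU, the reader group and the allow-list of expected principals are placeholders.

```powershell
# Added example; requires the LAPS management tools (AdmPwd.PS module).
# Placeholders (assumptions): OU, group and domain names below.
Import-Module AdmPwd.PS

$Ou       = 'OU=Workstations,DC=example,DC=com'
$Readers  = 'EXAMPLE\Helpdesk-LAPS-Readers'
$Expected = @($Readers, 'NT AUTHORITY\SYSTEM', 'EXAMPLE\Domain Admins')

# One-time: extend the schema with the LAPS attributes
# (needs Schema Admins membership).
Update-AdmPwdADSchema

# Let computers in the OU update their own password data.
Set-AdmPwdComputerSelfPermission -OrgUnit $Ou

# Grant read access to the authorized group only.
Set-AdmPwdReadPasswordPermission -OrgUnit $Ou -AllowedPrincipals $Readers

# Audit: who can actually read the confidential attribute on this OU?
# Anything outside the expected list is a delegation to review.
$rights     = Find-AdmPwdExtendedRights -Identity $Ou
$unexpected = $rights.ExtendedRightHolders |
              Where-Object { $_ -notin $Expected } |
              Sort-Object -Unique

if ($unexpected) {
    Write-Warning "Unexpected password readers on ${Ou}: $($unexpected -join ', ')"
} else {
    Write-Output "Only expected principals can read LAPS passwords on $Ou"
}
```
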

How to: Set up the Microsoft Local Administrator Password Solution (LAPS) in Active Directory



Administration, Group Policy Objects, Group Policy Preferences, Internet Explorer, Microsoft

Missing Internet Explorer Maintenance settings for Internet Explorer 11

Internet Explorer Maintenance settings have been deprecated in favour of Group Policy Preferences, Administrative Templates and the IE Administration Kit 11.

Because of this change, Internet Explorer Maintenance configured settings will no longer work on computers running Internet Explorer 10 or newer.

Have a look at these Microsoft articles for more details:


Active Directory, Group Policy Objects, Group Policy Preferences, Windows 10

Windows 10 Group Policy Settings

Microsoft has released the latest Windows 10 Group Policy settings. As usual there is a handy spreadsheet with all the settings, plus new filtering capabilities that make finding the new policies easier.

Download the spreadsheet:

Get all the templates from any Windows 10 machine. They are located in the C:\Windows\PolicyDefinitions folder. Then copy them into your domain central store (C:\Windows\SYSVOL\sysvol\{domain}\Policies\PolicyDefinitions).

Group Policy Objects, Kiosk, Windows 7

Remove Computer icon on the Desktop

For a kiosk I need to remove the Computer icon from the Start Menu.

The group policy location is: User Configuration, Administrative Templates, Desktop then Remove computer icon on the desktop


This setting hides computer from the desktop and from the new Start menu. It also hides links to computer in the Web view of all Explorer windows, and it hides computer in the Explorer folder tree pane. If the user navigates into computer via the “Up” button while this setting is enabled, they view an empty computer folder. This setting allows administrators to restrict their users from seeing computer in the shell namespace, allowing them to present their users with a simpler desktop environment.

If you enable this setting, computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to computer, the folder will be empty.

If you disable this setting, computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.

If you do not configure this setting, the default is to display computer as usual.