Thin clients have traditionally been chosen for their lower cost, but in many cases that argument no longer holds. Using a traditional workstation to connect to an SBC/VDI infrastructure is becoming more and more logical, even though the user works on a full desktop where all applications run in the data center.
The most important step is to lock down the workstation. How many settings should be removed from the user interface depends on the requirements and wishes of the organization or customer. There are scenarios where you want to remove as much as possible, but offering a few applications or configuration settings is also perfectly logical: think of adjusting the screen resolution, keyboard/mouse settings and regional settings.
While there are very good third-party and freeware products available to turn a standard workstation into a thin client, you can also do it with default Microsoft technologies, for when there is no budget or freeware is not allowed in the company. In this article I would like to show you an example configuration that turns a workstation into a Thin-based PC using Group Policy only. What follows is the GPMC settings report of that GPO.
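Before the report itself, an added example that is not part of the original article: the same GPO can be created, linked and partly populated from the GroupPolicy module (RSAT) rather than by clicking through GPMC. The GPO name and the OU name come from the report below; the OU's distinguished name, the loopback mode (Replace) and the subset of policies written here are assumptions made for this example, and the registry values used are the ones the corresponding ADMX policies register.

```powershell
# Added example, not from the original article: create and link the Thin-based
# PC GPO with the GroupPolicy module (RSAT) instead of clicking through GPMC.
# The GPO name and the OU come from the report in the article; the OU
# distinguished name, the loopback mode and the settings chosen are assumptions.
Import-Module GroupPolicy

$gpoName  = 'NL_GPO_MGT_ThinbasedPC'
$targetOU = 'OU=ThinBasedPC,OU=Computers,DC=raylin,DC=local'   # assumed DN of raylin.local/Computers/ThinBasedPC

# Create the GPO once and link it to the OU that holds the kiosk PCs.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Workstation locked down as thin client' }
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Loopback processing in Replace mode (assumed): the user-side lock-down below
# then applies to whoever logs on to these PCs, wherever the user object lives.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# A subset of the report's policies, written to their registered policy values.
# GPMC shows a value under a known ADMX key as the named policy rather than as
# an "Extra Registry Setting", as long as the ADMX that defines it is present.
$settings = @(
    # User Configuration > Ctrl+Alt+Del Options, Start Menu and Taskbar, Desktop
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';         Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableLockWorkstation'; Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableChangePassword';  Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoLogoff';               Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                  Value = 1 }
    @{ Key = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop';              Value = 1 }
    # Computer Configuration > Remote Assistance, Remote Desktop client, Application Compatibility
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services';    Name = 'fAllowToGetHelp';        Value = 0 }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services';    Name = 'fAllowUnsolicited';      Value = 0 }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services';    Name = 'DisablePasswordSaving';  Value = 1 }
    @{ Key = 'HKLM\Software\Policies\Microsoft\Windows\AppCompat';               Name = 'VDMDisallowed';          Value = 1 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
}

# The Group Policy Preferences items in the report (the Winlogon auto-logon
# values and the power plan) have no cmdlet; those are still created in GPMC.
# Export the result so it can be compared with the report in the article.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Security filtering is left at the default (Authenticated Users, as in the report), so every computer in the OU picks the GPO up; with loopback in Replace mode the user-side settings follow the computer, which is what you want for a kiosk that any domain user may sit down at.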
GPO | NL_GPO_MGT_ThinbasedPC |
---|---|
Data collected on | 7/8/2014 11:46:35 AM |
Domain | Raylin.local |
Owner | raylin\Domain Admins |
Created | 6/19/2014 11:38:14 AM |
Modified | 7/8/2014 11:17:52 AM |
User Revisions | 141 (AD), 141 (sysvol) |
Computer Revisions | 244 (AD), 244 (sysvol) |
Unique ID | {CDAAEC72-0CDF-4A24-A1FE-2F71FB694E23} |
GPO Status | Enabled |

Links

Location | Enforced | Link Status | Path |
---|---|---|---|
ThinBasedPC | No | Enabled | raylin.local/Computers/ThinBasedPC |

This list only includes links in the domain of the GPO.

Security Filtering

Name |
---|
NT AUTHORITY\Authenticated Users |

Delegation

Name | Allowed Permissions | Inherited |
---|---|---|
raylin\Domain Admins | Edit settings, delete, modify security | No |
raylin\Enterprise Admins | Edit settings, delete, modify security | No |
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |

Computer Configuration
Policy | Setting |
---|---|
Allow users to select new root certification authorities (CAs) to trust | Enabled |
Client computers can trust the following certificate stores | Third-Party Root Certification Authorities and Enterprise Root Certification Authorities |
To perform certificate-based authentication of users and computers, CAs must meet the following criteria | Registered in Active Directory only |
Policy | Setting |
---|---|
Policy version | Not Configured |
Disable stateful FTP | Not Configured |
Disable stateful PPTP | Not Configured |
IPsec exempt | Not Configured |
IPsec through NAT | Not Configured |
Preshared key encoding | Not Configured |
SA idle time | Not Configured |
Strong CRL check | Not Configured |
Policy | Setting |
---|---|
Firewall state | Off |
Inbound connections | Not Configured |
Outbound connections | Not Configured |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting | Comment |
---|---|---|
Force selected system UI language to overwrite the user UI language | Enabled | |
Restricts the UI language Windows uses for all logged users | Enabled | |
Policy | Setting | Comment |
---|---|---|
Apply the default account picture to all users | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow BITS Peercaching | Disabled | |
Do not allow the computer to act as a BITS Peercaching client | Enabled | |
Do not allow the computer to act as a BITS Peercaching server | Enabled |
Policy | Setting | Comment |
---|---|---|
Prohibit use of Internet Connection Firewall on your DNS domain network | Enabled | |
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled |
Policy | Setting | Comment |
---|---|---|
Windows Firewall: Protect all network connections | Disabled |
Policy | Setting | Comment |
---|---|---|
Prevent use of Offline Files folder | Enabled | |
Prohibit user configuration of Offline Files | Enabled | |
Remove “Make Available Offline” command | Enabled | |
Turn off reminder balloons | Enabled | |
Policy | Setting | Comment |
---|---|---|
Prohibit access of the Windows Connect Now wizards | Enabled |
Policy | Setting | Comment |
---|---|---|
Always render print jobs on the server | Enabled | |
Disallow installation of printers using kernel-mode drivers | Enabled | |
Execute print drivers in isolated processes | Enabled | |
Point and Print Restrictions | Enabled | |
Policy | Setting | Comment |
---|---|---|
Do not allow compression on all NTFS volumes | Enabled | |
Do not allow encryption on all NTFS volumes | Enabled |
Policy | Setting | Comment |
---|---|---|
Configure user Group Policy loopback processing mode | Enabled | |
Policy | Setting | Comment |
---|---|---|
Restrict Internet communication | Enabled |
Policy | Setting | Comment |
---|---|---|
Disallow changing of geographic location | Enabled |
Policy | Setting | Comment |
---|---|---|
Assign a default domain for logon | Enabled | |
Do not display the Getting Started welcome screen at logon | Enabled | |
Hide entry points for Fast User Switching | Enabled | |
Run these programs at user logon | Enabled | |
Turn off Windows Startup sound | Enabled | |
Policy | Setting | Comment |
---|---|---|
Select the Power button action (on battery) | Enabled | |
Select the Power button action (plugged in) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn Off the hard disk (plugged in) | Enabled | |

Policy | Setting | Comment |
---|---|---|
Turn off the display (plugged in) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Configure Offer Remote Assistance | Disabled | |
Configure Solicited Remote Assistance | Disabled |
Policy | Setting | Comment |
---|---|---|
Add the Administrators security group to roaming user profiles | Enabled | |
Delete cached copies of roaming profiles | Enabled | |
Do not log users on with temporary profiles | Enabled | |
Only allow local user profiles | Enabled | |
Wait for remote user profile | Enabled |
Policy | Setting | Comment |
---|---|---|
Prevent access to 16-bit applications | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Autoplay | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off desktop gadgets | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow Flip3D invocation | Enabled | |
Do not allow window animations | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off downloading of game information | Enabled | |
Turn off game updates | Enabled | |
Turn off tracking of last play time of games in the Games folder | Enabled |
Policy | Setting | Comment |
---|---|---|
Prevent the computer from joining a homegroup | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Accelerators | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Print Menu | Enabled |
Policy | Setting | Comment |
---|---|---|
Use Policy List of Internet Explorer 7 sites | Enabled | |
Policy | Setting | Comment |
---|---|---|
Allow deleting browsing history on exit | Enabled |
Policy | Setting | Comment |
---|---|---|
Disable the Advanced page | Enabled | |
Disable the Connections page | Enabled | |
Disable the Content page | Enabled | |
Disable the General page | Enabled | |
Disable the Privacy page | Enabled | |
Disable the Programs page | Enabled | |
Disable the Security page | Enabled |
Policy | Setting | Comment |
---|---|---|
Intranet Sites: Include all network paths (UNCs) | Enabled | |
Intranet Sites: Include all sites that bypass the proxy server | Enabled | |
Site to Zone Assignment List | Enabled | |
Policy | Setting | Comment |
---|---|---|
Launching applications and files in an IFRAME | Enabled | |

Policy | Setting | Comment |
---|---|---|
Allow active scripting | Enabled | |
Launching applications and files in an IFRAME | Enabled | |
Policy | Setting | Comment |
---|---|---|
Prevent specifying cipher strength update information URLs | Enabled | |

Policy | Setting | Comment |
---|---|---|
Prevent specifying the update check interval (in days) | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off Data Execution Prevention | Enabled |
Policy | Setting | Comment |
---|---|---|
Hide the Command bar | Enabled | |
Lock all toolbars | Enabled | |
Turn off Developer Tools | Enabled | |
Turn off toolbar upgrade tool | Enabled |
Policy | Setting | Comment |
---|---|---|
Prevent IIS installation | Disabled |
Policy | Setting | Comment |
---|---|---|
Disable remote Desktop Sharing | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Connect to a Network Projector | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Active Help | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled |
Policy | Setting | Comment |
---|---|---|
Prevent access to feed list | Enabled | |
Prevent automatic discovery of feeds and Web Slices | Enabled | |
Prevent downloading of enclosures | Enabled | |
Prevent subscribing to or deleting a feed or a Web Slice | Enabled | |
Turn off background synchronization for feeds and Web Slices | Enabled | |
Turn on Basic feed authentication over HTTP | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn on Security Center (Domain PCs only) | Disabled |
Policy | Setting | Comment |
---|---|---|
Do not allow Sound Recorder to run | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Windows Calendar | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Corporate redirection of Customer Experience Improvement uploads | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn off Windows Defender | Enabled |
Policy | Setting | Comment |
---|---|---|
Disable logging | Enabled | |
Disable Windows Error Reporting | Enabled |
Policy | Setting | Comment |
---|---|---|
Prevent Internet Explorer security prompt for Windows Installer scripts | Enabled | |
Turn off Windows Installer | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off Windows Mail application | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow Windows Media Center to run | Enabled |
Policy | Setting | Comment |
---|---|---|
Prevent Windows Media DRM Internet Access | Enabled |
Policy | Setting | Comment |
---|---|---|
Do Not Show First Use Dialog Boxes | Enabled | |
Prevent Automatic Updates | Enabled | |
Prevent Desktop Shortcut Creation | Enabled | |
Prevent Media Sharing | Enabled | |
Prevent Quick Launch Toolbar Shortcut Creation | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow Windows Messenger to be run | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Windows Mobility Center | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn on Script Execution | Enabled | |
Registry item | Value |
---|---|
Action | Replace |
Hive | HKEY_LOCAL_MACHINE |
Key path | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Value name | AutoAdminLogon |
Value type | REG_SZ |
Value data | 1 |
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | Yes |

Registry item | Value |
---|---|
Action | Replace |
Hive | HKEY_LOCAL_MACHINE |
Key path | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Value name | DefaultDomainName |
Value type | REG_SZ |
Value data | raylin.local |
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | Yes |

Registry item | Value |
---|---|
Action | Replace |
Hive | HKEY_LOCAL_MACHINE |
Key path | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Value name | DefaultUserName |
Value type | REG_SZ |
Value data | Kiosk |
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | Yes |

Registry item | Value |
---|---|
Action | Replace |
Hive | HKEY_LOCAL_MACHINE |
Key path | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
Value name | DefaultPassword |
Value type | REG_SZ |
Value data | Kiosk1! |
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | Yes |

Registry item | Value |
---|---|
Action | Replace |
Hive | HKEY_LOCAL_MACHINE |
Key path | SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
Value name | DisableLockWorkstation |
Value type | REG_SZ |
Value data | 1 |
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | Yes |

Registry item | Value |
---|---|
Action | Replace |
Hive | HKEY_CURRENT_USER (HKU\.DEFAULT) |
Key path | Software\Microsoft\Internet Explorer\Main |
Value name | FullScreen |
Value type | REG_SZ |
Value data | yes |
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | Yes |
Power plan item | Value |
---|---|
Action | Create |
Make this the active Power Plan | Enabled |
Name | Balanced |

When computer is: | Plugged in | Running on batteries |
---|---|---|
Require a password on wakeup: | No | No |
Allow hybrid sleep: | Off | Off |
Lid close action: | Do nothing | Do nothing |
Power button action: | Shutdown | Shutdown |
Start menu power button: | Shutdown | Shutdown |
Link State Power Management: | Moderate power savings | Maximum power savings |
Minimum processor state: | After 5 minutes | After 5 minutes |
Maximum processor state: | After 100 minutes | After 100 minutes |
Adaptive display: | On | On |
Critical battery action: | Do nothing | Do nothing |
Low battery level: | After 10 minutes | After 10 minutes |
Critical battery level: | After 5 minutes | After 5 minutes |
Low battery notification: | Off | Off |
Low battery action: | Do nothing | Do nothing |

Option | Value |
---|---|
Stop processing items on this extension if an error occurs on this item | No |
Remove this item when it is no longer applied | No |
Apply once and do not reapply | No |
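Two things in the computer-side preference items deserve a check on a finished machine. The auto-logon item writes DefaultPassword as a plain REG_SZ under the Winlogon key, which every local user can read, so the kiosk password is effectively public on that PC; Sysinternals Autologon stores it as an LSA secret instead, in which case the registry value is absent. The DisableLockWorkstation item is also written as REG_SZ, whereas the "Remove Lock Computer" policy that the user side of this GPO sets anyway uses a REG_DWORD. The report further turns the Windows Firewall and Windows Defender off. The following audit script is an added example, not part of the original article; it assumes an elevated PowerShell on a workstation in the ThinBasedPC OU after a `gpupdate`, and an English Windows installation because the `netsh` and `gpresult` output is parsed as text.

```powershell
# Added example, not part of the original article: audit what the computer-side
# preference items of NL_GPO_MGT_ThinbasedPC left behind on the workstation.
# Assumptions: elevated PowerShell on the kiosk PC, English Windows.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$findings    = New-Object 'System.Collections.Generic.List[string]'

# 1. Confirm the GPO actually applied before trusting anything else.
$applied = gpresult /r /scope:computer
if (-not ($applied -match 'NL_GPO_MGT_ThinbasedPC')) {
    $findings.Add('GPO not listed by gpresult; run gpupdate /force and check the OU link')
}

# 2. Auto-logon. DefaultPassword as a registry value is readable by every
#    local user; Sysinternals Autologon keeps it in an LSA secret instead and
#    leaves no DefaultPassword value behind.
$wl = Get-ItemProperty -Path $winlogonKey
if ($wl.AutoAdminLogon -eq '1') {
    Write-Output ('Auto-logon is on for {0}\{1}' -f $wl.DefaultDomainName, $wl.DefaultUserName)
    if ($null -ne $wl.PSObject.Properties['DefaultPassword']) {
        $findings.Add("Clear-text DefaultPassword present in $winlogonKey")
    }
}

# 3. DisableLockWorkstation: the preference item creates a REG_SZ "1", the
#    policy registers a REG_DWORD. Report the actual type instead of guessing
#    how Winlogon treats the string form.
try {
    $kind = (Get-Item -Path $policyKey).GetValueKind('DisableLockWorkstation')
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $findings.Add("HKLM DisableLockWorkstation is $kind, not DWord")
    }
} catch {
    $findings.Add('HKLM DisableLockWorkstation is not set')
}

# 4. Protections the GPO switches off (Firewall state: Off, Turn off Windows
#    Defender: Enabled). Whether that is acceptable depends on what else
#    protects the segment the thin PCs sit on, so only report it.
$fwState = netsh advfirewall show allprofiles state
if ($fwState -match 'State\s+OFF') {
    $findings.Add('Windows Firewall is OFF on at least one profile')
}
$defender = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($defender -and $defender.DisableAntiSpyware -eq 1) {
    $findings.Add('Windows Defender is disabled by policy (DisableAntiSpyware = 1)')
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Because the registry items are set to "Remove this item when it is no longer applied", moving a PC out of the OU clears the auto-logon values at the next refresh; while the GPO applies, however, the script will keep reporting the clear-text password until the item is replaced by an LSA-secret based auto-logon.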
User Configuration

Policy | Setting | Comment |
---|---|---|
Always open All Control Panel Items when opening Control Panel | Enabled | |
Show only specified Control Panel items | Enabled | |
Policy | Setting | Comment |
---|---|---|
Hide Add/Remove Windows Components page | Enabled |
Policy | Setting | Comment |
---|---|---|
Enable screen saver | Disabled | |
Force a specific visual style file or force Windows Classic | Enabled | |
Prevent changing color and appearance | Enabled | |
Prevent changing color scheme | Enabled | |
Prevent changing desktop background | Enabled | |
Prevent changing desktop icons | Enabled | |
Prevent changing mouse pointers | Enabled | |
Prevent changing screen saver | Enabled | |
Prevent changing sounds | Enabled | |
Prevent changing theme | Enabled | |
Prevent changing visual style for windows and buttons | Enabled | |
Prohibit selection of visual style font size | Enabled | |
Policy | Setting | Comment |
---|---|---|
Prevent addition of printers | Enabled | |
Prevent deletion of printers | Enabled |
Policy | Setting | Comment |
---|---|---|
Hide “Get Programs” page | Enabled | |
Hide “Installed Updates” page | Enabled | |
Hide “Programs and Features” page | Enabled | |
Hide “Set Program Access and Computer Defaults” page | Enabled | |
Hide “Windows Features” | Enabled | |
Hide “Windows Marketplace” | Enabled | |
Hide the Programs Control Panel | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not add shares of recently opened documents to Network Locations | Enabled | |
Don’t save settings at exit | Enabled | |
Hide and disable all items on the desktop | Enabled | |
Hide Internet Explorer icon on desktop | Enabled | |
Hide Network Locations icon on desktop | Enabled | |
Prevent adding, dragging, dropping and closing the Taskbar’s toolbars | Enabled | |
Prohibit adjusting desktop toolbars | Enabled | |
Prohibit User from manually redirecting Profile Folders | Enabled | |
Remove Computer icon on the desktop | Enabled | |
Remove My Documents icon on the desktop | Enabled | |
Remove Properties from the Computer icon context menu | Enabled | |
Remove Properties from the Documents icon context menu | Enabled | |
Remove Properties from the Recycle Bin context menu | Enabled | |
Remove Recycle Bin icon from desktop | Enabled | |
Remove the Desktop Cleanup Wizard | Enabled | |
Turn off Aero Shake window minimizing mouse gesture | Enabled |
Policy | Setting | Comment |
---|---|---|
Disable Active Desktop | Disabled |
Policy | Setting | Comment |
---|---|---|
Prohibit access of the Windows Connect Now wizards | Enabled |
Policy | Setting | Comment |
---|---|---|
Clear history of recently opened documents on exit | Enabled | |
Clear the recent programs list for new users | Enabled | |
Do not allow pinning items in Jump Lists | Enabled | |
Do not allow pinning programs to the Taskbar | Enabled | |
Do not display any custom toolbars in the taskbar | Enabled | |
Do not display or track items in Jump Lists from remote locations | Enabled | |
Do not keep history of recently opened documents | Enabled | |
Do not search communications | Enabled | |
Do not search for files | Enabled | |
Do not search Internet | Enabled | |
Do not search programs and Control Panel items | Enabled | |
Do not use the search-based method when resolving shell shortcuts | Enabled | |
Do not use the tracking-based method when resolving shell shortcuts | Enabled | |
Hide the notification area | Enabled | |
Lock all taskbar settings | Enabled | |
Lock the Taskbar | Enabled | |
Pin Apps to Start when installed | Disabled | |
Prevent changes to Taskbar and Start Menu Settings | Enabled | |
Prevent users from adding or removing toolbars | Enabled | |
Prevent users from customizing their Start Screen | Enabled | |
Prevent users from moving taskbar to another screen dock location | Enabled | |
Prevent users from rearranging toolbars | Enabled | |
Prevent users from resizing the taskbar | Enabled | |
Prevent users from uninstalling applications from Start | Enabled | |
Remove access to the context menus for the taskbar | Enabled | |
Remove All Programs list from the Start menu | Enabled | |
Remove Balloon Tips on Start Menu items | Enabled | |
Remove common program groups from Start Menu | Enabled | |
Remove Default Programs link from the Start menu. | Enabled | |
Remove Documents icon from Start Menu | Enabled | |
Remove Downloads link from Start Menu | Enabled | |
Remove Favorites menu from Start Menu | Enabled | |
Remove frequent programs list from the Start Menu | Enabled | |
Remove Games link from Start Menu | Enabled | |
Remove Help menu from Start Menu | Enabled | |
Remove Homegroup link from Start Menu | Enabled | |
Remove links and access to Windows Update | Enabled | |
Remove Logoff on the Start Menu | Enabled | |
Remove Music icon from Start Menu | Enabled | |
Remove Network Connections from Start Menu | Enabled | |
Remove Network icon from Start Menu | Enabled | |
Remove Pictures icon from Start Menu | Enabled | |
Remove pinned programs from the Taskbar | Enabled | |
Remove pinned programs list from the Start Menu | Enabled | |
Remove Recent Items menu from Start Menu | Enabled | |
Remove Recorded TV link from Start Menu | Enabled | |
Remove Run menu from Start Menu | Enabled | |
Remove Search link from Start Menu | Enabled | |
Remove See More Results / Search Everywhere link | Enabled | |
Remove the Action Center icon | Enabled | |
Remove the battery meter | Enabled | |
Remove the networking icon | Enabled | |
Remove user folder link from Start Menu | Enabled | |
Remove user name from Start Menu | Enabled | |
Remove user’s folders from the Start Menu | Enabled | |
Remove Videos link from Start Menu | Enabled | |
Show QuickLaunch on Taskbar | Disabled | |
Turn off all balloon notifications | Enabled | |
Turn off feature advertisement balloon notifications | Enabled | |
Turn off notification area cleanup | Enabled | |
Turn off personalized menus | Enabled | |
Turn off user tracking | Enabled |
Policy | Setting | Comment |
---|---|---|
Remove Change Password | Enabled | |
Remove Lock Computer | Enabled | |
Remove Logoff | Enabled | |
Remove Task Manager | Enabled |
Policy | Setting | Comment |
---|---|---|
Set the default behavior for AutoRun | Enabled | |
Turn off Autoplay | Enabled | |
Policy | Setting | Comment |
---|---|---|
Turn off desktop gadgets | Enabled |
Policy | Setting | Comment |
---|---|---|
Hide these specified drives in My Computer | Enabled | |
Prevent access to drives from My Computer | Enabled | |
Remove Search button from File Explorer | Enabled | |
Turn off Windows+X hotkeys | Enabled | |
Policy | Setting | Comment |
---|---|---|
Disable changing home page settings | Enabled | |
Enforce full-screen mode | Enabled | |
Search: Disable Find Files via F3 within the browser | Enabled | |
Turn off the quick pick menu | Enabled | |
Policy | Setting | Comment |
---|---|---|
File menu: Disable closing the browser and Explorer windows | Enabled | |
View menu: Disable Full Screen menu option | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn on Caret Browsing support | Disabled |
Policy | Setting | Comment |
---|---|---|
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts | Enabled | |
Turn off InPrivate Browsing | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Developer Tools | Enabled |
Policy | Setting | Comment |
---|---|---|
Restrict the user from entering author mode | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Windows Calendar | Enabled |