We are trying to prevent our users from running various commands that we don't specifically approve. We have implemented AppLocker, but that doesn't prevent the user from running commands beginning with rundll32.exe or regsvr32.exe. In previous versions of Windows the group policy setting "Remove Run menu from Start Menu" was sufficient. But in Windows 10, when a user starts typing any command in search, even with that GP setting enforced, the command runs. It is a significant security issue, and I am surprised that Windows 10, which is generally more secure, in this issue is actually less so.

Is there any way to prevent this? I've already found it on the task bar (even if I set it to "hidden", the user can switch it back to "show search icon" or "show search box"), in the alphabetical list of programs (under "Search") and via the Windows S and Windows Q hotkeys. If not, is there at least a way I can prevent access to the search field?

I tried renaming the folder C:\Windows\SystemApps\_cw5n1h2txyewy. That did disable the search function entirely, but it went too far for our needs. It would prevent the users from running their programs from the Start Menu. For example, they couldn't just start typing "Word" and have Microsoft Word open.

I know it has been a long time since you posted this question, but thought I would let you know how we have dealt with this problem as it may still help you or somebody else.

We have disabled the search function using AppLocker and then placed shortcuts to commonly used applications (e.g.

We have also deployed a Start Menu layout which contains tiles for all of the common applications so Word, Excel etc all have a tile on the Start Menu.

I know you didn't want to completely disable the search function, but maybe the Start Menu layout and desktop could be an acceptable compromise?

To configure AppLocker to block the search function I created the following rule:

Note: For those who have never used AppLocker, it can be found here:

COMPUTER Configuration\Policies\Windows Settings\Security Settings\Application Control Policies\AppLocker

Under Packaged app Rules I created a policy with the following settings. I chose to Allow all packages by default and create exceptions for anything I wanted to disable. You could just configure a Deny rule for the Cortana package instead.

Publisher: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

I then created another rule which allowed all packages with no exceptions and applied it to a security group which contains myself and my colleagues (e.g. DOMAIN\IT Support) to stop it from preventing us access to everything my first rule blocks. (NOTE: I found that using the Administrators group didn't work well for this as you would need to elevate your account/run as administrator to use anything which was blocked. Using another group such as 'IT Support Staff' works much better).

To deploy the Start Menu layout I enabled the following policy:

USER Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Start Layout File

I stored the layout file in an accessible share and pointed the policy at that. You can create your own Start Menu layout file by exporting the layout from your own Start Menu. This can be done using this PowerShell command:

More info here: Customize and export Start layout ( is inbuilt into Windows OS enterprise-level edition and needs no additional installation onto the system. For standalone systems, rules can be enforced using the Local Security Policy editor (secpol.msc).