Disable NTLM

Disable NTLM KB ID 0001880

Problem

NTLM (NT LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users in a network. It is an older protocol that has been largely replaced by Kerberos, (since Server 2008 and windows Vista!) In modern Windows environments due to its enhanced security features. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on a network. It operates in three versions: NTLMv1, NTLMv2, and NTLMv2 Session Security.

Key Components

Authentication Process:

    • Challenge-Response Mechanism: NTLM uses a challenge-response mechanism where the server challenges the client, and the client responds with a value that proves its knowledge of the user’s password.
    • Session Security: Provides confidentiality (encryption) and integrity (signing) for data sent over the network.

NTLM Versions:

    • NTLMv1:
      • Uses DES (Data Encryption Standard) for encryption.
      • The client sends a hashed password, and the server compares it to the stored hash.
      • Known for its vulnerabilities, including susceptibility to replay attacks and weak password hashes (LM hashes).
    • NTLMv2:
      • Introduced to address the security shortcomings of NTLMv1.
      • Uses HMAC-MD5 for cryptographic operations.
      • Provides stronger encryption and better resistance to replay attacks.
      • Supports mutual authentication where both client and server authenticate each other.
    • NTLMv2 Session Security:
      • Provides additional security by creating a session key based on both client and server challenge-response pairs.
      • Ensures integrity and confidentiality for the session.

Components of NTLM:

    • User Authentication: Verifies the identity of a user or system requesting access.
    • Message Integrity: Ensures that messages are not tampered with during transmission.
    • Message Confidentiality: Encrypts messages to protect sensitive information.

Security Weaknesses

  1. NTLMv1:
    • Weak Hashing (LM Hash): The LM hash is derived from passwords in a way that is susceptible to brute-force attacks.
    • Replay Attacks: Can be exploited to reuse valid authentication tokens.
    • Lack of Mutual Authentication: Only the client is authenticated, not the server.
  2. NTLMv2:
    • Improved but Still Vulnerable: While it significantly improves upon NTLMv1, it is still not as secure as Kerberos and can be vulnerable to certain types of attacks, especially in environments where NTLMv1 is still supported for backward compatibility.

Deprecation and Modern Alternatives

  • Kerberos: Introduced in Windows 2000, Kerberos provides stronger security features, including mutual authentication, and is now the default authentication protocol in Active Directory environments.
  • Recommendations: Organizations are encouraged to disable NTLM where possible, particularly NTLMv1, and to use Kerberos or other modern authentication protocols.

In Summary

NTLM played a crucial role in early Windows network security, providing a means of authenticating users and securing communications. However, due to its security vulnerabilities, especially in NTLMv1, it has been largely replaced by more secure protocols like Kerberos. NTLMv2 offers improvements but is still not as robust as modern alternatives, making it advisable for organizations to phase out NTLM in favour of stronger authentication methods.

As of Jun 2024 Microsoft has declared that NTLM (all versions) are depreciated.

Solution : Disable NTLM

Developers are being encouraged to STOP using NTLM, and the advice is to set your systems to ONLY use NTLM if Kerberos is not available. You first challenge is to find out what (if anything) is still using NTLM.

On your server(s) look in the (Security) Event logs for Event ID 4624 That mentions NTLM.

But there’s thousands of Event ID 4624 events, so let’s narrow the search with some PowerShell.

[box]

$query= @"
    <QueryList> 
           <Query Id="0"> 
              <Select Path="Security"> 
                *[System[(EventID='4624')]] 
                 and 
                *[EventData[Data[@Name='AuthenticationPackageName'] and (Data='NTLM')]]
               </Select> 
           </Query> 
    </QueryList>
"@
Get-WinEvent -FilterXml $query

[/box]

Now I can review each of those events (by their time stamp!) and I’ve only got two offenders to investigate.

You can also have a reconnoitre with WireShark, and scan for ntlmssp.

Disable NTLM v1

It’s considered best practice to disable NTLM version 1 first, then wait for a while (a period of a few weeks,) then you can attempt to disable NTLM version 2 also.

Edit the Default Domain Controller Policy and Navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: LAN Manager Authentication Level

[/box]

Settings;

  • Send LM and NTLM responses
  • Send LM and NTLM (use NTLMv2 session security if negotiated)
  • Send NTLM response only
  • Send NTLMv2 response only
  • Send NTLMv2 response only, Refuse LM: Domain controllers offer only NTLMv2 but still accept NTLMv1 authentication.
  • Send NTLMv2 response only, Refuse LM and NTLM: Domain controllers refuse LM and NTLMv1, accepting only NTLMv2.

To keep NTLM v2 and disable NTLM v1 choose the last option.

WARNING: This will effectively tattoo this setting into registry of the domain controller(s), even if you have a problem and revert the setting back to not defined, it will remain. If that happens to you, you can manually change the setting in the registry at.

[box]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

[/box]

 

There’s six settings (0 to 5) that correspond to the ones in the group policy for further information see this article.

Disable NTLM Completely

Before proceeding its a good idea to enable the “Restrict NTLM: Audit NTLM authentication in this domain” policy then waiting a while longer and reviewing the logs, if something does appear you can simply add it to the “Restrict NTLM: Add server exceptions in this domain” policy

This time in the default domain controller’s policy navigate to.

[box]

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >  
Network Security: Restrict NTLM: NTLM authentication in this domain

[/box]

  • Disable: the policy is disabled (NTLM authentication is allowed in the domain).
  • Deny for domain accounts to domain servers: the domain controllers reject NTLM authentication attempts for all servers under the domain accounts, and the “NTLM is blocked” error message is displayed.
  • Deny for domain accounts: the domain controllers are preventing NTLM authentication attempts for all domain accounts, and the “NTLM is blocked” error appears.
  • Deny for domain servers: NTLM authentication requests are denied for all servers unless the servername is on the exception list in the “Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain” policy.
  • Deny all: the domain controllers block all NTLM requests for all domain servers and accounts.

To stop client computers attempting to connect with NTLM you can edit the Default Domain Policy.

  • Network security: Restrict NTLM: Incoming NTLM traffic = Deny all accounts
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Deny all

Related Articles, References, Credits, or External Links

NA

Auto Update ADMX Files

Auto Update ADMX KB ID 0001824

Problem

It’s been a long time since I ran through setting up a central policy definitiosn store. In that time, you’ve probably had to copy ADMX (and ADML) files into your central store manually. Microsoft updates typically DO download updates but puts them (usually) in C:\Windows\PolicyDefinitions, There’s probably a sensible reason for that.

When someone cleverer than I has scripted this,  and included support not just for Windows, but for;

  • Adobe Acrobat
  • Adobe Reader
  • Base Image Script Framework (BIS-F)
  • Citrix Workspace App
  • FSLogix
  • Google Chrome
  • Microsoft Desktop Optimization Pack
  • Microsoft Edge (Chromium)
  • Microsoft Office
  • Microsoft OneDrive (installed or Evergreen)
  • Microsoft Windows 10 (1903/1909/2004/20H2/21H1/21H2/22H2)
  • Microsoft Windows 11 (21H2/22H2)
  • Mozilla Firefox
  • Zoom Desktop Client

Solution: Auto Update ADMX

Execute the following command.

[box]

Install-Script -Name EvergreenADMX

[/box]

Answer any questions with a ‘Y’.

Now to test the script you can simply run Evergreenadmx.ps1 and it should run though manually. Once you’ve ascertained that it runs without error you can use the following syntax to update you central store*

[box]

EvergreenAdmx.ps1 -Windows11Version "22H2" -PolicyStore "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions"

[/box]

*Note: Assuming you’re on a domain controller!

Scheduling Auto Update ADMX

Here I’m creating a Scheduled task (If you feeling lazy simply import this one) Give it a sensible name > I would set it to run monthly Unless you are downloading browser and application ADMX files also > I’ve scheduled it for the second Wednesday of the month (See what I did there?)

Set the task to ‘Start a Program‘.

Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy ByPass -Command “&amp; ‘C:\Scripts\EvergreenAdmx\EvergreenAdmx.ps1′ -Windows11Version ’22H2’ -PolicyStore ‘C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions'”

Related Articles, References, Credits, or External Links

OneDrive GPO (Domain Group Policy)

Windows LAPS

Windows LAPS KB ID 0001822

Problem

We used to have Microsoft LAPS, now we have Windows LAPS! LAPS is a solution that lets’ you store admin passwords ‘elsewhere‘ be that in your local Active Directory or Azure Active Directory*. Unlike previously, where you had to deploy/install client software, it’s now built into Windows from the following versions.

  • Windows 11 22H2 – April 11 2023 Update
  • Windows 11 21H2 – April 11 2023 Update
  • Windows 10 – April 11 2023 Update
  • Windows Server 2022 – April 11 2023 Update
  • Windows Server 2019 – April 11 2023 Update

*Note: Is in the pipeline at time of writing traditional (on-premises) AD only is supported.

The premise is that instead of having a single (easily compromised) local admin password (or DSRM password on a DC) for your assets you can have a different password (that can be controlled with a complexity policy) for each client/server and that password is stored securely in Active Directory, (as an attribute of the computer object).

  Backup to Azure AD Backup to Local  (On-Premises) AD
Azure AD Joined Yes No
Local (On-Premises)  Joined No Yes
Hybrid Joined Yes (if not backed up to on-premises AD) Yes (if not backed up to Azure AD)
Workplace Joined No No

Solution: Windows LAPS

Firstly, FULLY update all the domain controllers in the domain.

On a DC you can load the LAPS module and look at the commandlets.

[box]

ipmo LAPS
gcm -Module

[/box]

From these commandlets the first one we need to use is Update-LapsAdSchema, this will extend the active directory schema and add the LAPS attributes to the computer objects.

[box]

Update-LapsAdSchema

[/box]

It will ask you con conform you can watch each step by pressing Y – or if you’re lazy (like me) simply press A {Enter}.

You can’t really see what it is doing, but if you’re interested, you can run the same command again with a -verbose switch on it to see exactly what going on.

OK, but what has that done? Well as I said above, the computer objects have been extended and they now have ALL have the following attributes.

Note: Yes, there’s now a LAPS tab also, but there won’t be anything in there yet.

The next commandlet we need, Set-LapsADComputerSelfPermission, will grant the computer object the rights to manage its own LAPS password, You can set this on the root of the domain if you wish. Here I have all my computer objects in an OU called PNL so I’m applying that right at the TOP LEVEL OU, and it will apply to all children OUs.

[box]

Set-LapsADComputerSelfPermission -Identity "OU=PNL,DC=pnl,DC=com"

[/box]

Setting Windows LAPS Settings via Group Policy

Create a new GPO (or edit an existing one) that links to the OU where your COMPUTER objects live. (remember if managing DSRM passwords you will also need to link the policy to the Domain Controllers OU also).

Edit the Policy and navigate to;

[box]

Computer configuration > Policies > Administrative Templates > System > LAPS

[/box]

Note: If you have a LAPS folder directly under Administrative Templates, that’s for the older Microsoft LAPS settings!

Policies to edit;

  1. Enable Password Backup for DSRM accounts : Enable
  2. Name of administrator account to manage : Enable  > laps.admin
  3. Configure Password Backup Directory : Enable > Active Directory

Note: If you already have a local admin account, built into you master computer image for example, you can use that account instead.

Further policy to edit;

  1. Password settings : Enable > (I accept the defaults)

The screen shot below shows how the policy should look before you exit the group policy editor.

Windows LAPS Local Admin

Here I’ve manually created the local user, you can either roll this out by script, GPO, or building the account into the your default image for OS deployment.

Retrieving Windows LAPS Passwords

Below you can see we can retrieve both a local Windows LAPS password for a client, or a DSRM password for a domain controller.

Simply click Show password and Copy password, and the password will be on the clipboard (as shown).

To get the password via PowerShell use the Get-LapsADPassword commandlet.

[box]

Get-LapsADPassword "PNL-Win11" -AsPlainText

[/box]

Troubleshooting Windows LAPS

The update also allows you to view LAPS event logs in the Event Viewer, like so.

Interoperability Microsoft LAPS and Window LAPS

If you have the older Microsoft LAPS running (i.e. Your end clients have the LAPS client software being deployed to them, then when the Apr 23 LAPS update is deployed to them and used, BOTH Systems may stop working. To fix this you need to disable Legacy LAPS by setting the following registry key on your clients.

[box]

HKLM > Software > Microsoft > Windows > CurrentVersion > LAPS > Config

[/box]

Create a new 32 bit DWORD value called BackupDirectory and set its value to 0 (zero).

Once the Azure AD element is fully released and supported, I’ll loop back and include that also.

Related Articles, References, Credits, or External Links

Microsoft LAPS – Deployment and Configuration

MS: What is Windows LAPS Overview

OneDrive GPO (Domain Group Policy)

OneDrive GPO KB ID 0001821

Problem

The administrative template that you get with Win11 is somewhat out of date, so if you want to manage OneDrive with domain group policy your options are limited, if only there was a newer administrative template!

Well, there is, and it gets updated and sent to you quite regularly. Microsoft just do a good job of hiding it.

Solution OneDrive GPO

Depending on your deployment the files you need can be in different locations, the biggest challenge is finding them. execute the following PowerShell to locate them.

[box]

$OnePath = ("$env:LOCALAPPDATA\Microsoft\OneDrive", `
"$env:ProgramFiles(x86)\Microsoft\OneDrive", `
"$env:ProgramFiles\Microsoft OneDrive")
$OnePath | foreach{
    Get-ChildItem "$_\*\adm\onedrive.adm?" -ErrorAction SilentlyContinue
}

[/box]

As you can (above) see mine are in my user profile. The folder that they are in will also give you the build number, so you can check occasionally for updates (that will get pulled down when your OneDrive client gets updated).

Go to that directory and you will find the ADMX and ADML files.

Note: For anyone who is not English speaking, there may be a different ADML file in the locale folders you can see above.

Copy the OneDrive.admx file into your PolicyDefinitions folder (if unsure of the path, see below. obviously substitute your own domain name and here I’m on a domain controller so the SYSVOL volume on my local drive).

Now change to the INPUT LOCALE folder (in my case en-US) and copy the OneDrive.adml file into that folder.

Then when you are in the Group Policy Management Editor you will see the updated OneDrive options.

[box]

Computer Configuration > Policies > Administrative Templates > OneDrive

[/box]

If you can’t see them ensure your policy definitions have been setup correctly.

Related Articles, References, Credits, or External Links

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Microsoft Edge Multiple Statup Pages (via GPO)

Microsoft Edge KB ID 0001818

Problem

Controlling Microsoft Edge with Group Policy is pretty straight forward, you just need to ensure the msedge.admx and msedgeupdates.admx files have been added to your policy definitions store in the right folders. If you have no idea what I’m talking about, see the following article.

Microsoft Edge on Server 2019/2016 (and Citrix)

Then you can deploy group policies to your server’s/client’s Microsoft Edge browsers.

Solution: Microsoft Edge ‘Start Pages’

Create a new GPO (or edit an existing one) that’s linked to your target COMPUTERS OU > Navigate to.

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge > Sites to Open When the Browser Starts

[/box]

Enable the policy > Show > Enter the URLs you want to open line by line > OK > Exit the group policy editor.

Then wait, or force a policy update to test.

Related Articles, References, Credits, or External Links

NA

Microsoft Edge on Server 2019/2016 (and Citrix)

KB ID 0001657

Problem

In a fit of lunacy Microsoft have called ‘their’ new browser Microsoft Edge, so we can spend the next few months confusing it with Edge. Plus every Google search for GPO settings, error messages etc will all now show search results for the old Edge Browser not the new Microsoft Edge browser! Perhaps the same doofus at Microsoft who called the Exchange sync Active Sync when Microsoft already had a product called Active Sync was involved?

Anyway I got a request from a client this week to have Microsoft Edge on their Citrix environment, there was some confusion (imagine that), because Edge does not work on server 2016, (and it’s not shipped as part of server 2016), but would Microsoft Edge work?

Installing Microsoft Edge on Server 2019/2016 (With IE11)

Why is Internet explorer still alive? Anyway If you want to install Edge on a modern Windows server firstly ensure you are fully up to date with updates! Then open IE. Internet Options > Security > Custom > Scripting > Enable Active Scripting > OK > Yes > Apply > OK.

 Then go to https://www.microsoft.com/en-us/edge/business and install it manually.

Microsoft Edge on Server 2019/2016

The first test was, ‘would it run on Server 2016’, it detected the OS as Windows 10 (unsurprisingly), and installed fine;

Microsoft Edge on Remote Desktop Services

Well Citrix is really just Remote Desktop Services in a leather jacket, so the next test was,’ would it work in RDS?’ I span up an RDS farm on the bench, and was pleased to see I could select Microsoft Edge as a RemoteApp, (not that I needed to deploy it using RemoteApp, but it being detected was promising).

And in an RDS session it worked faultlessly.

Deploy Microsoft Edge on Citrix (Server 2016)

Here’s where we had a problem, it installed fine, but every time I went to open it, all I got was a ‘white screen’ for about 5 minutes, after this it burst into life, which I couldn’t really ask the client to put up with!

As this was happening when I launched the browser I ‘wrongly’ assumed it was a ‘first run‘ problem (for the uninitiated, previous Microsoft browsers got an annoying ‘how do you want to set the browser up’ routine, then finally dumped you on the MSN webpage, (does anyone actually use the MSN webpage?) While it didn’t cure my problem it’s worth mentioning how I stopped the first run dialog happening);

Controlling Microsoft Edge with Group Policies

If you are used to importing ADMX and ADML files then this will be a breeze to you. If you are really interested I cover the subject in great deal in the following post;

Setup up a Central ‘PolicyDefinitions’ Store (for ADMX files)

Essentially download the latest msedge.adml and msedgeupdate.adml files and (on a Domain controller,) copy them to;

[box]

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions\en-US

[/box]

Note: Other Input locales are available, my servers are using English (US).

Then copy the msedge.admx and msedgeupdates.admx files to;

[box]

C:\Windows\SYSVOL\{domain-name}\Policies\PolicyDefinitions

[/box]

Microsoft Edge Stop ‘First Run’ With Group Policy

The two policies I used are both located at;

[box]

Computer configuration > Policies > Administrative Templates > Microsoft Edge

[/box]

Microsoft Edge: Stop Importing of Bookmarks/Favourites

Locate: ‘Automatically import another browser’s data and settings at first run‘ > Enable the policy, and select ‘Disable automatic import and the import section of the first run experience is skipped‘ > Apply > OK.

Microsoft Edge: First Run

This will disable the entire first run dialog;

Locate: ‘Hide the First-run experience and splash screen‘ > Enable the policy > Apply > OK.

Then either wait or force a policy refresh.

Deploy Microsoft Edge on Citrix

As it was working in RDS and not working on Citrix, then the problem was probably Citrix*. Citrix is one of my weaker subjects, so credit for the actual fix should go to my colleague (Dan Brookes). 

*After I had discounted existing group policies, and other installed applications.

Running Microsoft Edge while it was ‘hanging’ and looking at what was going on in ‘Process Monitor’ showed a lot of hook64.dll entries;

This pointed to the culprit, open the registry Editor (regedit) and navigate to;

[box]

HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > CtxUvi

[/box]

Locate the UviProcesExcludes REG_SZ value, edit it and add ‘msedge.exe;‘ to the end.

Theres probably one service you can restart, but I simply rebooted the server, (problem solved).

FSLogix and Microsoft Edge

If you are running FSLogix you should also add an ‘exclusion’ to the Redirections.xml file, (located in your \\{domain-name}\NETLOGON folder).

[box]

<Exclude>AppData\Local\Microsoft\Edge Dev\User Data\Default\Cache</Exclude>

[/box]

 

Related Articles, References, Credits, or External Links

Microsoft Edge (macOS) Migrate Bookmarks from Safari

Windows Error Code 0x800F0954

KB ID 0001626

Problem

Seen when attempting to add a Windows Optional Feature;

Windows couldn’t complete the required changes.
The changes could not be completed. Please reboot your computer and try again
Error code: 0x800F0954

Solution

Typically you see this error if your machine is set to get its updates from WSUS. You can change the way Windows operates to get the ‘Feature addition’ files directly from Microsoft with a group policy.

  • For Local Policy: Windows Key+R > gpedit.msc {Enter}
  • For Domain Policy: (On a domain controller) > Windows Key+R > gpmc.msc {Enter} > Create a new policy or edit one that’s linked to computer objects.

Navigate to;

[box]

Configuration > Administrative Templates > System 

[/box]

Locate ‘Specify Settings for optional component installation and component repair‘.

Set to Enabled > Tick ‘Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) > Apply > OK > Close the policy editor.

Then either wait or Windows – Forcing Domain Group Policy

Related Articles, References, Credits, or External Links

NA

Gpupdate: Windows Could Not Locate the Directory Object

KB ID 0001625

Problem

Saw this on a Windows client on my test network;

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows could not locate the directory object OU=Top-Level,OU=computers,DC=PeteNetLive,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Note: You may also see Event ID 1101

Event ID 1101

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1101
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: PNL-PROD-WIN10.pnl.com
Description:
The processing of Group Policy failed. Windows could not locate the directory object OU=PNL,DC=pnl,DC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

Solution

Strangely the OU that this computer was in, needed to have the ‘Read‘ right, granting to ‘Authenticated Users’ group, not sure how that got removed! Note: Remember start at the OU that’s directly on the root of the domain, of you have nested OUs.

After that everything was peachy!

Related Articles, References, Credits, or External Links

NA

Stop Windows Asking For Password After Sleep / Standby

KB ID 0001624

Problem

I’ve done a few posts that involve me demonstrating how to disable a security feature, and people have messaged me with a mix of disgust/distain/horror. But I’m sick and tired of all the machines on my test network getting locked while I’m dragged onto something else, they are test machines, with no live data on them, and there’s only me uses them anyway! 

And some people just want to log on on a morning and not have to log on again, (Oh the security horror!) But let’s be honest Tom Cruise is not going to abseil down from the rafters to steal your order forms for spanners, or whatever mundane junk you have on your PC/laptop that no one other than you, and your office is bothered about.

Note: Don’t get this confused with Windows – Disable the ‘Lock Screen’

Solution

There are two policies that control this, one is in effect if your Windows machine is plugged in, the other takes over when you are running on battery power, you can disable password prompting for one or both.

Disable Password Prompt When Computer Wakes Up

You can see this on an individual machine (local policy) or you can create a domain computer policy, and enforce this on many/all Windows clients. 

  • For Local Policy: Windows Key+R > gpedit.msc {Enter}
  • For Domain Policy: (On a domain controller) > Windows Key+R > gpmc.msc {Enter} > Create a new policy or edit one that’s linked to computer objects.

Disable When Plugged In

Navigate to;

[box]

Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings

[/box]

Locate ‘Require a password when a computer wakes (plugged in)‘ > Set to Disabled > Apply > OK > Close the policy editor.

 

Disable When On Battery Power

Navigate to;

[box]

Computer Configuration > Administrative Templates > System > Power Management > Sleep Settings

[/box]

Locate ‘Require a password when a computer wakes (on battery)‘ > Set to Disabled > Apply > OK > Close the policy editor.

Then either wait or Windows – Forcing Domain Group Policy

Related Articles, References, Credits, or External Links

NA

Windows – Stop the Welcome to Internet Explorer from launching via GPO

KB ID 0000459

Problem

If your’e logging on as a new user and Internet Explorer has not yet been ran, then it wants to run the “Setup Windows Internet Explorer Wizard”.

On just one machine with one user that’s fine, but if you are logging in all over the place, with multiple credentials, this can get quite annoying. Also you might not want your domain users having to do this at all, for security reasons.

Solution

On a Single (stand alone) machine.

1. Click start and in the run/search box type gpedit.msc{enter}

2. Navigate to > Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent Running First Run wizard.

Note: In older versions of Windows its called, ‘Prevent Performance of First Run Customize settings

3. If you enable the policy you can set it to either:

a. Go directly to home page.
b. Go to the “Welcome to Internet Explorer” Web page.

4. Reboot the PC or Force a Group Policy Refresh.

In a Windows Domain Environment

1. On one of your domain controllers > Start > Administrative Tools > Group Policy Management Console > Either select and existing policy or create and link one to the COMPUTERS you want this policy to affect. Then edit the policy.

2. Navigate to > Computer Configuration Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent Running First Run wizard.

Note: On older Windows Platforms this is called ‘Prevent Performance of First Run Customize settings.

3. If you enable the policy you can set it to either:

a. Go directly to home page.
b. Go to the “Welcome to Internet Explorer” Web page.

4. Reboot the PC or Force a Group Policy Refresh.

Related Articles, References, Credits, or External Links

Group Policy Preferences and Client Side Extensions