How to prevent the saving of Remote Desktop Credentials in Windows

It is worth noting that you do not have to do anything for Remote Desktop Connection (RDP) to have your credentials saved. This is done by default. This can have some security implications when a lot of users utilize a single device.

See how to remove saved RDP credentials / entries in Windows 10
https://techdirectarchive.com/2020/03/17/how-to-remove-saved-rdp-credentials-in-windows-10/

See how to allow saved credentials for RDP connections
https://techdirectarchive.com/2020/03/17/how-to-allow-saved-credentials-for-rdp-connection/

Below are the steps to disable saving of Remote Desktop Connection credentials. To achieve this, launch gpedit.msc from the command prompt, the Run dialog or Windows search.

gpedit.msc

Navigate to the following location.
– User Configuration
– Administrative Templates
– Windows Components
– Remote Desktop Services

Click on “Remote Desktop Connection Client” under Remote Desktop Services as shown below.

In the Setting list on the right, double-click on the “Do not allow passwords to be saved” setting.

– Note: This can also be done via the Group Policy Management console for Domain Devices centrally.

To ensure this applies immediately, run GPUpdate. For more information on GPO switches, see all about GPUpdate switches – GPUpdate vs GPUpdate /force https://techdirectarchive.com/2020/02/26/all-about-gpupdate-switches-gpupdate-vs-gpupdate-force/
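
The state of this policy, and any RDP credentials already saved on the device, can be checked from PowerShell. This is an added example, not part of the original article: the function name is hypothetical, DisablePasswordSaving is the registry value this policy writes, and TERMSRV/ is the prefix cmdkey shows for saved RDP targets.

```powershell
# Added example, not from the original article. Function name is hypothetical.
function Get-RdpPasswordSavingState {
    # "Do not allow passwords to be saved" writes DisablePasswordSaving = 1 under this
    # key: HKCU for the User Configuration policy, HKLM for the Computer one.
    $sub = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = foreach ($hive in 'HKCU', 'HKLM') {
        $value = (Get-ItemProperty -Path "${hive}:\$sub" -Name DisablePasswordSaving `
                    -ErrorAction SilentlyContinue).DisablePasswordSaving
        [pscustomobject]@{
            Hive           = $hive
            Value          = $value              # $null means "Not Configured"
            SavingDisabled = ($value -eq 1)
        }
    }

    # Credential Manager entries created by the RDP client have a TERMSRV/<host> target.
    $saved = cmdkey /list |
        Select-String -Pattern 'TERMSRV/\S+' |
        ForEach-Object { $_.Matches[0].Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Policy          = $policy
        SavedRdpTargets = @($saved)
    }
}

$state = Get-RdpPasswordSavingState
$state.Policy | Format-Table -AutoSize
"Saved RDP credentials: $($state.SavedRdpTargets.Count)"
$state.SavedRdpTargets
```

SavedRdpTargets lists entries already in Credential Manager, which can be removed as described in the article linked above.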

How to permit (run) only certain apps in Windows

In this guide, I will be demonstrating how to permit users on the computer to be able to run only a list of allowed programs. This can be achieved via the group policy and by tweaking the registry settings.

These steps are similar to how to block apps from running in Windows. https://techdirectarchive.com/2020/03/14/how-to-block-apps-from-running-in-windows/

Via the Registry Settings: Launch the Registry Editor using “regedit.exe” from the search box and accept the UAC prompt.

This will open the Registry Editor. Navigate through the registry hive to the following key as shown below.

– HKEY_CURRENT_USER
– SOFTWARE
– Microsoft
– Windows
– CurrentVersion
– Policies

Next, create a new sub-key inside the Policies key.
– Right-click the Policies key,
– Select New
– Select Key

– Name the new key Explorer

Next, create a value inside the new Explorer key by right-clicking on the Explorer key and
– Select New
– Select DWORD (32-bit) value
– Name the new value RestrictRun

Next, double-click the new “RestrictRun” value (this will open its properties window).
– Change the value from 0 to 1 in the “Value data” box as shown below.

– Finally, click “OK.”

Next, create a new sub-key in the Explorer key by doing the following.
– Right-click on the Explorer key
– Select New
– Select Key.
– Name the new key RestrictRun

In the next steps, we will start populating (adding) the apps we wish to allow. Below are the steps to achieve this.

– Create a new string value inside the RestrictRun key. Here, you will do this for every application you desire to permit (allow).
– Right-click on the RestrictRun key
– Select New
– Select String Value.

Name the new value 1 as shown below.

Next, double-click the value and enter the application you wish to permit as shown below.

Click on OK and the value will appear as shown below.

Repeat this process as many times as you desire, using the number format of “2,” “3,” etc. as the value names, followed by the executable file names you wish to run as shown above.

When you are done, ensure you restart your device to have the settings applied.
Note: If you do not restart, the settings will not be applied.

To test: this will successfully launch Notepad++ and some UWP applications. But when you try to launch other desktop apps and some Win32 tools, you will be prompted with the following restriction message below.

This can be achieved via Group policy as well. I will be testing with iexplorer++ using group policy.

Via Group Policy Object: Launch the Group Policy editor and navigate to the following location as shown below.

In the Group Policy window navigate through the
– User Configuration
– Administrative Templates
– Click on System.

On the right pane,
– Double-click on “Run only specified Windows Applications”

This will open up the “Show Contents” dialog box.

Populate the content of the “Show Contents” as shown below.

Click on OK and
– Finally, apply the settings and click on OK.

To ensure the settings apply immediately, run “gpupdate” via the command prompt as shown below.

Note: When you click on notepad++, this will execute correctly, but when you click on other applications outside the permitted apps, you will

For how to block an app from running in Windows, see the following link https://techdirectarchive.com/2020/03/14/how-to-block-apps-from-running-in-windows/

How to block apps from running in Windows

In this guide, I will be demonstrating how to block certain apps from running on this computer. This can be achieved via the group policy and by tweaking the registry settings.

Block Apps: I will be demonstrating how this is done via the registry and group policy.

– Via the Registry Settings: Launch the Registry Editor using “regedit.exe” from the search box and accept the UAC prompt as shown below.

This will open the Registry Editor. Navigate through the registry hive to the following key as shown below.

– HKEY_CURRENT_USER
– SOFTWARE
– Microsoft
– Windows
– CurrentVersion
– Policies

Next, create a new sub-key inside the Policies key.
– Right-click the Policies key,
– Select New
– Select Key,

– Name the new key Explorer

Next, create a value inside the new Explorer key by right-clicking on the Explorer key and
– Select New
– Select DWORD (32-bit) value
– Name the new value DisallowRun

Next, double-click the new “DisallowRun” value (this will open its properties window).
– Change the value from 0 to 1 in the “Value data” box

– Finally, click “OK.”

Next, create a new sub-key in the Explorer key by doing the following.
– Right-click on the Explorer key
– Select New
– Select Key.
– Name the new key DisallowRun

In the next steps, we will start populating (adding) the apps we wish to block. Below are the steps to achieve this.

– Create a new string value inside the DisallowRun key (You will do this for every application you desire to block).
– Right-click on the DisallowRun key
– Select New
– Select String Value.

Name the new value 1 as shown below (the numbering has to start from one).

Now, double-click the new value to open its properties window
– Enter the name of the executable you want to block into the “Value data” as shown below. In my example, I will be blocking Internet Explorer from running.

When you hit “ok”, the string should look this way in the registry editor.

This process should be repeated, naming each string in sequence “2”, “3”, “4”, etc., and editing its properties to add the executable file you wish to block. I only had to block the explorer in my lab and this is enough to walk you through.

When you are done, ensure you restart your device to have the settings applied.
– Note: If you do not restart, the settings will not be applied. When you try to launch Internet Explorer after restarting, you will get the following message below.

This can be achieved via Group Policy as well. I will be testing with Notepad++ using Group Policy.

Via Group Policy Object: Launch the Group Policy editor as shown below.

In the Group Policy window navigate through the
– User Configuration
– Administrative Templates
– System.

Next, click on “Enabled”
– Click on show as shown below

In the Show Contents dialog box,
– Click on every line in the list and type the name of the executable you do not want users to run.
– Click on “OK.”

The settings will display enabled as shown below.

To ensure the settings apply immediately, run “gpupdate” via the command prompt as shown below.

For the difference between GPUpdate and GPUpdate /force, see https://techdirectarchive.com/2020/02/26/all-about-gpupdate-switches-gpupdate-vs-gpupdate-force/

Now when you try to launch Notepad++, the following restriction message will be prompted as shown below.

Note: the registry and Group Policy steps for blocking apps are also similar to those for permitting only specific apps to run in Windows.

See the following link on how to permit only specific apps to run https://techdirectarchive.com/2020/03/15/how-to-permit-run-only-certain-apps-in-windows/
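
The registry steps in the two guides above (RestrictRun to permit only listed apps, DisallowRun to block listed apps) differ only in the value name, so one script can cover both and report what is currently configured. This is an added example, not part of the original articles; the function names are hypothetical and the executables in the commented call are sample entries.

```powershell
# Added example, not from the original articles. Function names are hypothetical.
$ExplorerPolicy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-ExplorerRunPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('RestrictRun', 'DisallowRun')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Executable   # file names only, e.g. notepad++.exe
    )
    $listKey = Join-Path $ExplorerPolicy $Mode

    # Recreate the list sub-key so stale numbered entries do not survive.
    # -Force also creates the Explorer key if it does not exist yet.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null

    # One string value per executable, named "1", "2", "3", ...
    $n = 1
    foreach ($exe in $Executable) {
        New-ItemProperty -Path $listKey -Name "$n" -Value $exe -PropertyType String | Out-Null
        $n++
    }

    # Switch the policy on last: a DWORD named after the mode, set to 1.
    New-ItemProperty -Path $ExplorerPolicy -Name $Mode -Value 1 -PropertyType DWord -Force |
        Out-Null
}

function Get-ExplorerRunPolicy {
    foreach ($mode in 'RestrictRun', 'DisallowRun') {
        $flag = (Get-ItemProperty -Path $ExplorerPolicy -Name $mode `
                    -ErrorAction SilentlyContinue).$mode
        $listKey = Join-Path $ExplorerPolicy $mode
        $entries = @()
        if (Test-Path $listKey) {
            $key = Get-Item -Path $listKey
            $entries = @($key.GetValueNames() | Sort-Object { $_ -as [int] } |
                ForEach-Object { $key.GetValue($_) })
        }
        [pscustomobject]@{ Mode = $mode; Enabled = ($flag -eq 1); Executables = $entries }
    }
}

# Sample call (constructed). With RestrictRun, keep the tools needed to undo the
# policy (here regedit.exe) on the list:
# Set-ExplorerRunPolicy -Mode RestrictRun -Executable 'notepad++.exe', 'regedit.exe'
Get-ExplorerRunPolicy | Format-List
```

As with the manual steps, a restart is needed before the change applies.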

What to note when setting up Ansible to work with Kerberos

Kerberos is reliant on a properly-configured environment to work. To troubleshoot Kerberos issues, ensure that the hostname set for the Windows host is the FQDN and not an IP address.

– The forward and reverse DNS lookups are working properly in the domain. To test this, ping the Windows host by name and then use the IP address returned with nslookup. The same name should be returned when using nslookup on the IP address.

– The Ansible host’s clock is synchronized with the domain controller. Kerberos is time-sensitive, and a little clock drift can cause the ticket generation process to fail.

– Ensure that the fully qualified domain name for the domain is configured in the krb5.conf file. To check this, run:

kinit -C username@MY.DOMAIN.COM

Then run klist to view the list of all your active Kerberos tickets and their expiration dates.

klist

– If the domain name returned by klist is different from the one requested, an alias is being used. The krb5.conf file needs to be updated so that the fully qualified domain name is used and not an alias.

Ensure the Realms are written in CAPS because Kerberos is case sensitive, see the link below for more details.
https://techdirectarchive.com/2020/03/14/configuring-kerberos-for-ansible-authentication/

Application blocked, unable to run and apply settings – KB85494

user\tester has executed C: \lockdowntool.exe This process attempted to access HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\DISABLETASKMGR. Violated the "Disable Registry Editor and Task Manager" rule and was therefore blocked. KB85494 explains how to respond to this event.

Like I always say! There is never a one solution fit all when troubleshooting.
I had a look at the Event Viewer and I found out that a virus scanner (McAfee) was actually blocking this application from running and applying correctly.

Solution: Below are some recommendations to fix this issue.
– Exclude the file from the virus scanner in order to allow the application to execute correctly.
– Or, temporarily disable the anti-virus solution for a specific period of time. In this way, the application will be able to apply the desired settings correctly.

How to Activate Full-Screen (Kiosk Mode) in Internet Explorer

Full-screen mode becomes handy when you are viewing rich content (videos) without distraction or have an application run in a kiosk mode.

Via Internet Explorer settings: Here are the steps.
– Click on the Settings gear

– Click on file and
– Select Fullscreen

Via the keyboard shortcut: Use F11 🙂

Note: By default, Internet Explorer does not open in full-screen mode. The steps above do not ensure that it opens in full-screen mode the next time we run it. To ensure Internet Explorer opens in full-screen mode, without the unnecessary Internet Explorer menus, toolbars, title bar, etc., Kiosk Mode should be implemented. This can be implemented in the following ways.

The program location can be accessed as shown below.

– Click on the open file location,
– Right-click on Internet Explorer and select properties
– Add the “-k” or “k” switch as shown below.

In my case, I am using “-k” switch, i.e., Add -k to the end of that path (string), so it looks like this as shown below

"C:\Program Files\Internet Explorer\iexplore.exe" -k

Note: The next time you choose Internet Explorer from the Start menu, it will open to fill the entire screen. Pressing F11 won’t toggle Internet Explorer back to normal size; it still hogs the entire screen.

Here Windows shortcuts become handy, and you can close Internet Explorer by using Alt + F4. For other shortcuts, see below.

  1. Press the Windows key to see the Start menu and taskbar, where you can launch other programs.
  2. Hold down the Windows key and press Tab to see all your open windows, as well as your desktop, displayed as thumbnails. Keep pressing tab until you’ve highlighted the window you want, then let go of the Windows key.
  3. Press Alt+Space to bring up a menu letting you minimize or close the window.
  4. Hold down the Windows key and press D to minimize all your windows, letting the desktop come into view.

Via Group Policy: Use the Group Policy Object Editor to make Internet Explorer always start in full-screen mode
– Click Start, click Run, type gpedit.msc in the Open box, and then click OK.
– Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Internet Explorer.
– In the right pane, double-click the Enforce full-screen mode setting.

– Click Enabled, and then click OK.
– Exit the Group Policy Object Editor.

Via the registry: The full-screen mode can also be configured via the registry settings as shown below. Locate and then click the following subkey in Registry Editor via the following hives.
– HKEY_CURRENT_USER
– Software
– Microsoft
– Internet Explorer
– Main

Locate and then double-click FullScreen in the right pane.

  • If this is not available, you can create a new string value called “FULLScreen” or FullScreen
  • Type “yes” in the data field, and then click OK.

Note: Internet Explorer is no longer the default web browser in Windows 10.

Difference between an ADM and ADMX file

Here is a brief description of ADM and ADMX. First, let’s describe what an ADM and ADMX file is.

ADM File: The ADM file was used with Group Policy before Windows Server 2008 was released. The ADM file contains all the settings that are found under Administrative Templates. Each time a new Group Policy is created, the settings for the Group Policy are stored in the SysVol share. The ADM file is also stored with the Group Policy setting.

This means that Group Policy using the ADM does not scale well as it makes the SysVol share very large. Also once a Group Policy is created it is linked to the one ADM file. The ADM file only supports one language so if multiple administrators were working on the same Group Policy one language would need to be agreed between all administrators.

ADMX File: The ADMX file replaces the old ADM file. It was first introduced in Windows Server 2008; however, if you download the latest Group Policy Management software you can use the ADMX files on earlier Windows Servers. ADMX is an XML-based format, making it easy to edit. ADM is an in-house format, so it is not as easy to work with as XML files are. The format is made up of two parts.

The ADMX file defines the Group Policy settings. The ADML file contains the language to be used with the file. This means the ADMX file can easily be used with any language assuming an ADML file for the language exists. Both ADM and ADMX output the same files so regardless of which format is used, they will be compatible with old and new clients.

ADM vs ADMX: Here is a brief comparison between an ADM and ADMX file and how an ADM file can be migrated.

ADMX files use less space in the SysVol. You can choose to store the ADMX and ADML files in the SysVol. The difference between ADM and ADMX files is that if you choose to store the files in the SysVol, each ADMX file only needs to be stored once where the ADM files need to be stored for each Group Policy that is created.

- ADM files are text-based documents and can be created or modified via a text editor.
- ADMX files are XML-based documents and can be viewed like any XML document.

Does your system still use ADM? Not certain, but take a look at how to have them converted.

Note: ADM cannot be used in some Server Editions but can be converted to ADMX using ADMX migrator. This can be found in the Microsoft download center.

What is ADMX Migrator: ADMX Migrator is a snap-in for the Microsoft Management Console (MMC) that simplifies the process of converting your existing Group Policy ADM Templates to the new ADMX format and provides a graphical user interface for creating and editing Administrative templates. https://www.microsoft.com/en-us/download/details.aspx?id=15058

ADMX Migrator, which is created and supported by FullArmor, enables you to convert ADM files to the ADMX format and take advantage of the additional capabilities that it provides. The new XML-based format includes multilanguage support, an optional centralized datastore, and version control capabilities.