Windows 10

Disable Windows Defender Summaries via Registry

Windows Defender does some great stuff, but in my opinion one of the more ‘noisy’ things it doesin Windows 10 is provide a frequent notification to say it’s working but hasn’t found anything.

Many users may find this notification unnecessary and breaking their work focus just to be told that their PC is fine. Especially in a business environment, they’d think that is someone else’s problem.

Windows Defender Security Center Settings

A user can turn these off themselves of course, in the Windows Defender Security Settings page under Virus & threat protection notifications. It’s possible to turn off all informational notifications, or untick certain types.

Although there is an inbuilt Group Policy to also turn off informational notifications, to me I’d still want users knowing a threat was found or something was blocked – those are useful to the user. However the recent activity and scan results is the one I’d suggest disabling, but there’s no Group Policy for that.

Luckily this is just a single registry key which I’ve found through using Procmon:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection\

REG_DWORD: SummaryNotificationDisabled

Value: 1 (decimal)

This setting can be rolled out through Group Policy (even as a run once and don’t reapply) if you’d like users to have control over turning the setting on.

“This page wants to run the following add-on…” won’t go away in Internet Explorer

In the last few weeks, I found that a lot of users were complaining about IE11 on Windows 10, and the prompt “This page wants to run the following add-on” with the add-on name, and the allow button:

This webpage wants to run the following add-on ‘Adobe Flash Player’ from Microsoft Windows Third Party Application Compon…

However, clicking the ‘Allow’ button, or using the drop down arrow to choose ‘Allow for all sites’ did nothing, and the prompt would show again and again.

I ended up working out this was due to the Add-On List GPO to list IE add-ons that was being used to manage the add-ons I wanted disabled or enabled https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy

The policy explicitly states “The ‘Deny all add-ons unless specifically allowed in the Add-on List’ policy setting will still determine whether add-ons not in this list are assumed to be denied.”

However, since a recent update (either Windows 10 1803, or a recent security patch  – unsure which!), anything not listed in the Add-On List was being blocked. 

Adding an update to the list and allowing it with the ‘1’ value fixes the issue for that particular add-in, but it shouldn’t be working this way.

I even tried disabling the Group Policy setting ‘Deny all add-ons unless specifically allowed in the Add-on List’ but that made no difference. That policy also states: ‘If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included in the ‘Add-on List’ policy setting.’

Something wacky’s going on – if I find out more I’ll update this post, but if you do use the ‘Add-On List’ GPO for Internet Explorer, be aware of this potential issue. You may need to list all your add-ins into the policy to avoid this.

I’ve also updated all my ADMX files for Win10 1803.

OneDrive for Business – Turn Off ‘Allow Editing’ By Default

Every organisation has their own requirements and standards. For mine, I see a risk when the default action of sharing a document via OneDrive for Business is the ability to ‘Allow editing’ of any document sent out. It’s worse because that option is hidden behind the main popup when sharing a file, and you don’t actually see that you’re giving ‘modify’ access rather than ‘read only’:

OneDrive for Business default sharing popup
OneDrive for Business ‘Allow editing’ on by default

There is a way to change this default behavior though, and it’s not in the OneDrive admin center.

Instead, you’ll need to head to the SharePoint admin center (since the backend of OneDrive is SharePoint Online, this makes some sense). From here, go into ‘sharing’ and there’s an option around ‘Default link permissions’. You can change this to ‘View’ rather than ‘Edit’:

SharePoint admin center

The change was immediate from my testing, as soon as I went to share another file via OneDrive for Business, the ‘Allow editing’ option was unticked. This is only changing the default too, someone can still decide they want to allow editing and tick the box.

It’s worth considering what you should have as your default. The new versioning in OneDrive/SharePoint Online is really good, and will let a user easily roll back to a previous version of a document if something accidentally gets changed – but will your users be aware if something does change? It’s possible to set up an alert, but it’s a bit tedious: http://itgroove.net/brainlitter/2016/05/16/creating-alerts-documents-new-onedrive-business/

Hope this helps anyone considering rolling out OneDrive, or wants to start allowing external sharing.

Clipboard History Is Coming In Windows 10

I play with and use Windows 10 Insider builds but don’t often blog about them – there’s plenty of other people that do that already. However, I saw this notification come up which seemed very useful; Clipboard History!

 

Something I’ve been wanting for many years. I currently use Ditto which I recommended in another writeup of free sysadmin tools for TechTarget. However, if a native solution does enough for me I’d rather use that – I’m on that many different systems and devices, having non-native apps is a pain that I’m not going to bother with.

I might be a bit late to the party – on May 9th 2018, Build 17666 was announced with this feature. I’ve had a quick play and like it… so how does it work?

First, go into Settings > System > Clipboard. You’ll need to toggle the ‘Save multiple items’ to ‘On’. This is probably good being off by default, I can imagine complaints about Microsoft tracking what people do or someone finding something in the history that another person did.

Once that option is on, you can use Windows Key + V to bring up the clipboard history window:

It will be blank at the start, unless you’ve used the clipboard since enabling the feature. Text and images are both supported which is great! Selecting the history item will immediately paste it as well as put it onto your clipboard. It’s basic but does the job

On top of this, there’s also a ‘Sync across devices’ option for the clipboard history. You can enable that in the same settings area, and your clipboard will be available from all devices that support it. Right now that seems to only be Windows 10 on this insider build or newer, but I’d expect it to go further to mobile devices when released properly. This is a great way to send a small bit of information such as a long URL from one device to another.

However, if you use a password manager where you copy and paste usernames and passwords from, they’ll get added to this history also. If someone were able to gain access to this history, it could be a quick gateway to accessing a lot of your other stuff – so use multi-factor authentication wherever you can.

Still, it’s a great feature albeit simple – it’s nice to see Windows 10 getting loaded with different mini-utilities that add to it’s usefulness, while leveraging a centralised Microsoft account to keep and sync information.

 

OneDrive for Business Auto Sign In – Windows 10

If you’re looking at starting to use OneDrive for Business and you’re working with a PCs joined to a local domain, you can now have a seamless sign in experience for end users (Note that the Group Policy setting for this is in preview according to the documentation).

OneDrive for Business from the client’s perspective has been dropped. It’s just OneDrive now, even though the backend is OneDrive for Business as part of an Office 365 subscription.

You’ll need Windows 10 1709+ for this, as that’s the first version of Windows 10 that has OneDrive baked in. There’s no deployment of the app required then, so you won’t need to use or modify OneDrive for Business. The newer client has much less syncing issues too – if you’re not sure what one you’re using, check what executable is running. OneDrive.exe is the new client, where Groove.exe is the older.

Since OneDrive is part of Windows 10 now, if you aren’t ready for this or don’t want it yet, you’ll need to use the Group Policy setting ‘Prevent the usage of OneDrive for file storage’ which is found in Computer Settings > Policies > Administrative Tempates > Windows Components > OneDrive (note that this is different to the location of where the above new policies sit for OneDrive, which is one level down straight under Administrative Templates).

If you’re migrating from an existing install, then you’ll need to follow this process. Otherwise if you’re starting fresh, there’s a great guide here to go through.

 

The short version of these steps is:

  1. Windows 10 1709 already has OneDrive, so no deployment required.
  2. Get the ADML and ADMX Group Policy files and deploy them in your environment. Make sure they’re the latest ones too, which you should be able to get from any Windows 10 1709 PC in the path %localappdata%\Microsoft\OneDrive\BuildNumber\adm\
  3. Configure your Group Policies to the settings you want, but the one you’ll need for auto sign in is “Silently configure OneDrive using Windows 10 or domain credentials“. This setting should set the regsitry key [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive] “SilentAccountConfig”=dword:00000001. With this setting, there’s an extra registry settings to configure:[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive] “EnableADAL”=dword:00000001 – This setting enables Modern Authentication for OneDrive.

That’s it!

After this is configured and you log on, the OneDrive client will automatically sign in as the logged on user – assuming you’re properly set up on the Azure AD and Office 365 side of things. There’s no prompt, no notification and users can start using it straight away at their convenience.

Note that if you disabled OneDrive from running at first user login (usually via the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with something like “C:\Windows\SysWOW64\OneDriveSetup.exe /silent”, you’ll need to retrigger the install. That /silent switch will make OneDrive install and sign in automatically with the above settings.

If you’re planning on moving user’s home drives to OneDrive, you’ll need to manually move the files or run a script like this to migrate the data – or find a paid solution.