Group Policy

    Question

  • Hi

    I'm setting up Group Policy for our Windows 10 rollout.

    Is there a way not to lock yourself out when working GP?

    I also want to block metro apps and the Store in GP... if you could show where this is? Not evident on Windows 10.

    Thanks

    Tuesday, November 03, 2015 2:14 AM

All replies

  • Hi,

    Firstly, I would like to know the meaning of "lock yourself out when working GP". Do you mean the GPO works for every user except you?

    If it does, I recommend you use AppLocker in group policy to block apps which you want to block.

    http://www.verboon.info/2012/03/how-to-prevent-a-metro-app-from-running-using-applocker/

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope that can help you.

    Best Regards

    Simon

     


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, November 04, 2015 5:26 AM
  • Hi Simon,

    I installed the admx files on the server and have been editing policies there. When I create a package app, there is nothing populated in the Select Applications dialogue. If I run gpedit on the local PC which I'm using for testing, the Select Applications is populated.

    As mentioned, my policies are configured on the server, so do I need to reconfigure the policies on the workstation and copy the admx files to the server "Policy Definitions" dir? Will this override any other policies?

    thanks

    albert

    Tuesday, November 10, 2015 12:49 AM
  • Hi,

    Thank you for your reply.

    If you have finished editing the domain-based GPO via admx files, you can push it into the domain environment. You can read more information in the link below. The policy will be applied to the domain account if you use the account to log on to other workstations.

    https://technet.microsoft.com/en-us/library/cc748955(v=ws.10).aspx

    Wish you a nice day.

    Best Regards

    Simon 



    Tuesday, November 10, 2015 2:15 AM
  • Okay, get that, but how do I get the AppLocker stuff in there... I need to block/disable metro apps.

    cheers

    Albert

    Tuesday, November 10, 2015 3:43 AM
  • Hi,

    Thank you for your reply.

    If you just want to block metro apps for domain account users, why don't you use domain policy directly?

    Please follow the steps in the link below to know how to set domain policy.

    https://technet.microsoft.com/en-us/library/dd277396.aspx

    After you click "Edit", you will find AppLocker in the domain policy, which is under the same path as in local group policy.

    Then refer to the link in my first post to know how to set this policy.

    Wish you a nice day.

    Best Regards

    Simon   



    Tuesday, November 10, 2015 9:38 AM
  • Hi,

    We're a large school, staff can have metro apps, but want to block them for students.

    I'm configuring policies on Server 2012 R2... maybe I'm not seeing the same things you are? I can see AppLocker under Application Control Policies, but when I create a rule and select "Use an installed packaged app as a reference" the application list is empty because the apps are not installed on the server. Can I edit the GPO - AppLocker on the local machine and copy the admx files to the server? I assume this may overwrite what's there?

    Regards

    Albert



    • Edited by asabadin Wednesday, November 11, 2015 12:48 AM
    Tuesday, November 10, 2015 11:26 PM
  • Hi,

    Thank you for your reply.

    When you add the admx file, it will not overwrite the old policy object and will generate the new template in group policy.

    Wish you a nice day.

    Best Regards

    Simon



    Wednesday, November 11, 2015 1:17 AM
  • Hi,

    I'm using AppLocker to "deny" access to the metro apps, but whether it's one or some apps it basically disables the start button!

    Cheers

    Albert

    Thursday, November 12, 2015 12:30 AM
  • Hi,

    Thank you for your reply.

    Could you please tell me how you set the policy? Do you just set the local policy or add other things to the domain group policy?

    If you added an admx file, we suggest you remove it temporarily and then test if the Start button is still disabled.

    If it works after you remove it, we would like to know where the admx file is from.

    Please kindly tell us the result.

    Best Regards

    Simon 



    Thursday, November 12, 2015 9:40 AM
  • Not sure what you mean.

    Policy is in the domain, i.e. on the domain controller... I edit the policy in AD.

    What admx file do I remove? Not sure what you mean?

    I downloaded the msi and extracted it on the above server... in the Policy Definitions dir.

    Thanks

    Thursday, November 12, 2015 11:31 PM
  • Hi,

    Thank you for your reply.

    As I understand it, you used the admx file to edit the domain group policy. I think the blocked Start button may be related to the policy which you have edited. Therefore, I suggest you use the original policy, from before it was edited, to test whether the Start button is still blocked. If the Start button is not blocked in that test, maybe there is something wrong with the policy which you edited.

    If my understanding is right, please check the result as I mentioned above. If my understanding is not right, please do not hesitate to let me know how you set your group policy.

    Wish you a nice day.

    Best Regards

    Simon  



    Friday, November 13, 2015 6:19 AM
  • Note that you’ve asked this question about Group Policy for Windows 10 in the Windows 8.1 forums, rather than the Group Policy forum or the Windows 10 forums. I will move this thread to the Group Policy forum for you to receive better support for your issue.

    Brandon
    Windows Outreach Team- IT Pro
    Windows for IT Pros at TechNet

    Thursday, December 10, 2015 7:02 PM