Restrict access to Safe Mode

  • Question

  • This problem seems so simple I was surprised I couldn’t find the answer anywhere.

    We have a customer who's spent a bunch of time locking down various items in Windows Vista with Group Policy.  The environment is a school, and kids being the smart kids that they are, reboot the computer and log in to the PC with Safe Mode with Networking and access otherwise restricted features.

    How can we prevent this?

    Some facts:
    -) The students are Standard-Users
    -) We don't want to break safe mode
    -) I'm not sure what "things" or features they are accessing.  It could be related to the preferences extensions - not the normal policies.  Are GPOs applied normally during Safe Mode with Networking?  What about the cached credentials version of this?

    The ideal answer would be to limit Safe Mode to Administrators only.  I haven’t found this to be an option anywhere.

    Saturday, October 17, 2009 12:58 AM


All replies

  • a) I don't think the Group Policy is not in effect during Safe Mode. Although some new policy cannot be applied, the previously applied policy is still in effect, because its settings are normally persistent in registry from its previous application.

    b) Yes, I can imagine some components (such as those preferences) that do not run in safe mode, which would mean they are not REapplied after the users changed them.

    But in fact, all the preferences affect matters that are considered part of user profiles, which is by its definition, left for users to be freely modified and adjusted according to their own preferences. Preferences are also called preferences, because they are not considered policies.

    My opinion is that the general best practice of letting the students log in with their own user accounts, not being members of local administrators, must be sufficient to keep them from doing any harm to local computers and would also let them work freely and freely adjust their own settings.

    If this problem was related to some other restriction software, which can be the case (monitoring, restrictions etc.) then the problem should be consulted with its own vendor which could make sure it is started even in safe mode.

    Saturday, October 17, 2009 10:25 AM
  • It is also a matter of policy. The students can always sign a statement that they will not boot safe mode before accessing the classroom. Violation could lead to some penalty (such as not being permitted to access the school for some time ;-) and being forced to stay on holiday ;-) ).


    Saturday, October 17, 2009 10:27 AM
  • Hello Mike,

    Maybe we can manipulate the F8 menu, where we can remove the Safe Mode option, or else follow Darrel Gorters (MSFT) suggestion:

    I don't think there is a way to change the Advanced Startup Menu to remove the Safe Mode options. However, there may be a way to change what loads in the Safe Mode with Networking option. Please can we try this on the test machine first; this should not be considered a supported option, and make these changes at your own risk. Make a Restore Point before making any changes. Had to put some disclaimers in because I don't know what this all may affect.

    This registry key and the subkeys control what loads when you boot into Safe Mode with Networking:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

    You should be able to go down this list of subkeys and disable the network services and Device classes.

    • Marked as answer by Mike Crowley Tuesday, October 20, 2009 4:42 AM
    Saturday, October 17, 2009 11:11 AM
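
A read-only way to see what the SafeBoot key discussed in the reply above actually loads, before anyone edits it (added example, not part of the original thread or of any poster's code). It lists the subkeys that exist under SafeBoot\Network but not under SafeBoot\Minimal, which is what "with Networking" adds, and writes a baseline file; the CSV file name is a hypothetical choice, and the script assumes PowerShell 2.0 or later.

```powershell
# Added example: read-only inventory of the SafeBoot registry key.
# It only reads HKLM and writes one CSV file; it changes no registry data.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Get-SafeBootEntry {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Minimal', 'Network')]
        [string]$Mode
    )
    $path = Join-Path -Path $SafeBootRoot -ChildPath $Mode
    Get-ChildItem -Path $path -ErrorAction Stop | ForEach-Object {
        # Each subkey is named after a service, driver, driver group or
        # device-class GUID; its default value describes the entry type.
        New-Object PSObject -Property @{
            Mode  = $Mode
            Name  = $_.PSChildName
            Entry = $_.GetValue('')
        }
    }
}

$minimal = @(Get-SafeBootEntry -Mode Minimal)
$network = @(Get-SafeBootEntry -Mode Network)

# Entries present only under Network are what "with Networking" adds
# on top of plain Safe Mode.
$minimalNames = $minimal | ForEach-Object { $_.Name }
$networkOnly  = $network | Where-Object { $minimalNames -notcontains $_.Name }

$networkOnly | Sort-Object Entry, Name | Format-Table Name, Entry -AutoSize

# Baseline for later comparison (hypothetical file name). A changed or
# missing entry on a later run shows that the key has been edited.
$network | Select-Object Mode, Name, Entry |
    Export-Csv -Path .\safeboot-network-baseline.csv -NoTypeInformation
```

Running it on a test machine before and after any change gives a record of exactly which entries were altered, which matters here because the reply itself describes the change as unsupported.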
  • Prevent standard users from rebooting PCs (via Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system Group Policy setting). Obviously this implies that your students do not have physical access to computers - but if this is NOT the case, then any security measures you are trying to implement are pretty much meaningless anyway...

    Saturday, October 17, 2009 2:12 PM
  • Hello Marcin,
    Your idea is good, but still, if the users do a hard restart (power off and power on), then??
    Sunday, October 18, 2009 6:43 AM
  • Syed - that's the reason I stated "Obviously this implies that your students do not have physical access to computers - but if this is NOT the case, then any security measures you are trying to implement are pretty much meaningless anyway..."

    best regards,
    Sunday, October 18, 2009 11:19 AM
  • Marcin, did you happen to see the links which I have provided and the post?? Please comment on it.
    Sunday, October 18, 2009 11:55 AM
  • Syed - it'd be up to Mike to evaluate which solution is most appropriate in his situation...

    Sunday, October 18, 2009 11:58 AM
  • Thanks to all who replied.  I'll discuss these options with my customer and report back any decisions!
    Tuesday, October 20, 2009 4:36 AM
  • Syed, thank you for those links.  The 2nd one does what I would call "break" safe mode, so I am trying to avoid doing that.  The NoSafeMode software looks like it's on track with what I'm after as it DOES allow access to safe mode but only after another password.

    Sadly however shareware like this will likely not scale to the environment I am working in.  I've marked this post as the answer because it seems to be the closest thing to it, however I wish there was a more scalable solution.

    Tuesday, October 20, 2009 4:42 AM
  • Thanks Mike, I will sure look forward to the issue if I can get more on it.

    Tuesday, October 20, 2009 7:02 AM
  • Local Policies seem to be enforced in Safe Mode, even though Group Policies are not.  So for our most vulnerable machines, we will set the Local Policy as necessary.  Perhaps even find a way to automate the setting of these policies... (yes, I realize this is what GPOs are generally for anyway)
    Monday, November 23, 2009 10:33 PM
  • We ended up doing this:

    even though it didn't satisfy my "don't break  it" requirement...

    Mike Crowley

    • Marked as answer by Mike Crowley Wednesday, November 17, 2010 2:58 PM
    Wednesday, November 17, 2010 2:58 PM