
Google MDM for Windows 10 Devices - a more in depth look.

In my previous blog post, I gave an overview of Google's new mobile device management for Windows 10 devices. A few weeks in, we now have a number of users on Windows computers managed this way. Below is a more detailed (video) look at deploying policies, followed by the policies we have used to date and how to configure them.


Policy Settings

It's important to note that, unlike ChromeOS devices, you don't put machines into OUs: a machine picks up policy based on the OU of the user account used to enrol it. So enrol with an account in the OU whose policies you want the device to receive.

OMA-URI policies we use (for each: name, OMA-URI, data type, value, and what it does):
AllowManualMDMUnenrollment
./Device/Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment
Integer
0
This prevents users from unenrolling a device.

AllowVPN
./Device/Vendor/MSFT/Policy/Config/Settings/AllowVPN
Integer
0
Prevents users editing the VPN settings.

PageVisibilityList
./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
string
hide:network-vpn
Hides the listed pages in the Settings app (here the VPN page). This only hides the UI; AllowVPN above is what actually blocks the setting.

AppLocker
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group1/EXE/Policy
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group2/MSI/Policy
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group3/Script/Policy
These restrict exe, msi and script execution to allowed locations: standard users can only run from the Program Files and Windows folders (and, for MSI, any digitally signed installer, whoever signed it), while local administrators can run anything. Because these are path rules, anywhere under %WINDIR% that a standard user can write to is also allowed, so tighten them with exceptions or publisher rules if that matters to you. The defaults for each setting that I use are below (you upload each as an XML file containing just the RuleCollection element):

EXE
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>

MSI
<RuleCollection Type="Msi" EnforcementMode="Enabled">
  <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="(Default Rule) All digitally signed Windows Installer files" Description="Allows members of the Everyone group to run digitally signed Windows Installer files." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\Installer\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*.*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>

Scripts
<RuleCollection Type="Script" EnforcementMode="Enabled">
  <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>
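To see what the path rules above actually permit before pushing them to pupils' machines, here is an added example (my own code, not from the post or from Google's tooling): a simplified evaluator for AppLocker FilePath rules. It parses a RuleCollection in the same shape as the EXE policy above and answers "can this user run this file?". It only models what these three collections use (Allow path rules scoped to a SID, AppLocker's path variables, '*' wildcards); publisher and hash rules, Deny rules and rule Exceptions are not modelled, and the folder mapping for %PROGRAMFILES% and friends is an assumption for a default x64 install.

```python
"""Simplified AppLocker path-rule evaluator (added example, not from the post).
Models only Allow FilePathRules scoped to a SID, AppLocker path variables and
'*' wildcards, so treat the verdict as an approximation of the real engine."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed copy of the EXE collection above, with the descriptions trimmed.
EXE_RULES = r"""<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>"""

EVERYONE = "S-1-1-0"            # every user's token carries this SID
ADMINISTRATORS = "S-1-5-32-544"

# AppLocker path variables and the folders they cover on a default x64 install
# (assumed mapping; %PROGRAMFILES% covers both Program Files folders).
PATH_VARIABLES = {
    "%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
    "%WINDIR%": [r"C:\Windows"],
    "%SYSTEM32%": [r"C:\Windows\System32"],
    "%OSDRIVE%": ["C:"],
}


def expand(pattern):
    """Turn a pattern such as %WINDIR%\\* into the concrete path patterns it covers."""
    upper = pattern.upper()
    for var, roots in PATH_VARIABLES.items():
        if upper.startswith(var):
            return [root + pattern[len(var):] for root in roots]
    return [pattern]


def load_rules(xml_text):
    """Return (enforcement_mode, [(sid, action, [patterns], name), ...])."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("FilePathRule"):
        patterns = []
        for cond in rule.find("Conditions").findall("FilePathCondition"):
            patterns.extend(expand(cond.get("Path")))
        rules.append((rule.get("UserOrGroupSid"), rule.get("Action"), patterns, rule.get("Name")))
    return root.get("EnforcementMode"), rules


def matches(file_path, patterns):
    # AppLocker matching is case-insensitive and its '*' spans path separators,
    # which fnmatch's '*' also does.
    return any(fnmatch.fnmatchcase(file_path.lower(), p.lower()) for p in patterns)


def is_allowed(xml_text, file_path, user_sids=()):
    """True if a user holding user_sids (plus Everyone) may run file_path."""
    mode, rules = load_rules(xml_text)
    if mode != "Enabled" or not rules:
        return True                 # AuditOnly/NotConfigured or an empty collection never blocks
    sids = set(user_sids) | {EVERYONE}
    allowed = False
    for sid, action, patterns, _name in rules:
        if sid in sids and matches(file_path, patterns):
            if action == "Deny":
                return False        # an explicit Deny always wins
            allowed = True
    return allowed                  # with rules present, no matching Allow means blocked


if __name__ == "__main__":
    checks = [
        (r"C:\Program Files\Google\Chrome\Application\chrome.exe", ()),
        (r"C:\Users\pupil\Downloads\game.exe", ()),
        (r"C:\Users\pupil\Downloads\game.exe", (ADMINISTRATORS,)),
        # Caveat: some folders under %WINDIR% (C:\Windows\Tasks among them) are
        # writable by standard users, and the default path rule still allows them.
        (r"C:\Windows\Tasks\dropper.exe", ()),
    ]
    for path, sids in checks:
        verdict = "ALLOW" if is_allowed(EXE_RULES, path, sids) else "BLOCK"
        print(f"{verdict}  {path}  sids={sids}")
```

Run it as-is and the last line is the one to notice: a standard user dropping an exe into C:\Windows\Tasks is allowed by the default Windows-folder rule, which is why the real policy is worth tightening with exceptions or publisher rules. On a real machine, Test-AppLockerPolicy in PowerShell gives the authoritative answer.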

DisableProxyChange
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableProxyChange
string
<enable/>
Prevents users changing the proxy settings.

SetupScriptUrl
./Vendor/MSFT/NetworkProxy/SetupScriptUrl
string
URL of your PAC script - e.g. the Securly SmartPAC URL in our case.

AutoDetect
./Vendor/MSFT/NetworkProxy/AutoDetect
integer
0
Turns off proxy auto-detection (WPAD) so the PAC script above is what gets used.

Deploy WiFi
Your WiFi profile name
./Device/Vendor/MSFT/WiFi/Profile/yourwifiname/WlanXML
xml file
The profile name in the URI (yourwifiname) should match the top-level <name> element in the XML; the SSID itself can differ. The <hex> element is the SSID's UTF-8 bytes as uppercase hex (so an SSID of RLT is 524C54). Note that <protected>false</protected> means the passphrase sits in the XML in clear, so keep the file somewhere safe. e.g.
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>RLT</name>
  <SSIDConfig>
    <SSID>
      <hex>your SSID as hex</hex>
      <name>yourssid</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>yourkey</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>
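Hand-editing the hex SSID is where these profiles usually go wrong, so here is an added example (my own code, not from the post) that generates the WLAN profile XML above from an SSID and passphrase. The SSID, passphrase and profile name in the demo are constructed placeholders; the passphrase length and character checks follow the WPA2-PSK rules (8 to 63 printable ASCII characters).

```python
"""Generate the WLANProfile XML the WiFi CSP expects (added example, not from
the post). <hex> is the SSID as uppercase hex of its UTF-8 bytes, the <name>
elements carry the SSID as text, and the top-level <name> is the profile name,
which the ProfileName segment of the OMA-URI should match."""
import binascii
from xml.sax.saxutils import escape


def ssid_to_hex(ssid):
    """'RLT' -> '524C54'. Non-ASCII SSIDs are UTF-8 encoded first."""
    return binascii.hexlify(ssid.encode("utf-8")).decode("ascii").upper()


def passphrase_ok(passphrase):
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def build_wlan_profile(ssid, passphrase, profile_name=None, hidden=False):
    """Return the profile XML. protected=false: the key travels in clear inside
    the policy, so treat the admin console entry and any export as a secret;
    Windows encrypts it once the profile is on the device."""
    if not passphrase_ok(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    profile_name = profile_name or ssid
    non_broadcast = "true" if hidden else "false"
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{escape(profile_name)}</name>
  <SSIDConfig>
    <SSID>
      <hex>{ssid_to_hex(ssid)}</hex>
      <name>{escape(ssid)}</name>
    </SSID>
    <nonBroadcast>{non_broadcast}</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>{escape(passphrase)}</keyMaterial>
      </sharedKey>
      <keyIndex>0</keyIndex>
    </security>
  </MSM>
</WLANProfile>
"""


def wifi_oma_uri(profile_name):
    """The node the XML above is uploaded against."""
    return f"./Device/Vendor/MSFT/WiFi/Profile/{profile_name}/WlanXML"


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own SSID and key.
    print(wifi_oma_uri("RLT"))
    print(build_wlan_profile("RLT", "correct-horse-battery", profile_name="RLT"))
```

escape() matters if the SSID or passphrase contains &, < or >, which is easy to miss when pasting the key in by hand; set hidden=True for a non-broadcast network.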

LockScreenImageUrl
./Vendor/MSFT/Personalization/LockScreenImageUrl
string
URL to a publicly reachable image (I put the image in a Google Doc, publish it to the web, open the published page, then right-click the image and copy its URL). It has to be public because the device fetches it without any credentials.
This sets the sign-in background and lock screen image.

DesktopImageUrl
./Vendor/MSFT/Personalization/DesktopImageUrl
string
URL as above
This sets the user's wallpaper. Note that the Personalization CSP only works on Windows 10 Enterprise and Education editions.

EncodedCertificate
./Device/Vendor/MSFT/RootCATrustedCertificates/Root/e1964c6d6f7666b133a5837e8d87f05f9b91359d/EncodedCertificate
Base64
Paste in the base64 body of your certificate file (the part between the BEGIN and END CERTIFICATE lines) as a single line - no line breaks!
The e1964c6d6f7666b133a5837e8d87f05f9b91359d in the URI is the certificate's thumbprint, the SHA-1 hash of the certificate (install it on a machine, open it and look under Details). This is the thumbprint of Securly's current SSL certificate. Anything deployed here becomes a trusted root on the device, so only push a root you genuinely need, and remember the thumbprint changes when the certificate is reissued, so the policy needs updating then.
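Rather than installing the certificate on a machine to read the thumbprint off, you can work both values out from the PEM file. This is an added example (my own code, not from the post): it extracts the DER bytes, computes the SHA-1 thumbprint Windows shows (lowercase, as in the URI above), and emits the single-line base64 the node takes. The PEM in the demo is a constructed stand-in whose body decodes to the bytes "abc", not a real certificate, which is why the DER sanity check flags it.

```python
"""Derive the RootCATrustedCertificates node name and value from a PEM file
(added example, not from the post). Node name = SHA-1 of the DER encoding,
value = the DER as base64 on one line."""
import base64
import hashlib
import re

PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in, NOT a real certificate: its body is base64 of b"abc".
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Strip the BEGIN/END lines and all whitespace, then base64-decode."""
    m = PEM_BODY.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def looks_like_der(der):
    """Cheap sanity check: a DER certificate starts with an ASN.1 SEQUENCE tag (0x30)."""
    return len(der) > 2 and der[0] == 0x30


def thumbprint(der):
    """Windows' certificate thumbprint is SHA-1 over the DER bytes."""
    return hashlib.sha1(der).hexdigest()


def encoded_certificate(der):
    """One-line base64 of the DER, which is what the EncodedCertificate node takes."""
    return base64.b64encode(der).decode("ascii")


def root_ca_oma_uri(der):
    return f"./Device/Vendor/MSFT/RootCATrustedCertificates/Root/{thumbprint(der)}/EncodedCertificate"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONSTRUCTED_PEM
    der = pem_to_der(pem)
    if not looks_like_der(der):
        print("warning: this does not look like a DER certificate (stand-in data?)")
    print("OMA-URI:", root_ca_oma_uri(der))
    print("Value:  ", encoded_certificate(der))
```

Run it with the path to your .cer/.crt file as the argument. If the file is already DER (binary, no BEGIN line) just read it as bytes and skip pem_to_der; the thumbprint and base64 steps are the same.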

Updates - we now also deploy the following policies:

EnableWebSignIn
./Device/Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
Integer
1
This makes the sign-in screen Google only (web sign-in). A local Group Policy setting also needs adding alongside it; we apply that programmatically with LGPO.exe (the LGPO.exe /m MDM.pol line in the deployment script below).

HideFastUserSwitching
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/HideFastUserSwitching
Integer
1
Hides the Switch User entry points, so other local accounts are not offered on the sign-in screen.

InteractiveLogon_DoNotDisplayLastSignedIn
./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn
Integer
1
Stops the last signed-in user's name being shown on the sign-in screen.

EnableFirstLogonAnimation
./Device/Vendor/MSFT/Policy/Config/WindowsLogon/EnableFirstLogonAnimation
Integer
0
Turns off the Windows 10 first sign-in "getting things ready" animation.

Deployment

When setting up a machine, we have a USB key with a deployment script that does the following:
  • Installs Chrome, the Google Credential Provider for Windows (GCPW) and the registry key that restricts sign-in to our domain accounts.
  • Deploys other software.
  • Activates Windows.
  • Removes Internet Explorer from the PC.
  • We then log off and enrol the device with Google.
The script we use (minus Windows keys!):

rem Chrome, Google Credential Provider for Windows and the registry key that restricts sign-in to our domains
msiexec.exe /i "GoogleChromeStandaloneEnterprise64.msi" /q /norestart
msiexec.exe /i "gcpwstandaloneenterprise64.msi"
regedit /s loginrestrictions.reg
rem Other software
AcroRdrDC1902120058_en_US.exe /sAll /rs /rps /msi /norestart /quiet EULA_ACCEPT=YES
GoogleDriveFSSetup.exe --silent --desktop_shortcut
audacity-win-2.3.3.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP
vlc-3.0.8-win32.exe /L=1033 /S
rem Default app associations, the local Group Policy that goes with EnableWebSignIn, and Office
dism /online /Import-DefaultAppAssociations:"apps.xml"
LGPO.exe /m MDM.pol
setup.exe /configure OOP2019.xml
rem Start menu layout
mkdir c:\start
copy start.xml c:\start
regedit /s startmenu.reg
rem UNCOMMENT THE PRINTERS YOU NEED AT THE SITE YOU ARE AT
rem NM printers
rem msiexec.exe /i "pc-print-deploy-client[10.105.146.7].msi" /quiet
rem Garsington printers
rem msiexec.exe /i "pc-print-deploy-client[10.107.50.3].msi" /quiet
rem Larkrise printers
rem msiexec.exe /i "pc-print-deploy-client[10.210.210.3].msi" /quiet
cd TT
rem msiexec.exe /i "Primary Target Tracker.msi" /quiet
rem Activate Windows - run slmgr.vbs through cscript so it doesn't stall the script with message boxes
cscript //nologo c:\Windows\system32\slmgr.vbs /ipk yourwindowskey
cscript //nologo c:\Windows\system32\slmgr.vbs /ato
rem Remove Internet Explorer without rebooting mid-script
DISM /online /disable-feature /featurename:Internet-Explorer-Optional-amd64 /NoRestart

Comments

  1. Would you, or can you, recommend anyone to help us set this up? We are not very keen on Windows policies or scripts but would like basic management for our Windows machines. Having the Windows machines log in seamlessly to Google is very tempting, as is managing them from the same place that we manage all the Chrome devices.

    Thanks.

    Replies
    1. If all you want is the Google login, just install the Google credential provider and the required registry key and that's it. https://support.google.com/a/answer/9250996?hl=en

      The policies are not too hard to deploy - and I've listed all of the ones I use here.

    2. Very good content. I've recently deployed and configured these features and would be happy to help if you are still interested. Ping me for that!

    3. Always happy to share ideas.

    4. Great blog post! Really useful in helping us move away from an AD environment!

      Would be really interested in seeing this configured/more restricted for students.

    5. Thanks. What extra restrictions are you looking for?

    6. Things like disabling the Microsoft Store and other apps, disabling the Action Center and preventing saving to/remapping the desktop and documents etc.
      Things we can do with GPOs; it would be really handy to be able to set reg keys, but I think that's an OMA-URI restriction/purpose??

    7. For apps - use an AppLocker policy - Google have a guide: https://support.google.com/a/answer/9925268?hl=en#zippy=%2Cblock-apps-that-are-bundled-in-the-windows-operating-system%2Coption-gui-windows-groups-policy-editor%2Cblock-specific-apps

      You can also lock down Control Panel and Settings as much as you want.

      Redirecting home folders to Drive is an interesting one - and not something I've tried to do. We are heavily G Suite - so 99% of stuff just happens in the browser and we educate users to use File Stream (now Google Drive) for everything else. If you did do it - then there is a reg setting to make Drive a consistent drive letter - then I'd guess it's possible.

    8. Perfect, thanks.

      We're becoming heavily G Suite based and encouraging users to use the browser and GDFS, but we still need the restrictions in place to prevent them saving things locally and then losing them... I did look down that path, but it tries to remap the locations before a user has logged into GDFS. They're also not forced to log in to GDFS, allowing them to bypass it. We'd also have to set this up with a script on machine setup, which is all good, until Google goes changing their product! GDFS being my case in point!

      I wish we could put Chromebooks/boxes in offices! Chromebook management is so easy...
  2. Hi Roger, thanks for all of this.

    I was able to get MSI files deployed but I am scratching my head with deploying exe files. Is there a good way to do this via custom settings in GCPW?

    Replies
    1. You need to build an MSI - use your favourite package builder.

    2. Can you recommend any package builders?

    3. We use https://emcosoftware.com/msi-package-builder
  3. This post has been extremely helpful, and I have successfully implemented most of the recommended strategies. Thank you and kudos for the guidance. However, I am encountering challenges with the approach for deploying applications in a remote work environment where user accounts are set to standard user privileges on Windows systems. Many of the applications that need to be deployed require administrative rights. Can anyone provide advice on whether it is feasible to manage administrative permissions for such scenarios through the Google Admin Console?

  4. End users should not be installing apps at all. Deploy them with a suitable policy; see here: https://apps.google.com/supportwidget/articlehome?hl=en&article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F10065085%3Fhl%3Den&assistant_id=generic-unu&product_context=10065085&product_name=UnuFlow&trigger_context=a

    We also set up remote access for ourselves and can remote onto end user devices and install one-offs if needed.
