Initial Workstation configuration with MS Windows 10 20H2 (part 4) - Group policy settings, Misc settings (Command line and Registry)

In this final part of the series, we will focus on more hard-to-reach settings that need group policy, command line, and registry tinkering.

Previously during the first part, we have tackled the first steps of our Windows 10 20H2 installation. In the second part, we configured the settings needed for our system in the “Modern” Settings application. In the third part, we made adjustments to other settings as well as application-specific selections and settings.

Disclaimer: These settings are only applied to my set up, and turn off systems and services that might be useful to you. Do not follow this guide blindly - use your discretion and actual use case and decide if you need a particular setting or not.

So here’s the final part of the series:

Group Policy Settings

WinKey+R: gpedit.msc

Disable Telemetry (only works in Enterprise editions)

Computer Configuration -> Administrative Templates -> Windows Components -> Data Collection and Preview Builds:

• Allow Telemetry: Set to Enabled and 0 - Security [Enterprise Only]

Disable Automatic Updates

Computer Configuration > Administrative Templates > Windows Components > Windows Update

• Configure Automatic Updates: Set to Enabled and 2 - Notify for download and auto-install and select Install updates for other Microsoft products

Or you can set it to Disabled so that you have to manually run Windows Update when you want.

Configure removal of items from Quarantine folder

Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Quarantine

• Configure removal of items from Quarantine folder: Set to Disabled

Completely Disable Skydrive/Onedrive Integration

Computer Configuration > Administrative Templates > Windows Components > Onedrive

• Prevent OneDrive files from syncing over metered connections: Set to Enabled
• Prevent the usage of OneDrive for file storage: Set to Enabled
• Prevent the usage of OneDrive for file storage on Windows 8.1: Set to Enabled
• Save documents to OneDrive by default: Set to Disabled

Disable background synchronization for feeds and Web Slices

Computer Configuration > Administrative Templates > Windows Components > RSS Feeds

• Turn off background synchronization for feeds and Web Slices: Set to Enabled

Disable Windows Spotlight

Computer Configuration > Administrative Templates > Windows Components > Cloud Content

• Do not show Windows tips: Set to Enabled
• Turn off Microsoft consumer experience: Set to Enabled User Configuration > Administrative Templates > Windows Components > Cloud Content
• Turn off all Windows spotlight features: Set to Enabled

Disable “New Apps Can Open File Types” Notification

Computer Configuration > Administrative Templates > Windows Components > File Explorer

• Do not show the 'new application installed' notification: Set to Enabled

Disable thumbs.db creation in folders

User Configuration -> Administrative Templates -> Windows Components -> File Explorer

• Turn off the caching of thumbnails in hidden thumbs.db files: Set to Enabled

Disable Online Assistance

Computer Configuration > Administrative Templates > Windows Components > Online Assistance

• Turn off Active Help -> Set to Enabled

Disable Search locations

Computer Configuration > Administrative Templates > Windows Components > Search

• Allow Cortana > Set to Disabled
• Allow indexing of encrypted files > Set to Disabled
• Allow search and Cortana to use location > Set to Disabled
• Do not allow web search > Set to Enabled
• Don't search the web or display web results in Search > Set to Enabled
• Don't search the web or display web results in Search over a metered connection > Set to Enabled
• Set what information is shared in Search > Set to Enabled and Anonymous info

Disable Sync your settings

Computer Configuration > Administrative Templates > Windows Components > Sync Your Settings

• Do not sync: to Enabled
• Do not sync app settings: to Enabled
• Do not sync Apps: to Enabled
• Do not sync browser settings: to Enabled
• Do not sync desktop personalization: to Enabled
• Do not sync on metered connections: to Enabled
• Do not sync other Windows settings: to Enabled
• Do not sync passwords: to Enabled
• Do not sync personalize: to Enabled
• Do not sync start settings: to Enabled

Disable “Meet Now”

User Configuration > Administrative Templates > Start Menu and Taskbar

• Remove the Meet Now icon: to Enabled

Disable Windows Error Reporting

Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting

• Configure Error Reporting: Set to Enabled with:
  • Do not display links to any Microsoft provided 'more information' web sites
  • Do not collect additional files and
  • Do not collect additional machine data options
• Disable Windows Error Reporting: Set to Enabled
• Do not send additional data: Set to Enabled

Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

• Turn off handwriting personalization data sharing - Set to Enabled
• Turn off handwriting recognition error reporting - Set to Enabled
• Turn off Help & Support Center “Did you know?” content - Set to Enabled
• Turn off Help & Support Center Microsoft Knowledge Base search - Set to Enabled
• Turn off Internet download for Web publishing and online ordering wizards - Set to Enabled
• Turn off Printing over HTTP - Set to Enabled
• Turn off the “Order Prints” picture task - Set to Enabled
• Turn off the “Publish to Web” task for files and folders - Set to Enabled
• Turn off the Windows Messenger Customer Experience Improvement Program - Set to Enabled
• Turn off Windows Customer Experience Improvement Program - Set to Enabled
• Turn off Windows Error Reporting - Set to Enabled

Disable Internet explorer settings

Computer Configuration > Administrative Templates > Windows Components > Internet Explorer

• Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar - Set to Disabled
• Prevent managing SmartScreen Filter - Set to Enabled and Off
• Turn off browser geolocation - Set to Enabled

User Configuration > Administrative Templates > Windows Components > Internet Explorer

• Specify default behavior for a new tab - Set to Enabled and about:blank

Disable Microsoft Edge settings

Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge

• Allow web content on New Tab page - Set to Disabled
• Configure additional search engines: Set to Enabled with <https://www.google.com/searchdomaincheck?format=opensearch>
• Configure Autofill - Set to Disabled
• Configure Do Not Track - Set to Enabled
• Configure Password Manager - Set to Disabled
• Configure Start pages - Set to Enabled and <about:inprivate>
• Configure search suggestions in Address bar - Set to Disabled
• Configure Windows Defender Smartscreen - Set to Disabled
• Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start - Set to Enabled
• Prevent the First Run webpage from opening on Microsoft Edge - Set to Enabled
• Set default search engine: Set to Enable with <https://www.google.com/searchdomaincheck?format=opensearch>

Disable Microsoft MAPS Microsoft Antimalware Protection Service

Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS

• Join Microsoft MAPS - Set to Disabled
• Send file samples when further analysis is required - Set to Enabled and Never Send

Disable Offline maps

Computer Configuration > Administrative Templates > Windows Components > Maps

• Turn off Automatic Download and Update of Map Data - Set to Enabled

Disable Teredo

Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies

• Set Teredo State - Set to Disabled

Disable Live Tiles

User Configuration > Administrative Templates > Start Menu and Taskbar > Notifications

• Turn off tile notifications - set to enabled

Disable Device metadata retrieval

Computer Configuration > Administrative Templates > System > Device Installation

• Prevent device metadata retrieval from the Internet: Set to Enabled

Miscellaneous Settings

Disable 8.3 File Creation

• In an elevated command prompt: fsutil.exe behavior set disable8dot3 1

Disable Hibernation

Winkey+R: cmd -> type powercfg.exe -h off

Disable System Protection

Go to System -> Advanced System Properties -> System Protection

Configure Send To right-click menu

Configure SendTo right-click menu by pressing Win+R (open a “Run” prompt) and typing shell:sendto). Then delete or add any shortcuts you need.

How to paste file shortcuts in Start menu

• Create a shortcut of the file
• Put that shortcut in C:\ProgramData\Microsoft\Windows\Start Menu\
• Find it in “All Apps” menu
• Right-click and “Pin to Start”

How to Pin to Start but Start As Administrator

• Enable “Run as administrator” in the source shortcut before “Pin to Start”
• Check “Run as administrator” in “Compatibility/Change Settings for all users” too

How to add “Open command window here” in shift right-click menu

Copy the following lines to Notepad, and save it with a .REG extension, say cmdhere.reg. Double-click the file to apply the registry settings.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell\cmdprompt]
@="@shell32.dll,-8506"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\cmdprompt\command]
@="cmd.exe /s /k pushd \"%V\""

[HKEY_CLASSES_ROOT\Directory\Background\shell\cmdprompt]
@="@shell32.dll,-8506"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\Background\shell\cmdprompt\command]
@="cmd.exe /s /k pushd \"%V\""

[HKEY_CLASSES_ROOT\Drive\shell\cmdprompt]
@="@shell32.dll,-8506"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Drive\shell\cmdprompt\command]
@="cmd.exe /s /k pushd \"%V\""

How to remove “Folder” from “This PC”

run regedit.exe

Delete the below keys:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}

This concludes the Windows 10 20H2 initial configuration guide. Hope you found something interesting to implement in your systems! Thank you for reading.

Thank you for reading! Be sure to share this post if you found it helpful and don’t hesitate to chat with me about it!

This post was first published on Stathis’ log book by Stathis Athanasiadis aka StatAth