
Table 14-1: Top New Windows 8 Group Policies

| Policy name | Description |
| --- | --- |
| Allow all trusted apps to install | Manage the installation of app packages that do not originate from the Windows Store. When enabled, you can install any trusted app. |
| Do not display the lock screen | Controls whether the lock screen appears for users. If enabled, users will see their user tile after locking their PC. |
| Turn on PIN sign-in | Controls whether a domain user can sign in using a numeric PIN. If disabled or not configured, a domain user can’t set up and use a PIN. |
| Turn off picture password sign-in | Controls whether a domain user can sign in using a picture password. If disabled or not configured, a domain user can’t set up and use a picture password. |
| Turn off switching between recent apps | If enabled, users will not be allowed to switch between recent apps and the App Switching option in PC Settings will be disabled. |
| Windows To Go Default Startup Options | Controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options control panel item. |
| Turn off File History | Allows you to turn off File History. If enabled, File History cannot be activated to create regular, automatic backups. Otherwise, File History can be activated. |
| Turn off access to the Store | Specifies whether to use the Store service for finding an app or application to open a file with an unhandled file type or protocol association. |
| Turn off the Store application | Denies or allows access to the Windows Store app. If enabled, access to the Windows Store application is denied. |
| Turn off app notifications on the lock screen | Allows you to prevent app notifications from appearing on the lock screen. |
| Do not sync | This turns off and disables the “sync your settings” switch on the “sync your settings” page in PC Settings. If enabled, “sync your settings” will be turned off, and none of the “sync your setting” groups will be available. Note: Additional related policies let you control syncing of app settings, passwords, personalization, other Windows settings, browser settings, desktop personalization, and more. |
| Prevent users from uninstalling applications from Start | If enabled, users cannot uninstall apps from Start. |
| Allow Secure Boot for integrity validation | Configures whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC’s pre-boot environment only loads digitally signed firmware. |
| Configure Windows SmartScreen | Manages the behavior of Windows SmartScreen. |
| Start Windows Explorer with ribbon minimized | This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. |
| Set Cost | Configures the cost of Wireless LAN connections on the local machine. If enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of these connections. (There are related policies, Set 3G Cost and Set 4G Cost, for cellular data connections.) |
| Turn off tile notifications | If enabled, apps and system features will not be able to update their tiles and tile badges in the Start screen. |
| Turn off toast notifications | If enabled, apps will not be able to raise toast notifications. (This policy does not affect taskbar notification balloons.) |
| Turn off toast notifications on the lock screen | If enabled, apps will not be able to raise toast notifications on the lock screen. |

Disk Encryption

Windows 8 supports a number of disk encryption technologies, which prevent thieves from accessing sensitive data should your computer be physically stolen: if the thief removes your hard drive and attaches it to a different computer, any encrypted files cannot be read even if the thief figures out a way to access the hard drive’s filesystem. There are two major technologies at play here: the older Encrypting File System, or EFS, and BitLocker, a more modern and easily managed system.

EFS

When files are copied or moved out of an encrypted folder, the encryption is retained unless you move them to a location where encryption is not supported, such as to another machine on your home network.

EFS, while still available in Windows 8, has been somewhat deprecated. It was created as a way to encrypt individual files or, more commonly, a folder. With the latter approach, encryption works for new files as well as those that were present when the folder was encrypted. That is, as you add new files to the encrypted folder, those files are automatically encrypted.

To encrypt a folder with EFS, right-click it and choose Properties from the menu that appears. Then, in the Properties window that appears, click the Advanced button. In the Advanced Attributes window shown in Figure 14-4, select the option titled Encrypt contents to secure data.

Figure 14-4: Encrypting an individual file or folder is easy and generally quite fast.

When you click OK (or Apply), you’ll be asked to make the change to the folder only (which includes all of its contained files) or to the folder and any of its subfolders and their contents. Windows will encrypt the appropriate items and immediately suggest that you back up your encryption certificate and key, which is required for recovery should you try to access the folder contents later via a different PC or future reinstall of Windows. Microsoft recommends backing these items up to removable media. But we’d go a step further and make copies in multiple places, including cloud storage like SkyDrive.
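
The same procedure can be scripted. The following PowerShell is an added example, not taken from the book: it encrypts a folder and its subfolders, checks that nothing was skipped, and backs up the certificate and key. The paths in `$Folder` and `$BackupPfx` are placeholders, and the script assumes PowerShell 3.0 or later (as shipped with Windows 8) and an EFS private key that is marked exportable.

```powershell
# Added example: scripted equivalent of the Properties > Advanced steps.
# $Folder and $BackupPfx are placeholder paths chosen for illustration.
param(
    [string]$Folder    = "$env:USERPROFILE\Documents\Private",
    [string]$BackupPfx = "E:\efs-backup.pfx"   # removable media
)

# Encrypt the folder, its subfolders and every file they contain.
# /E = encrypt, /S = apply to the directory and everything beneath it.
& cipher.exe /E "/S:$Folder" | Out-Null

# Verify the result: any item without the Encrypted attribute was skipped
# (for example, a file that was open in another program at the time).
$encrypted = [System.IO.FileAttributes]::Encrypted
$missed = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band $encrypted) })
if ($missed.Count -gt 0) {
    Write-Warning "$($missed.Count) item(s) are still unencrypted:"
    $missed | ForEach-Object { Write-Warning "  $($_.FullName)" }
}

# Locate the user's EFS certificate by its Enhanced Key Usage
# (Encrypting File System, OID 1.3.6.1.4.1.311.10.3.4).
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $efsCert) { throw "No EFS certificate with a private key was found." }

# Export the certificate and private key to a password-protected .pfx file.
# Assumption: the key is exportable; otherwise this call fails.
$password = Read-Host -AsSecureString "Password for the backup file"
Export-PfxCertificate -Cert $efsCert -FilePath $BackupPfx -Password $password |
    Out-Null
"Backed up EFS certificate $($efsCert.Thumbprint) to $BackupPfx"
```

The .pfx file contains the private key, so every copy of it, including one placed in cloud storage, is only as well protected as the password chosen here.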