GPO Settings for the cleanest Windows 7 Desktop

Let’s be honest, you’re probably not going to give up Windows 7 Professional until [maybe] Windows 10 comes out. I see desktops from all over the place and I have the same conclusion: an unclean desktop bugs me.

Here’s my list of GPO changes to add to your domain for a clean Windows desktop every time. If you don’t like GPO, then put these into your image and apply it to the default user profile.

  1. Use small icons (for the smaller height taskbar).
  2. Turn off “First Run” for Internet Explorer!
  3. Use Classic Logon.
  4. Do not remember the last username.
  5. Set up the Windows Firewall to allow ICMP Replies (If you are too paranoid to turn off the firewall completely)
  6. Always Open Control Panel to All Items
  7. Hide Network Locations icon on Desktop
  8. Prohibit Adjusting Desktop Toolbars
  9. Remove the Desktop Cleanup Wizard
  10. Disable ActiveDesktop
  11. Add Log Off to the Start Menu
  12. Do not display custom toolbars on taskbar
  13. Force Classic Start Menu
  14. Lock The Taskbar
  15. Prevent changes to task bar and start menu settings
  16. Prevent Grouping of Taskbar items – The stacking of multiple windows confuses users and they don’t seem to always be able to recognize the 32×32 icon. They need to see the title.
  17. Remove Balloon Tool Tips on start menu items
  18. Remove Documents icon from start menu
  19. Remove Favorites from Start Menu
  20. Remove Help from Start Menu
  21. Remove links and access to Windows Update
  22. Turn off notification area cleanup
  23. Turn off Personalized Menus
  24. Configure Outlook Express (Disable)
  25. Disable AutoComplete for Forms (Enabled)
  26. Disable changing home page settings
  27. Prevent Changing Proxy Settings
  28. Prevent managing the phishing bar -> Select phishing filter (Off)
  29. Turn off favorites bar (Disabled)
  30. Turn off managing smart screen for IE8
  31. Turn off the auto-complete feature for web addresses (Enabled)
  32. Turn On Suggested Sites (Disabled)
  33. Turn off the auto-complete feature for usernames and passwords on forms (Enabled)
  34. Do not allow Messenger to be run (Disabled)
  35. Do not automatically start Windows Messenger initially (Enabled)
  36. Remove all access to use all Windows Update features (Enabled)
  37. Do not display the ‘Install Updates and Shutdown’ option in Shutdown Menu

Secure Erase SSD

I ran into my first need to secure erase an SSD. On a traditional spinning disk hard drive, I used the ‘shred’ command in Linux and would write zeros to the drive and it would take a long time with multiple passes (paranoid?).

With SSDs, writing zeros is strongly discouraged for the sake of the SSD lifespan. I used the steps below on two Dell 6400 series laptops; they were adapted from the AskUbuntu forum.

Note: I could not find any instructions on how to do this with an SSD attached via a USB SATA dock. I had to plug the SSD directly into the motherboard via a SATA cable.

  1. Boot Ubuntu from a Live USB Flash Drive
  2. Open a Terminal
  3. Find your drive with: fdisk -l (in this example, my drive was on /dev/sda)
  4. Check your drive to see if it is frozen: hdparm -I /dev/sda
  5. If it is frozen, suspend the device with: systemctl suspend
  6. Wait a few seconds and then power the system back on.
  7. Check the frozen status again with: hdparm -I /dev/sda
  8. Once the drive is ‘not frozen’, I found I had to set up a password; in this case, I just set the password to 12345678:
    hdparm --user-master u --security-set-pass 12345678 /dev/sda (replace 12345678 with the chosen password)
  9. This should return some confirmation text including: security_password: "12345678"
  10. Check that security has been enabled: hdparm -I /dev/sda (look for the enabled or not enabled line)
  11. Issue the Secure Erase command: hdparm --user-master u --security-erase 12345678 /dev/sda
  12. Do a quick: fdisk -l /dev/sda to make sure no partitions are there.
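
The state checks in steps 4, 7 and 10 can be scripted. The following is an added example, not part of the original post: it parses the Security section of hdparm -I output and names the step that applies next. The sample output and the step labels are constructed for illustration.

```sh
#!/bin/sh
# Reads `hdparm -I` text on stdin and names the step of the procedure above
# that applies. It only parses text; it never erases anything.

# Print one "flag=yes|no" line for each of supported/enabled/locked/frozen.
security_flags() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented line ends the section
        insec {
            neg  = ($1 == "not")
            flag = neg ? $2 : $1
            # "supported: enhanced erase" and "expired:" carry a colon and are skipped
            if (flag ~ /^(supported|enabled|locked|frozen)$/)
                print flag "=" (neg ? "no" : "yes")
        }'
}

# Step names (unsupported, locked, ...) are labels made up for this example.
next_step() {
    flags=$(security_flags)
    has() { printf '%s\n' "$flags" | grep -qx "$1"; }
    if   ! has supported=yes; then echo unsupported     # no ATA security feature set
    elif has locked=yes;      then echo locked          # not covered by the steps above
    elif has frozen=yes;      then echo suspend-resume  # steps 5-7
    elif ! has enabled=yes;   then echo set-password    # step 8
    else                           echo erase           # step 11
    fi
}

# Constructed sample; $1 and $2 are "not" or "" in front of enabled / frozen.
sample() {
    cat <<EOF
Security:
    Master password revision code = 65534
        supported
    $1 enabled
    not locked
    $2 frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct
EOF
}

echo "fresh boot:   $(sample not ''  | next_step)"
echo "after resume: $(sample not not | next_step)"
echo "password set: $(sample ''  not | next_step)"
```

On the live system the input would come from hdparm -I /dev/sda piped into next_step.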