
Domain-Joined Windows 11 VM with Microsoft Edge Lockdown for Lab Use

Date: June 7, 2025
Category: Windows 11 / GPO / Domain Lab Hardening
Backlink: Bypassing TPM, Secure Boot, and Microsoft Account During Windows 11 VM Setup


Overview

This VM is domain-joined to library.local and intended to simulate a public-access or library-style machine for a generic user (libraryuser). Group Policy was used to lock down Microsoft Edge and restrict system-level access.


Environment

  • OS: Windows 11 VM

  • Domain: library.local

  • Domain Controller: Windows Server 2022

  • OU: LibraryLabUsers

  • User: libraryuser

  • GPO: Library User Restrictions

  • Template Type: Classic ADM (no ADMX available at the time)


GPO Settings Applied

Control Panel & Program Access

  • 🔒 Prohibit access to Control Panel and PC settings

  • 🔒 Remove Add or Remove Programs

Microsoft Edge Configuration

  • 🧹 Clear browsing data when Edge closes

  • 🧹 Clear cached images and files on close

  • 🚫 Disable saving browser history

  • ✅ Enable Do Not Track

  • ⚠️ Enable insecure download warnings

Edge Extensions & Downloads

  • 🚫 Block external extensions from being installed

Startup / Homepage Settings

  • ๐Ÿ  Configure homepage URL: https://docs.natenetworks.com

  • ๐Ÿ” Action on Edge startup: Open list of URLs

  • ๐Ÿงญ Sites to open:

    • https://docs.natenetworks.com

    • https://artash.io

  • ๐Ÿงญ Set new tab page as homepage

Start Menu and Taskbar Restrictions

  • โŒ Disable context menus in Start Menu

  • โŒ Remove Run from Start Menu

Ctrl+Alt+Del Restrictions

  • โŒ Remove Change Password

  • โŒ Remove Lock Computer

  • โŒ Remove Logoff

  • โŒ Remove Task Manager


Results

Logging in as libraryuser now:

  • Edge launches directly to the approved URLs

  • All Edge settings and customization options are blocked

  • Control Panel and system tweaks are locked down

  • User cannot access Run, Task Manager, or make profile/system changes


Next Steps

  1. Prevent Edge Settings Access

    • If not already enabled, locate:
      Prevent access to the settings page in Microsoft Edge
      → Set to Enabled

  2. Add AppLocker Rules

    • Restrict .exe launches outside of C:\Program Files and C:\Windows

  3. Enable SmartScreen & SafeSearch Policies

    • Protect against malicious or adult content

    • Optionally configure DNS-based content filtering (NextDNS/OpenDNS)

  4. Redirect Known Folders

    • Use Folder Redirection to isolate documents and desktop paths per user

  5. Add User Logoff Timer / Idle Policy

    • Use Task Scheduler or GPO to log off inactive users after X minutes