Whenever a new Windows OS ships, there’s always the inevitable period of discovery–especially for us Group Policy geeks–where we learn about all the new settings that come in GP, and how or whether we can control new OS features using Group Policy. Such was the case over the weekend when my good friend and fellow MVP Sander Berkouwer tweeted a question to me about how he could lock out the use of so-called “Connected Accounts”. This is the feature in Windows 8 where you can associate your local or domain user account with your Microsoft account (e.g. Live ID) for the purpose of synchronizing your Windows settings across all of your Windows devices. It’s a nice feature, but not necessarily one that enterprises will find helpful, given the possibility that data the organization considers private, such as passwords to websites and apps, gets synchronized externally.
Well, the question got me searching for a way to control this via Group Policy. After a bit of fruitless searching under Administrative Templates, I switched gears, figuring this was (or should be) clearly a security option. After a small amount of digging, I found the very setting I was looking for! The setting is under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts
This setting is, of course, per computer, which means it’s all or nothing for all users on a given machine.
It also provides two separate options as shown here:
Basically, you can either prevent users from adding any Microsoft connected accounts, or you can prevent them from adding accounts and, if they’ve already added some, from using them to log on. This should be a good solution for those of you who want to limit use of this new capability in Windows 8!
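If you want to verify from a script that the setting actually landed on a machine, here is an added example (my own audit snippet, not part of the original post). It assumes the security option is backed by the `NoConnectedUser` DWORD under the Policies\System key that security policy writes, with 1 for the "can't add" option and 3 for the "can't add or log on" option.

```powershell
# Added example: audit the "Accounts: Block Microsoft accounts" security option.
# Assumption: the option is stored in the registry value below when policy applies.
# This script only reads the value; it never changes anything.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'NoConnectedUser'

# Assumed mapping of the DWORD to the two options shown in the policy UI
$StateNames = @{
    0 = 'Policy disabled (Microsoft accounts allowed)'
    1 = "Users can't add Microsoft accounts"
    3 = "Users can't add or log on with Microsoft accounts"
}

function Get-MicrosoftAccountBlockState {
    # Returns an object describing whether and how the option is enforced.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Value = $null; State = 'Not configured' }
    }
    $v = [int]$item.$ValueName
    $state = if ($StateNames.ContainsKey($v)) { $StateNames[$v] } else { "Unknown value $v" }
    [pscustomobject]@{ Configured = $true; Value = $v; State = $state }
}

function Test-MicrosoftAccountBlocked {
    param([ValidateSet('AddOnly', 'AddAndLogon')][string]$Required = 'AddAndLogon')
    # True only when the enforced level meets what the caller requires.
    $s = Get-MicrosoftAccountBlockState
    switch ($Required) {
        'AddOnly'     { return ($s.Configured -and ($s.Value -eq 1 -or $s.Value -eq 3)) }
        'AddAndLogon' { return ($s.Configured -and $s.Value -eq 3) }
    }
}

# The same setting as it appears in a security template export
# (secedit /export /cfg policy.inf) under [Registry Values]; 4 = REG_DWORD:
#   MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser=4,3

Get-MicrosoftAccountBlockState | Format-List
if (-not (Test-MicrosoftAccountBlocked -Required 'AddAndLogon')) {
    Write-Warning 'Microsoft account logon is not fully blocked on this machine.'
}
```

This reports only the configured state of the policy; it does not tell you whether any user on the box has already connected a Microsoft account.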
Enjoy!
Darren
Some options are not usable when no Microsoft account is specified, e.g. the built-in e-mail client.
I don’t know if this is something you want to use businesswise (it is possible to connect to exchange).
What is the best choice? Disable the Microsoft Account feature and use e.g. Microsoft Office Outlook?
Can you ask your users to create a Microsoft account for business purposes? Is it possible to create one for them?
I’m very curious which choices will be made in the corporate use of Windows 8… Time will tell, but what do you think Darren?
Randy-
I think the answer will vary per organization. The question many organizations will ask is, do I want my users accessing corporate data using an identity that resides outside the organization’s walls (e.g. a Live ID). For many regulated or financially sensitive companies, that answer will be no.
Darren
So I was looking for a solution to this exact problem and thought this would be the answer. Only problem is that it doesn’t work.
I set the setting shown and still have access to my SkyDrive and all other items tied to my Live account.
Matt- This setting doesn’t work if you’ve already established a Microsoft Account in Win8. This is only for preventing its use in the first place. If you are trying to stop MA-enabled apps, you might want to look at AppLocker–which now supports blocking execution of Windows 8-style apps.
Just to clear things up, you wrote “you can prevent them from adding accounts and, if they’ve already added some, from using them to logon.” That’s not entirely true.
If you already added your MS account to your domain account you will still be able to log in.
I know this is an old article – but, for some reason, I do not have this setting on my 2008 server. I just copied over the Windows8-Server2012ADMX-RTM into my SYSVOL. Do you know which ADMX file this is pulling from?
Danny-
This is not from an ADMX. This is a security options item, that you won’t find unless you’re on Windows 8/2012 box. It’s possible that you could jury-rig the sceregval.inf file on a 2008 box to include it, but it’s a process you would have to go through that is not altogether straightforward. It would be easier to put up a 2012 or Win8 box in your domain to define the policy there. After all, this policy does not apply to anything other than Win8 or 2012.
Darren
Hi Danny
I just copied all the policy files from C:\Windows\PolicyDefinitions (on a Windows 8 Enterprise x64 machine) to the SYSVOL of the 2008 R2 Domain Controllers and I’ve got these settings. So maybe you just try it the same way…
Is there also a way to just block the logon for Microsoft accounts? We want the users to be able to connect their Microsoft account with their domain account so they could use the Store, but block the possibility to use their Microsoft account completely “stand alone”?
Thanks in advance!
Not that I’m aware of, Stephan.
Darren