Whenever a new Windows OS ships, there’s always the inevitable period of discovery, especially for us Group Policy geeks, where we learn about all the new settings that come in GP, and how or whether we can control new OS features using Group Policy. Such was the case over the weekend when my good friend and fellow MVP Sander Berkouwer tweeted a question to me about how he could lock out the use of so-called “Connected Accounts”. This is the feature in Windows 8 where you can associate your local or domain user account with your Microsoft account (e.g. Live ID) for the purposes of synchronizing your Windows settings across all of your Windows devices. It’s a nice feature, but not necessarily one that enterprises might find helpful, given the possibility that data considered private to the organization, such as passwords to websites and apps, could be synchronized externally.
Well, the question got me searching for a way to control this via Group Policy. Sure enough, after a bit of searching under Administrative Templates, I switched gears, figuring this was (or should be) clearly a security option. After a small amount of digging, I found the very setting I was looking for! The setting is under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft Accounts
This setting is, of course, per computer, which means it’s all or nothing for all users on a given machine.
It also provides two separate options as shown here:
Basically, you can either prevent users from adding any Microsoft connected accounts, or you can prevent them from adding accounts and, if they’ve already added some, from using them to log on. This should be a good solution for those of you who want to limit use of this new capability in Windows 8!
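
To confirm on a given machine which of the two options actually applied, you can read the registry value behind the security option. This is an added example, not part of the original post; it assumes the option is stored as the DWORD NoConnectedUser under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and the function name is made up for illustration.

```powershell
# Added example (not from the original post): report how the
# "Accounts: Block Microsoft accounts" security option is set on this computer.
# Assumption: the option is backed by the DWORD value NoConnectedUser under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'NoConnectedUser'

function Get-BlockMicrosoftAccountState {
    # A missing key or value means the policy has never been defined here.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$PolicyName } else { $null }

    $state = if ($null -eq $raw) { 'Not defined' } else {
        switch ($raw) {
            0       { 'Disabled: Microsoft accounts are allowed' }
            1       { "Users can't add Microsoft accounts" }
            3       { "Users can't add or log on with Microsoft accounts" }
            default { "Unexpected value $raw" }
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        RawValue = $raw
        State    = $state
        # Blocking is in effect only for the two restrictive options.
        Blocked  = ($raw -eq 1 -or $raw -eq 3)
    }
}

Get-BlockMicrosoftAccountState
```

Because the setting is per computer, one result covers every user on that machine.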