It was brought to our attention that users were circumventing some software restrictions and policies by using Safe Mode with Networking. To stop this happening we really needed to disable safe mode. There are various ways of achieving this, and software out there to help you, but I have a solution that we implemented that I feel is a good solution to the issue. A few possible solutions and their potential drawbacks are explained below.
Disable F8 - Bypassable through hard reset
Firstly, if you want to prevent F8 from being pressed at start up, or stop the F8 menu from appearing, that is definitely possible. On investigation it is possible to stop F8 being pressed, and that stops the safe mode menu being displayed; however, if a user forcibly turns off the computer without shutting down properly, the menu will automatically appear on the next boot, rendering the disabling of F8 useless. So I won't go into more detail on this method.
Use a Script - RJ45 pull may circumvent
It is also possible to use a script to do this. The code below is untested so use at your own risk:
Set WMIService = GetObject("winmgmts:\\.\root\cimv2")
Set Items = WMIService.ExecQuery("Select * from Win32_Environment")
safemode = False
For Each SubItems In Items
    ' SAFEBOOT_OPTION holds "Network" when booted into Safe Mode with Networking
    If SubItems.Name = "SAFEBOOT_OPTION" And SubItems.VariableValue = "Network" Then
        safemode = True
    End If
    ' Pick up the user name from the "lib" environment entry
    If SubItems.Name = "lib" Then
        username = SubItems.UserName
    End If
Next
If safemode = True Then
    MsgBox "We caught you " & username
    Set OpSysSet = WMIService.ExecQuery("select * from Win32_OperatingSystem where Primary=true")
    For Each OpSys In OpSysSet
        ' Log the user off, as described below (Win32Shutdown flag 0 = log off).
        ' Assumed call: the loop body is missing from the post.
        OpSys.Win32Shutdown(0)
    Next
End If
Essentially the script checks to see if the computer is logged on in safe mode and, if it is, logs the user off. However, this may be susceptible to the user pulling the RJ45 on logon to cancel the script... So again, although this is possible, I would not use this method.
Disable Keyboard and Mouse in Safe Mode - MY PREFERRED METHOD
Ok so this option will allow users to access the f8 menu, but when they get to safe mode the keyboard and mouse will not work. This requires some registry tweaks to get it working.
The registry tweaks are to delete the following registry keys :
' Delete mouse driver for safe mode
' Delete keyboard driver for safe mode
However, these keys are owned by the TrustedInstaller user, and therefore you will need to change the permissions on these keys using group policy before you can delete them.
So first you need to create a group policy that takes control of those registry settings, here is a screen shot of where you need to do this:
I generally make sure that systems and administrators have full control over those registry keys. Once you have set up all the permission changes on the registry, you can create a script that will go through and delete those keys on start up:
On Error Resume next
Set WSHShell = WScript.CreateObject("WScript.Shell")
' This Deletes the mouse driver in safe mode
' This Deletes the keyboard driver in safe mode
Set WSHShell = Nothing
So you need to save the above into a .vbs file and then attach it to your group policy on computer startup. After the computer has picked up the group policy, the permissions on the registry will have changed, and then on the next computer start up the registry keys will be deleted and the keyboard and mouse will be disabled in all safe modes.
If you wish to re-enable the safe mode on a computer you can re-add the registry keys (remember though on start up they will be deleted again). You can do this with the following text put into a .reg file. On double clicking the .reg file it will integrate the reg keys and enable the mouse and keyboard:
Windows Registry Editor Version 5.00
So in summary :
- Create GPO
- Add permissions to aforementioned keys in GPO
- Create key deletion script
- Attach to startup of GPO
- Apply to network.
Please make sure you thoroughly test before rolling out.
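One way to test the rollout on a pilot machine is to report which stage each key is in: permissions not yet applied, permissions applied but key still present, or key gone. This PowerShell script is an added example, not part of the original post. `Test-SafeModeKeyState` is a hypothetical helper name, and the key paths are passed in with `-KeyPaths` because the key list is missing from this page.

```powershell
# Added example (not from the original post). Run elevated in normal mode.
# -KeyPaths takes the two safe-mode driver keys the post deletes, in PowerShell
# provider form (HKLM:\...); they are a parameter because the post's key list
# is not reproduced on this page.
param(
    [Parameter(Mandatory)]
    [string[]]$KeyPaths
)

$FullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$SidType     = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs, used instead of names so the check works on localized Windows
$AdminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid   = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

# Hypothetical helper: reports which rollout stage one key is in
function Test-SafeModeKeyState {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Owner = $null
            Stage = 'Key absent: deleted by startup script (or path is wrong)' }
    }

    $acl = Get-Acl -LiteralPath $Path
    $granted = @{}
    foreach ($rule in $acl.Access) {
        # Only Allow entries that grant every bit of FullControl count
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.RegistryRights -band $FullControl) -ne $FullControl) { continue }
        try { $granted[$rule.IdentityReference.Translate($SidType).Value] = $true }
        catch { }   # skip entries that cannot be resolved to a SID
    }

    $stage = if ($granted[$AdminsSid] -and $granted[$SystemSid]) {
        'Key present, GPO permissions applied: awaiting next startup'
    } else {
        'Key present, GPO permissions NOT applied yet'
    }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Stage = $stage }
}

$KeyPaths | ForEach-Object { Test-SafeModeKeyState -Path $_ } | Format-List
```

Run it once after the GPO has applied and again after the following reboot; a key that stays in the "NOT applied" stage means the permission change never reached that machine, so the startup script cannot delete it.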
Thursday, March 27. 2014