CosmicThing2

New Member
Joined
Dec 5, 2016
Hey there,

I'm an IT Technician at a secondary school currently setting up Windows 10 for our students. Currently they're all using 7 and we have a pre-configured image which we roll out to all our computers using pxe, this is set up with many pre-installed programs and settings. We're currently trying to configure the Windows 10 education edition to upgrade to it but are having lots of issues related to the start menu and particularly, the search bar. We've already used a powershell script to remove many of the apps which come with 10... why these were included in an education edition, I'm unsure.

Cortana is disabled, this can be easily done via group policy. The settings and control panel is also disabled and the window dies as soon as you try to open either of these assuming you're logged in as a student; we already have many groups set up via active directory. However, the students can still type in 'network' or 'net' into the search bar, as an example, and all the network settings will then appear. 80% of these are inaccessible because they rely on going via the settings menu... one or two of the settings aren't blocked though, 'View network computers and devices' for instance, always pops up. We really don't want students to be able to access this. Network settings aren't the only thing which shows up either, the users can also type in 'C:\' to shortcut their way into the C drive (which we definitely don't want) even though it's blocked in explorer.

So I'd like to ask, is there any way to either A. Completely disable to search bar altogether, either via registry or group policy or even deleting windows files to prevent it working correctly. Or B. Filter it such that it only results from a specific drive are displayed (We need the 'H' drive) or even displays nothing at all.

We have tried:
  • Disabling the indexing service --> This seems to sort it temporarily, but give it 5-10 minutes or log off/back on and it fixes itself even though the service is still disabled
  • Modifying the index service to limit it to filetypes --> You're able to filter to indexing service and initially we limited it to remove all winsettings files. Same result, it sorted the issue temporarily and then it fixed itself a few minutes later and was back to searching the control panel
  • Hiding the search bar/button on the taskbar --> This works but if you press start, you can type and search from here too
We've done a massive amount of research online but every website seems to be talking about how to fix the search bar. We want to break it or remove it altogether. Surely there must be a way to prevent it working. Otherwise we may have to resort to a classic shell or some other option.


Thank you,
 
Last edited:
Why not just lock down the network settings via Group Policy?
 
Why not just lock down the network settings via Group Policy?

Network settings and the whole settings menu/control panel are already locked down. If a student were to type in 'network' into the search, most of the things they click on are blocked and the window dies before you can view it. However some aren't, particularly 'Set up a network connection', 'View network computers and devices' and 'Identify and repair network connections'. What would be ideal is if it didn't show any of these network settings at all. Disabling the search altogether would work fine too.

Network settings is purely an example, you can also just type 'C:\' into search and this will allow the user though even though the C drive has been intentionally hidden in explorer.

There's tonnes of group policy network settings, many of which seem completely unrelated. We can't find any which would stop or filter the windows search though.
 
I use a free program called Ashampoo AntiSpy for Windows 10 which disables information sharing, location services to Microsoft, it also has an option to disable windows search bar.




Sent from my LGMS631 using Tapatalk
 
Right click the taskbar and look for search and enable "hidden" to hide the search box

Sent from my GT-P5210 using Tapatalk
 
Right click the taskbar and look for search and enable "hidden" to hide the search box

Sent from my GT-P5210 using Tapatalk

Doesn't stop students typing in the start menu. Click start and just start typing, it'll still let you search.
 
What about disabling search via Services?

Still didn't seem to break search, it fixes itself again after a reboot.

It's alright, I'm experimenting with Classic Shell now which seems so good compared to the lack of options windows gives you

Thank you
 
Another option to Remove Search Icon from taskbar is to use regedit. Open the registry editior and look for the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search and in the right side pane, look for a DWORD SearchboxTaskbarMode and change its value to 0 Restart, log off or restart Explorer to take effect.

Sent from my GT-P5210 using Tapatalk
 
Go to blogs.technet.microsoft.com/keithmayor/2012/08/03/building-public-kiosk-workstations-with-windows-7-and-windows8-itpro/ look under windows pc in a public domain

You might get some ideas from there

Sent from my GT-P5210 using Tapatalk
 
Last edited by a moderator:
the way you are going about it … kids will just find a way to circumvent the hurdles … it's what kids do. and then … you won't have just the principal down your back … the kids' parents will too. and, that would be getting off lightly. why not just allow certain apps to be accessed? microsoft's "applocker" can help:

Lock down Windows 10 to specific apps (Windows 10)
AppLocker (Windows 10)
 
Jack has a really good idea there. I've deployed similar app disabling programs in earlier versions of Windows before and it's a better way than what you are trying to do. In XP days, the tool was called STEADY STATE, and was free up until a couple of years ago. It's a great tool to use to lock down the Windows OS, but since you mentioned you are on a Domain Network (you said your students are accessing Active Directory), this becomes much more complicated.:headache: As the Domain PDC now has ownership of the GPOs that control apps and services launching. Changing it on each additional workstation could be daunting if you were in a large school district and your deployment would be district wide. I've taught in 5 public school districts, and my last district contained 56 schools and 54,036 students. That's roughly 15,000 computers and 54,036 domain logins to manage. Our IT department was quite small, about 3-4 techs. That's several months to get around to touching all those computers and fixing restrictions on domain login accounts, even in small groups say 1 group to each school.

Given all that, this applocker looks like a long-awaited new version of the old STEADY STATE tool. And since it's been developed for a Domain environment, you can have the server (PDC) manage the security of apps and services on individual student computers through their network domain login using scripting as mentioned in Powershell. If you guys are already saving student computer images on the network, you may already have setup push restores via Roaming Profiles on all computers; this is a daunting task, but it's worked well in the corporate environment. I've seen it used with much success in multiple companies where I worked or consulted.

You didn't post anything about the size of your district, so you could be the only IT tech for a district with 1 school with 1 classroom and 10 PCs. That's going to prove to be quite challenging. If your are in a larger or much larger district as I was in all the districts I worked for (one was a Community College with 100 campus sites and 20,000 PCs), you'll need to get expert help to use the applocker tool. If this is the case, I'd strongly you contact a Microsoft Platinum Partner, one with specific experience in deployment of the Educational W10 software you've paid to license and already own. If you outsource this kind of thing, that tool will work but you need to use a reputable company. There are only a couple in the country I could recommend to assist you. One is the TSS division of IBM Global Services. They have a special Education Division that's already classified as a MS Platinum Partner, an MSDN Education Developer, and specialize in k-12 network and OS deployments. I know since I used to work there many years ago. The other company is Perot Systems; they have a similar division in their Texas or St. Louis office (used to) that worked specifically with School Districts such as yours on this type of project. There are other companies out there; but most of them do sketchy work in my opinion.

The other issue you have is that since you are an Educational entity, you'll most likely need to license the applocker for use in your school district through Microsoft. That's going to be an expensive proposition as per-seat costs could be $20 or more for the use of the app. However, since you already are paying site or enterprise licensing fees to Microsoft for use of their W10 Educational clients (and possibly Win 2xxx server too), you can get that tool licensed and added on to your annual bill your district already is paying to MS for use of their software on your computer network and classrooms. Check with your IT Director or your district's CFO.

We did a lot of this work way back in the W95/W98 days before STEADY STATE, and custom desktop shells were just starting to be used. School Districts in the Western US were very slow to adopt this technology and use it, but public libraries and college libraries were forced into setting this up once they introduced public usage of computers on their networks. If you go to either of these in the town or city where you live, you can also ask what app or company they partnered with to get their lockdown software written or installed. Most public libraries learned years ago how to deal with unruly kids as well as adults--and many of their PCs are fairly bulletproof these days. Occasionally, I'll go in their and try to poke holes in them for fun.:hee:

This could be a very small project as I mentioned if your school district is in a 1-horse town so-to-speak (less than 15 computers in the entire district) or it could be very large. Some districts have over 100,000 students in them and that's going to require a team larger than your entire IT department in order to test it and then deploy it somehow. You can let us know exactly how large, but you get the idea.

Hope that provides some further insight into the problem.
Best of luck,:encouragement:
<<<BIGBEARJEDI>>>
 
Back
Top Bottom