There are no settings out of the box designed for it. Many suggested registry keys and deploying them via GPO. I am not a fan of it unless I am out of options.

Looking through the options to configure extensions using the ExtensionSettings policy, one setting that pops out and caught my attention is called runtime_blocked_hosts, which basically prevents extensions from interacting with or modifying websites that you specify. It’s pretty much exactly what Trust Sites do.

Let’s give it a shot.

First of all, the policy Configure extension management settings is a Computer Configuration policy. So, you will need to set it up on a GPO that controls through a computer, not a user.

Computer Configuration > Administrative Templates > Microsoft Edge > Extensions.

The detailed setting is a JSON-based text string. Make sure to prepare the whole string in Notepad and paste it into the Group Policy Management editor. For me, the following JSON string adds BC government sites and the Purolator website to the Trusted Sites list and forces the extension shown on the toolbar.

{"odfafepnkmbhccpbejgmiehpchacaeak":{"runtime_blocked_hosts":["://.gov.bc.ca","://.purolator.com"],"toolbar_state":"force_shown"}}

And it works flawlessly.

First, download the policy template files here. There are two files for Microsoft Edge,

• msedge.admx for configuring Microsoft Edge settings. There are tons of settings that you can mess up with.
• msedgeupdate.admx for managing Microsoft Edge updates.

The msedge.admx is the one you are after. Copy it to the AD server’s PolicyDefinitions folder and those setting will show up in the Group Policy Editor.

Most Edge settings can be applied to both Computers and Users. If you want to deploy the extensions based on the user, configure that under User Configuration. Otherwise, do that under Computer Configuration.

Now let’s deploy the uBlock Origin extension via Group Policy.

Fire up the Group Policy Manager and open the policy responsible for a User’s OU. Navigate through the following location,

User Configuration > Administrative Templates > Microsoft Edge > Extensions

Double-click the setting called Control which extensions are installed silently.

Select Enable and click on the Show button. Then enter the extension ID into the box and click OK. The extension ID is the last portion of the URL of the official Edge extension page.

And that’s it. The extension will be automatically installed the next time users sign into their computers.

By default, Windows caches up to 10 credentials on local computer and these cached credentials never expire. They are stored in the registry under HKLM\Security\Cache key.

Note that you will need to give yourself Read permission

All credentials are hashed in the NL$x value format and cannot be viewed plainly and easily decrypted, fortunately. However, it could still potentially be risky because once the hackers get their hands on these data they can use a brute-force attack against these hashes to decrypt the password.

So, here are a few approaches to limit the cache credentials on Windows computers.

First of all, add all accounts in Domain Admin group to the Protected Users group so the credentials for these accounts won’t be cached locally. However, if you have some apps that integrates with AD you may find difficulty signing in using your own password.

Then, turn on BitLocker disk encryption if possible. Once encrypted, hackers won’t be able to do anything with it.

If BitLocker is not possible, disable cached credentials on all desktops and limit to only 1 for all laptops.

It’s easier to do so through GPO. Head over to the following location,

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

And set the Interactive Logon: Number of previous logons to cache to 1 for laptops and 0 for desktops.

Additionally, you can display a notification of using cached credentials by enabling the policy Report when logon server was not available during user logon under the following location:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options

Guess what? Out of the 6 policies I put in, only one of them gets pushed out. None of the other ones got applied.

The gpresult command line that checks the resulting set of policy settings enforced on the computer tells me all of them are pushed out from the Active Directory as they are supposed to. But why my Office 365 apps take none of them?

Turns out, something has changed since the release of Office 2013. All group policy settings pushed out from AD will be ignored on retail version of Office, including Microsoft 365 Business subscription. If you need a version that supports GPO, you need to get the volume license editions, or Microsoft 365 Business Premium, which is equivalent to Office 365 ProPlus. Essentially, you will need to pay more, a lot more, to get the functionality again.

I don’t find any official documents that state this requirement but I do tend to agree with this, as it’s exactly what happened in my case.

Workaround? Use Registry settings instead, not the ones under Policies key because those ones are already existed but are ignored, but the real ones under HKCU.

For example, if I need to Allow Trusted Locations on my network, I can open GPO editor on a specified GPO and go to

User Configuration > Preferences > Windows Settings > Registry 

Right-click on the empty area at the right pane, choose New > Registry Item.

Select Create as Action, HKEY_CURRENT_USER as the Hive, with the following Key Path:

SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Locations

Set a Value name as AllowNetworkLocation with a value data as 1 in REG_DWORD type.

You may also need to copy/paste to another item and change the action to Update to make sure the setting you put in is always intact.

It’s not as perfect as the ones pushed out via GPO but it works. If it gets changed during one session, it will get reset via next login.

It has worked beautifully until recently I started upgrading them gradually to Windows 10. The ones graduated from Windows 7 to Windows 10 don’t reboot themselves anymore after any security updates.

Turns out, there is another new policy that needs to be enabled to force a reboot immediately after Windows Update installs important updates. It also lets you set up a restart timer, ranging from 15 to 180 minutes, to give users the opportunity to save their work. When the timer runs out, the restart will proceed even if the PC has signed-in users.

The policy is named Always automatically restart at the scheduled time and located at the following Group Policy location:

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

Group Policies applied to my account and computer

There is a built-in tool called Resultant Set of Policy (rsop.msc) that scans all active policies and displays them all in a window similar to Group Policy Editor. You will need to go through the list to find out all the policies applied to your account and computer.

There is also a built-in command line called GPResult that you can also use to collect all the policies applied in place.

gpresult /scope user /v

This is to search and show all the active policies applied to the current user. To find all policies applied to the PC, run the following instead in an elevated Command Prompt window.

gpresult /scope computer /v

Group Policies applied to a remote computer and user

To get all the policies applied to a remote computer:

GPResult /s computer-name /scope computer /v

To get all the polices applied to a remote user on a remote computer

GPResult /s computer-name  /user username /scope user /v

GPOs applied to my account and computer

Same command as above but with a different switch.

GPResult /scope user /r
GPResult /scope computer /r
GPResult /s computer-name /user username /scope user /r
GPResult /s computer-name /scope computer /r

Policies set in a specific GPO

That’s where PowerShell shines.

Get-GPOReport -Name "GPO-Name" -ReportType HTML -Path "Path\report.html"

It generates a report in HTML format for the specified GPO and save it in the specified location.

Policies set in all GPOs in the domain

Get-GPOReport -All -ReportType HTML -Path "path\all-gpo.html"

A full list of GPOs in the domain

Simply use Get-GPO cmdlet.

Get-GPO -All

Your roaming user profile was not completely synchronized. See the event log for details or contact administrator.

By checking the event log, a few warning entries show that

Windows cannot copy file \\?\C:\Users\131\System Volume Information to location \\?\UNC\backup\mcq\profiles\tsProfiles\131.V2\System Volume Information. This error may be caused by network problems or insufficient security rights.

So why a user profile has a folder called System Volume Information that is only made for a storage volume? That’s because I am using User Profile Disk for the Remote Desktop sessions. Each session has its own disk mounted to store the user profile data. And because it’s basically a disk, it has a system hidden folder called System Volume Information only accessible by the operating system.

The only way to get around it is to exclude this folder from roaming profile. You can do that through Group Policy.

Open Group Policy Management Policy, go to

User Configuration > Administrative Templates > System > User Profiles

Double click Exclude directories in roaming profile setting.

Click Enable, and type in the folder names, separated by semi-colons.

Click OK when done and that will do the trick next time when you log in and log off.

For individual computers

It’s quite easy. Just open a PowerShell as Administrator window on the computer and run the following cmdlet and it will take care of the rest.

Enable-PSRemoting

For large network

Deploying the settings via Group Policy is definitely the way to go. If you are on Windows Server 2012 R2, open Group Policy Management and find the Grou Policy object you want to tweak and edit from there. Or create a new one if needed.

Once you are in there, there are three places that you need to go through:

1. Allow remote server management through WinRM

Go to Computer Configuration > Policies > Administrative Templates > Windows Remote Management (WinRM) > WinRM Service.

Double-click the setting “Allow remote server management through WinRM”

Select Enable and type in “*” in for both IPv4 filter and IPv6 filter.

Click OK to close the window.

* If you don’t see Windows Remote Management in your Group Policy Editor, there is probably the WinRM admin template missing in your Active Directory.

2. Enable WinRM service

Go to Computer Configuration > Policies > Preferences > Control Panel Settings.

And right-click Services and choose New > Service.

Choose Automatic (Delayed Start) as startup type, pick WinRM as the service name, set Start service as the action.

Click OK to save the change.

3. Set up the Firewall rule

Go to Computer Configuration > Policies > Security Settings > Windows Firewall with Advanced Security.

And right-click Inbound Rules and start a New Rule…

Select Predefined: option and choose Windows Remote Management from the list (not the one with compatible). Click Next.

Select the one for Domain and Private, and Allow the connection option at the next screen. And click Finish.

To reduce the exposure to this service we can remove the Private and only leave only Domain profile in place. Double-click the new rule we just created, go to Advanced tab and uncheck the Private option from the Profiles section.

Test it out

You can scan the port 5985 on the remote computer to see if it responses, like below:

Test-NetConnection -ComputerName remote_computer -Port Port#

Oh, simply open a PowerShell session on the remote computer and see if it succeeds.

Enter-PSSession -ComputerName remote_computer

There is a Group Policy setting that you can alter to bypass getting the updates through WSUS.

Open Group Policy Editor (local or in AD), go to Computer Configuration → Policies → Administrative Templates → System, and open a setting called Specify settings for optional component installation… on the right-side panel.

Then select Enabled, and check the option “Contact Windows Update directly to download repair content instead of WSUS”

Click OK and done. Run “gpupdate /force” to update the changes on the workstations to avoid the reboot.