K2000 Kloser Look: Preventing Microsoft Account Sync in Windows 8.x

A new feature with Windows 8 allows the synchronization of applications and system configurations across different computers. This is convenient, as it allows a user to log in to a new set of hardware and not have to spend time reconfiguring various settings. However, usually when features increase usability and convenience, security is the first aspect to suffer. While syncing this sort of data across multiple systems is handy for consumers, it may not be a great idea for business machines due to the risk of sensitive data leakage. For instance, if the account associated with PC Sync was bound to both a corporate and personal computer, the personal computer would be a much easier target to attack and extract data from. Such data could also be synced to a cell phone or tablet, both of which are easily lost, stolen, or accessed by unauthorized persons. Luckily, the syncing behavior can easily be disabled in Windows 8 with the use of a Group Policy. (We’ll also take a look at doing it without GPO later on.)

  1. Using an account that has privileges to create new Group Policy Objects (GPOs), open the Group Policy Management Console on Windows 8 or Server 2012.
  2. Open the Group Policy Objects folder for the domain in which you would like to restrict the linking of Microsoft accounts.
  3. Create a new GPO and navigate to the following location in the GPO editor: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  4. Double-click Accounts: Block Microsoft accounts. In the Properties dialog window, check Define this policy setting. Click the dropdown menu and select Users can’t add or log in with Microsoft accounts and then click OK.
  5. After the GPO has been created, right-click the domain or an OU and select Link an Existing GPO here to choose and enforce the GPO that was just created.
  6. Run the gpupdate /force command from the command line to update Group Policy, or just simply wait for the Policy to propagate on its own. The end result is that users can no longer link Microsoft accounts to computers under the Group Policy and all PC Sync settings will be disabled.

What about doing it during image deployment? Yep, you can do that too. Let’s say you don’t have a Windows 2012 server, or Windows 8 machine. The easy way would be to build one, do the above steps, and import that policy to your domain, but there are obviously scenarios where you can’t do that. You may be thinking “Registry!”, but Microsoft says this is not a registry change in the GPO Reference… Well, if we want to do something during imaging, we’ll have to figure something out! Good news: it is actually a registry setting. While it may or may not be exactly what the GPO does, the REG_DWORD value NoConnectedUser located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System is the value we’ve seen for security policy “Accounts: Block Microsoft accounts”.
The 3 acceptable settings:

0 – This policy is disabled 
1 – Users can’t add Microsoft accounts
3 – Users can’t add or log on with Microsoft accounts

Armed with that knowledge, you could write a postinstall task to set the value from the command line, or apply the setting via your Sysprep/DISM toolset.
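
One way such a postinstall task could look, as an added example rather than anything shipped with the K2000 or published by Microsoft: it sets NoConnectedUser idempotently and then confirms both the data and the REG_DWORD type. The parameter name and messages are this example's own, and it assumes the registry value behaves as observed above.

```powershell
# Added example: enforce and verify the NoConnectedUser value described above.
# Intended to run elevated as a postinstall task. Names here are illustrative.
[CmdletBinding()]
param(
    # Only the three values listed in the article are accepted.
    [ValidateSet(0, 1, 3)]
    [int]$Desired = 3
)

$ErrorActionPreference = 'Stop'
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'NoConnectedUser'
$meaning = @{
    0 = 'This policy is disabled'
    1 = "Users can't add Microsoft accounts"
    3 = "Users can't add or log on with Microsoft accounts"
}

# Writing under HKLM needs an elevated session; fail early with a clear message.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this task from an elevated session.'
}

# Record the current state so the deployment log shows what changed.
$current = $null
if (Test-Path $key) {
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
} else {
    New-Item -Path $key -Force | Out-Null
}

if ($current -eq $Desired) {
    Write-Output "$name is already $Desired ($($meaning[$Desired])); no change made."
} else {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Desired -Force | Out-Null
    $old = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output "$name changed from $old to $Desired ($($meaning[$Desired]))."
}

# Verify the write: right data and right type, otherwise fail the task.
$item = Get-Item -Path $key
if ($item.GetValue($name) -ne $Desired -or $item.GetValueKind($name) -ne 'DWord') {
    throw "$name was not set to DWORD $Desired; check permissions and policy."
}
```

Because the script throws on a failed verification, the deployment task exits non-zero and the imaging log flags any machine where the setting did not stick.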