Tuesday 31 March 2020

Hiding ONLY the Shutdown Button in Windows

Working from home has never been more popular (or enforced) than in the current times. In view of this, we have configured our workstations to allow our staff remote access through the Remote Desktop Protocol (RDP).

However, the habit of shutting down a workstation after a work day to conserve power seems to be a hard one to break. Computers were being remotely shutdown on a regular basis despite the additional warning that computers would need to be powered on manually on-site when attempting the action through a remote desktop connection. While computers could be powered on remotely with Wake-on-LAN (WOL), this quickly got old. A thought of solution was to disable the shutdown menu option on the Windows Start Menu.

A possible group policy setting was quickly found and tried
(Computer Configuration / Policies / Administrative Templates / Start Menu and Taskbar / Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands).
Unfortunately, this setting not only removed the Shut Down option, but all other power options as well.


A computer with Remote Desktop enabled will be able to respond to RDP requests while in sleep mode if its network adapter supports ARP and NS Offload. As all the network adapters in our office machines support this we want our staff to be able to put their workstations to sleep to conserve power, which still allows an incoming RDP connection to wake the computer; but not to shutdown the computer. More information on ARP and NS Offload features may be found on the Energy Star website here:
https://www.energystar.gov/products/low_carbon_it_campaign/business_case/24_7_remote_access


Further research lead us to the HideShutDown registry setting which simply hides the Shutdown menu option in the Start Menu
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown). To enable this setting, create a new DWORD with a value of 1.


EDIT: Some computers have a key in 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Start
which may prevent the default defined above from taking effect. An entry in group policy to delete the offending registry key was also defined to ensure the defaults take effect.

Once the group policies have been propagated to all concerned computers, the Shut Down menu option disappears from the Start Menu, while still allowing users to restart their computers or put them in sleep mode.


Users with permission to shutdown computers may still do so using the "shutdown /s /t 0" command, but then we assume they know what they're really doing.

No comments:

Post a Comment