Manage Microsoft PowerToys using Group Policy

Standard users can install Microsoft PowerToys without requiring administrative privileges, which may be undesirable in managed environments. However, certain tools from the PowerToys suite might be beneficial for specific users. Group Policy allows administrators to control which utilities are available.

Contents

  1. Installation options
  2. Tools suitable for end users
  3. Enable PowerToys selectively via GPO
  4. Summary

PowerToys is a continuously evolving collection of system utilities designed for power users, with several tools that have also proven valuable for IT professionals.

Installation options

Microsoft offers two installation options for PowerToys:

  • Per-user installation – Installs PowerToys within the user’s profile without requiring administrative privileges;
  • System-wide installation – Installs PowerToys for all users on a device and requires administrative permissions.


Each installation type has a dedicated setup program, enabling IT administrators to manage deployment according to their needs.

Microsoft offers a separate setup program for per-user installation

While the system-wide installation grants standard users access to all PowerToys tools, some applications still require administrative privileges to function. This applies, for example, to the Hosts File Editor and Environment Variables.

Tools suitable for end users

Many PowerToys tools are accessible to standard users, but some can still pose risks even without elevated permissions. For instance, PowerRename could disrupt a shared folder on a file server if a user mistakenly applies a faulty regular expression, leading to widespread unwanted file renaming.

PowerToys contains a comprehensive collection of utilities

While some PowerToys are designed for advanced users, many provide valuable functionality for less tech-savvy users without the risk of misconfiguration or the need for IT support.

For example:

  • Explorer extensions enable previewing of additional file types;
  • Bulk Image Resizing allows quick adjustments to multiple images at once;
  • Workspaces let users launch multiple programs in predefined positions with a single action.

These features enhance productivity while remaining user-friendly and low-risk.

Enable PowerToys selectively via GPO

Microsoft has provided an administrative template for managing PowerToys via Group Policy since version 0.64. Clients must run at least that version, because earlier versions ignore GPO-configured settings. Each new PowerToys release includes updated ADMX and ADML files for policy management.

To make these settings available in Group Policy, copy the ADMX file to %SystemRoot%\PolicyDefinitions and the ADML file to its en-US language subdirectory (for local policy management), or copy both to the corresponding locations in the Central Store (for domain-wide GPO deployment). Once added, the PowerToys settings appear in the Group Policy Editor under Computer Configuration and User Configuration => Administrative Templates => Microsoft PowerToys.
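
One way to script the copy step described above, as an added PowerShell example rather than code from the original article or from Microsoft. It assumes the templates were extracted to a folder containing PowerToys.admx and en-US\PowerToys.adml; the script name is hypothetical.

```powershell
# Added example (hypothetical script name: Install-PowerToysTemplates.ps1).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: folder with the extracted PowerToys.admx and en-US\PowerToys.adml
    [Parameter(Mandatory)] [string] $TemplateSource,
    # Target the domain Central Store instead of the local PolicyDefinitions folder
    [switch] $CentralStore
)
$ErrorActionPreference = 'Stop'

if ($CentralStore) {
    # USERDNSDOMAIN is only set for domain logons
    if (-not $env:USERDNSDOMAIN) { throw 'No domain logon; cannot locate the Central Store.' }
    $target = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions"
    # Creating a Central Store changes where every GPO editor in the domain
    # reads templates from, so refuse to create one implicitly.
    if (-not (Test-Path -LiteralPath $target)) { throw "Central Store not found: $target" }
} else {
    $target = Join-Path $env:SystemRoot 'PolicyDefinitions'
}

# The ADMX goes in the root, the ADML in the language subdirectory
foreach ($rel in 'PowerToys.admx', 'en-US\PowerToys.adml') {
    $src = Join-Path $TemplateSource $rel
    $dst = Join-Path $target $rel
    if (-not (Test-Path -LiteralPath $src -PathType Leaf)) { throw "Missing template file: $src" }

    $dstDir = Split-Path -Path $dst -Parent
    if (-not (Test-Path -LiteralPath $dstDir) -and
        $PSCmdlet.ShouldProcess($dstDir, 'Create directory')) {
        New-Item -ItemType Directory -Path $dstDir -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($dst, "Copy $rel")) {
        Copy-Item -LiteralPath $src -Destination $dst -Force
        # Verify the copy so a partially updated ADMX/ADML pair is noticed
        $ok = (Get-FileHash -LiteralPath $src).Hash -eq (Get-FileHash -LiteralPath $dst).Hash
        [pscustomobject]@{ File = $rel; Target = $dst; Verified = $ok }
    }
}
```

Run it from an elevated session, and pass -WhatIf first to see which files would be written.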

Administrators can disable PowerToys globally or manage individual utilities using Group Policy

The "Configure global utility enabled state" setting allows administrators to disable PowerToys altogether, preventing users from installing or using the suite. Additionally, IT admins can selectively disable individual utilities, enabling them to control which tools are available. This ensures that only approved features are accessible, minimizing potential risks while providing useful functionality.

Users cannot re-enable PowerToys utilities that have been disabled via GPO

Additionally, the GPO settings allow for further customization of specific tools. A key example is Mouse Without Borders, where administrators can disable file transfers and clipboard sharing, or restrict connections to devices within the same subnet for security reasons.

Under General Settings, admins can also disable diagnostic data sharing with Microsoft and prevent automatic updates, ensuring greater control over software versions in managed environments.

Summary

Microsoft PowerToys offers a versatile collection of utilities, catering to both power users and those with limited technical expertise. Organizations can mitigate potential misuse in managed environments and reduce helpdesk requests by restricting PowerToys either entirely or selectively through Group Policy (GPO).
