How to control desktop gadgets in the enterprise

Learn about the pros and cons of Microsoft's desktop gadgets in the enterprise, and about the group policy settings that can help you manage them.

Desktop gadgets are a hot-button issue for many Windows administrators: Some find that gadgets improve the end-user experience, while others have completely banned the use of desktop gadgets in their organizations.

A quick Internet search for "desktop gadgets" reveals countless items that have no place in the enterprise, such as the gadget that lets you use a touch-screen monitor as a piano. In addition, some applications contain malicious code. However, desktop gadgets such as a calculator may help user productivity. Furthermore, desktop gadgets are relatively easy to create, so an enterprise can produce its own line of business gadgets. For example, I know of one organization that created a SharePoint app that tracks inventory information in real time.

Ultimately, each organization needs to decide for itself if it wants to allow desktop gadgets. If you do allow gadgets in your enterprise, then it's important to manage them. While Microsoft doesn't allow for a high degree of control over desktop gadgets, there are four Group Policy settings in Windows 7 that can help you. Unfortunately, none of these settings let you blacklist specific gadget (but I have seen a few subtle hints that such a setting may be coming in the future).

These settings are in the Group Policy Object Editor at Computer Configuration | Administrative Templates | Windows Components | Desktop Gadgets, shown in Figure 1. You can also find an identical set of user-specific Group Policy settings at User Configuration | Administrative Templates | Windows Components | Desktop Gadgets.

Figure 1: Four Group Policy settings can help you control desktop gadgets. (Click to enlarge.)
Control desktop gadgets with group policy settings

The first of these settings is Override the More Gadgets Link. Windows contains a link that takes users to Microsoft's gadget gallery, where they can download additional gadgets. This setting allows the administrator to provide an alternate download link, so when a user clicks on the More Gadgets link, he will be taken to a download site that you have approved. You could even create your own internal download site containing only desktop gadgets that are approved for use within your organization.

The Turn off desktop gadgets setting is another Group Policy setting. This is the setting to use if you want to completely ban gadgets in your organization.

More desktop management tips

How Windows 7's SKUs compare with Windows XP's editions

Assessing Microsoft's cloud-based Intune for Windows management

How to control Facebook use in the enterprise
The third setting is Restrict unpacking and installation of gadgets that are not digitally signed. When a user downloads a desktop gadget, the gadget often arrives as a compressed file that may or may not be digitally signed. Since most of the more reputable software publishers sign their code, you could use this setting to ensure that if a user downloads a gadget, he will be able to unpack the compressed file only if it has been signed. This Group Policy setting does not provide a mechanism for approving compressed packages based on who signed them.

The last Group Policy setting is Turn off user-installed desktop gadgets. If you enable this setting, users will be able to run only the desktop gadgets that are built into Windows. Any gadgets that users have downloaded and installed themselves will be disallowed.

A business case can often be made for the use of desktop gadgets, but there is plenty of room for abuse. Although Microsoft doesn't provide a lot of control over the use of desktop gadgets, there are Group Policy settings that can give you some degree of control.

ABOUT THE AUTHOR
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award seven times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and health care facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com.


This was first published in August 2010

Dig deeper on Microsoft Windows 7 operating system

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close