Windows-11 Locked-down Local Account Setup

Overview

For a seamless and user-friendly setup, consider the following configuration:

User Account & Login

  1. Local Account with Auto-Login
    • Create a local account named something like “Presenter” with no password.
    • Use netplwiz to enable automatic login for this account.
  2. Guest Mode Alternative (If Needed)
    • Set up a guest-like account with no password and limited privileges.
    • Use Windows’ Assigned Access (Kiosk Mode) if you want to restrict access to specific apps.

Security & Privacy

  1. Disable Microsoft Account Sign-in Requirements
    • Use a local admin account to prevent the need for Microsoft login.
  2. Reset on Reboot (If Necessary)
    • Consider software like Reboot Restore Rx or Deep Freeze to reset changes after each session.
  3. Prevent Unwanted Changes
    • Restrict access to settings and admin privileges using Group Policy Editor (gpedit.msc).

Networking & Internet

  1. Wi-Fi Auto-Connect
    • Set up a U3A-specific Wi-Fi profile that connects automatically.
  2. Browser Shortcuts
    • Set up shortcuts to common cloud services (Google Drive, OneDrive, etc.) in Edge or Chrome.
  3. Disable Windows Updates During Presentations
    • Configure updates to install outside U3A hours (e.g., overnight).

Software & Apps

  1. Preinstall Essential Apps
    • LibreOffice or PowerPoint Viewer for slides.
    • VLC Media Player for videos.
    • Zoom/Teams/Skype for online meetings.
    • Web browser (Chrome/Edge with useful bookmarks).
  2. PDF Viewer
    • Set SumatraPDF or Edge as the default viewer.
  3. Disable OneDrive Sync (If Unnecessary)
    • Prevent login prompts and unnecessary background syncing.

User Experience & Accessibility

  1. Large Icons & Simple Desktop Layout
    • Place commonly used apps on the desktop for easy access.
  2. Enable High Contrast Mode or Larger Text (For Visibility Issues)
    • Useful for presenters with vision impairments.
  3. Set a Clean Desktop Background
    • A simple U3A-branded wallpaper can look professional and avoid clutter.

Admin Account

Admin Account Setup: Local vs. Microsoft Account

For your use case, you have two options:

  1. Local Admin Account (Recommended)
    • Simple to manage, no need for internet access.
    • No OneDrive access, but avoids Microsoft-related login issues.
    • Can be used on all laptops without restrictions.
  2. Microsoft Admin Account (For OneDrive Access)
    • Required if you want built-in OneDrive access.
    • Can be used across multiple laptops, but you may hit Microsoft’s device limit (typically 10 devices per account).
    • Requires an internet connection and periodic login.
    • May force Windows Hello setup (PIN, fingerprint, etc.), which can be annoying.

Recommended Approach for U3A

  • Use a Local Admin Account for general management.
  • If OneDrive is essential, create a separate Microsoft account just for U3A. This account can be added to each laptop as a secondary account for OneDrive access.

Step-by-Step Instructions for Setting Up the Admin Account

Option 1: Create a Local Admin Account (Recommended)

  1. Open Settings:
    • Press Win + I → Go to Accounts → Other users.
  2. Add a New Local User:
    • Click Add account.
    • Select I don’t have this person’s sign-in information.
    • Click Add a user without a Microsoft account.
    • Enter:
      • Username: Admin
      • Password: Leave blank (or set a simple password)
    • Click Next.
  3. Give Admin Privileges:
    • Select the newly created user.
    • Click Change account type.
    • Set it to Administrator.
  4. Sign In & Configure:
    • Log into this account once to finalize setup.
    • Disable Microsoft’s “Welcome Experience” to prevent nagging prompts.

Option 2: Create a Microsoft Admin Account (If OneDrive Is Required)

  1. Open Settings:
    • Press Win + I → Go to Accounts → Other users.
  2. Add a Microsoft Account:
    • Click Add account.
    • Enter a shared U3A Microsoft account (e.g., u3a.boxhill.laptops@outlook.com).
    • Complete verification steps.
  3. Make It an Admin:
    • After setup, go to Settings → Accounts → Other users.
    • Click the account → Change account type → Select Administrator.
  4. Sign In & Configure:
    • Sign in and set up OneDrive if needed.
    • Configure OneDrive to Files On-Demand mode to prevent unnecessary downloads.
  5. Repeat on Other Laptops:
    • Sign in using the same Microsoft account, but be mindful of Microsoft’s device limit.

Additional Security Tweaks

  • Rename the Built-in Admin Account (For Security)
    Run the following command in PowerShell as an administrator: Rename-LocalUser -Name "Administrator" -NewName "U3AAdmin"
  • Disable the Built-in Administrator Account (Optional)
    Run this after the rename above, using the new name (use "Administrator" if you skipped the rename): Disable-LocalUser -Name "U3AAdmin"
  • Prevent Microsoft Account Requirement in Future
    Open gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
    • Set Accounts: Block Microsoft accounts to Users can’t add Microsoft accounts.
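The same three tweaks can be applied and checked from one elevated PowerShell session, which is handy when several laptops have to end up identical. The script below is an added example, not code from the original notes: the account name U3AAdmin is the page's, the built-in Administrator is located by its well-known RID 500 so the rename works even if it was renamed before, and the "Accounts: Block Microsoft accounts" policy is written through its backing registry value NoConnectedUser (1 = users can’t add Microsoft accounts, 3 = users can’t add or log on with them). The disable step refuses to run unless some other local administrator exists, so the laptop cannot be left without an admin.

```powershell
# Added example (not part of the original notes): rename the built-in
# Administrator, optionally disable it, block Microsoft accounts, then verify.
# Run in PowerShell as an administrator.
#Requires -RunAsAdministrator

# 1. Find the built-in Administrator by its RID (500), whatever it is called now.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -ne 'U3AAdmin') {
    Rename-LocalUser -Name $builtin.Name -NewName 'U3AAdmin'
}

# 2. Disable it only if another local administrator can still sign in.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
if ($otherAdmins) {
    Disable-LocalUser -Name 'U3AAdmin'
} else {
    Write-Warning 'No other local administrator exists; leaving the built-in account enabled.'
}

# 3. "Accounts: Block Microsoft accounts" -> "Users can't add Microsoft accounts".
#    Backing value: NoConnectedUser (DWORD), 1 = can't add, 3 = can't add or log on.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $polKey -Name 'NoConnectedUser' -Value 1 -Type DWord

# Verification: one object per laptop that can be compared across the fleet.
$check = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
[pscustomobject]@{
    BuiltInAdminName    = $check.Name
    BuiltInAdminEnabled = $check.Enabled
    NoConnectedUser     = (Get-ItemProperty -Path $polKey -Name 'NoConnectedUser').NoConnectedUser
}
```

If the admin account you actually use day to day is the renamed built-in account (the later steps sign in as U3AAdmin), skip the disable step; disabling it and then signing out would lock you out.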

Presenter Account

Setting Up Auto-Login

To ensure that presenters don’t have to enter a password when starting the laptops, you can configure Windows to log in automatically. This setup works best when using a local user account (e.g., “Presenter”).


Step 1: Create the “Presenter” Local Account

If you haven’t created the Presenter account yet, follow these steps:

  1. Open Settings:
    • Press Win + I → Go to Accounts → Other users.
  2. Add a New Local User:
    • Click Add account.
    • Select I don’t have this person’s sign-in information.
    • Click Add a user without a Microsoft account.
    • Enter:
      • Username: Presenter
      • Password: Leave blank (or set a simple password).
    • Click Next.
  3. Ensure the Account is Standard (Non-Admin)
    • Go to Settings → Accounts → Other users.
    • Click the new Presenter account.
    • Click Change account type and ensure it is set to Standard user (not Administrator).

Step 2: Enable Auto-Login for “Presenter”

Option 1: Using netplwiz (GUI)

  1. Open the User Accounts Window
    • Press Win + R, type netplwiz, and press Enter.
  2. Disable Password Requirement
    • In the User Accounts window, select the Presenter account.
    • Uncheck “Users must enter a username and password to use this computer.”
    • Click Apply.
  3. Enter the Login Credentials
    • If prompted, enter the password for the Presenter account (leave blank if there is no password).
    • Click OK and restart the laptop to confirm auto-login works.

Option 2: Using the Registry Editor (For Systems Without netplwiz)

If netplwiz doesn’t work, you can enable auto-login via the registry.

  1. Open the Registry Editor
    • Press Win + R, type regedit, and press Enter.
  2. Navigate to the Auto-Login Key
    • Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  3. Modify or Create the Necessary Values
    • Double-click DefaultUserName, set it to Presenter.
    • Double-click DefaultPassword, enter the password (leave blank if none).
    • Double-click AutoAdminLogon, set the value to 1.
  4. Restart the Laptop to Apply Changes

Step 3: Prevent Windows Updates from Resetting Auto-Login

  • Disable Forced Login Prompts After Updates
    1. Open Settings → Accounts → Sign-in options.
    2. Under “Require sign-in”, select Never.
    3. Scroll down to “Use my sign-in info to automatically finish setting up after an update” and turn Off.

Step 4: Set Up Auto-Lock for Security

Since the laptop logs in automatically, you may want to enable auto-lock after inactivity to prevent misuse.

  • Open Settings → System → Power & sleep.
  • Set Screen turn-off time to 5-10 minutes.
  • Click Additional power settings → Require a password on wakeup and enable it.

Restricting System Changes for the Presenter Account

To prevent presenters from making accidental (or intentional) system changes, we can apply restrictions using Group Policy, Local Security Policies, and Registry Edits. These steps will:

  • Block access to settings like user accounts, updates, and system preferences.
  • Prevent software installation (except by an admin).
  • Restrict access to certain drives or files.
  • Disable access to the Task Manager and Command Prompt.

Step 1: Convert “Presenter” to a Standard User (If Not Done Already)

A Standard User account cannot install software or change system-wide settings.

  1. Open Settings → Accounts → Other users.
  2. Select Presenter and click Change account type.
  3. Ensure it is set to Standard User (not Administrator).
  4. Click OK.

Step 2: Restrict System Settings & Access to Control Panel

We’ll use Group Policy to block settings changes.

Using Local Group Policy Editor (gpedit.msc)

  1. Open the Group Policy Editor
    • Press Win + R, type gpedit.msc, and press Enter.
  2. Block Access to Control Panel & Settings
    • Navigate to: User Configuration → Administrative Templates → Control Panel
    • Double-click Prohibit access to Control Panel and PC settings.
    • Set it to Enabled and click OK.
  3. Prevent Users from Changing Account Settings
    • Navigate to: User Configuration → Administrative Templates → Control Panel → User Accounts
    • Double-click Apply the default account picture to all users.
    • Set it to Enabled.
  4. Prevent Access to Command Prompt
    • Navigate to: User Configuration → Administrative Templates → System
    • Double-click Prevent access to the command prompt.
    • Set it to Enabled.
  5. Prevent Access to Registry Editor
    • Navigate to: User Configuration → Administrative Templates → System
    • Double-click Prevent access to registry editing tools.
    • Set it to Enabled.
  6. Prevent Access to Task Manager
    • Navigate to: User Configuration → Administrative Templates → System → Ctrl+Alt+Del Options
    • Double-click Remove Task Manager.
    • Set it to Enabled.
  7. Apply Changes and Restart
    • Close Group Policy Editor.
    • Restart the laptop for the settings to take effect.
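One caveat before trusting Step 2: settings under User Configuration in the Local Group Policy Editor apply to every account that signs in to the laptop, the admin account included, so "Prevent access to registry editing tools" and "Prevent access to the command prompt" will also bite U3AAdmin. To restrict only the Presenter account, open mmc.exe, add the Group Policy Object Editor snap-in, click Browse, and on the Users tab pick Presenter (or Non-Administrators); that per-user local GPO holds the same settings but is processed only for that account. The script below is an added example, not part of the original notes: run as an administrator, it reads the registry values that these four policies write into the Presenter account’s hive and reports whether each restriction is actually in effect. The hive is only present under HKEY_USERS while Presenter is signed in (or after it has been loaded with reg load), so the script stops with a hint if it is missing. The account name is a parameter defaulting to the page’s "Presenter".

```powershell
# Added example (not from the original notes): audit whether the Step 2
# Group Policy restrictions are in effect for a given local account by reading
# the registry values the Local Group Policy Editor writes. Run as administrator.
param([string]$UserName = 'Presenter')   # account name used on the page

# Resolve the account name to its SID; the SID names the hive under HKEY_USERS.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$hive = "Registry::HKEY_USERS\$sid"
if (-not (Test-Path $hive)) {
    Write-Warning "Hive for $UserName ($sid) is not loaded. Sign in as that user once, or run: reg load HKU\$sid C:\Users\$UserName\NTUSER.DAT"
    return
}

# Policy name -> registry key, value name, and the values that mean "enabled".
$expected = @(
    @{ Policy = 'Prohibit access to Control Panel and PC settings'
       Key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'NoControlPanel';       Ok = @(1) },
    @{ Policy = 'Prevent access to the command prompt'
       Key = "$hive\Software\Policies\Microsoft\Windows\System";                 Name = 'DisableCMD';           Ok = @(1, 2) },
    @{ Policy = 'Prevent access to registry editing tools'
       Key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = 'DisableRegistryTools'; Ok = @(1, 2) },
    @{ Policy = 'Remove Task Manager'
       Key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = 'DisableTaskMgr';       Ok = @(1) }
)

# One row per policy: the stored value (if any) and whether it counts as applied.
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Policy  = $e.Policy
        Value   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Applied = ($actual -in $e.Ok)
    }
}
```

Run it once with Presenter signed in after Step 2 and again after any reset (the "rd /S /Q C:\Windows\System32\GroupPolicy" fix later on the page wipes these settings), and keep the output with the laptop’s build notes.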

Step 3: Block Software Installation

By default, Standard Users cannot install software. However, we can prevent software from running from USB drives (except files like PowerPoint presentations).

Using Local Group Policy Editor

  1. Open gpedit.msc and navigate to: Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies
  2. If no policies exist:
    • Right-click Software Restriction Policies → Create New Policies.
  3. Block Running Applications from USB or External Drives
    • Navigate to Additional Rules.
    • Right-click in the right pane and select New Path Rule.
    • Set the Path to: E:\*.exe (Replace E: with the usual drive letter for USB drives).
    • Set Security Level to Disallowed.
    • Click OK.
  4. Prevent Installation from Common Setup Files
    • Add these additional rules (one at a time) and set them to Disallowed:
      C:\Users\Presenter\Downloads\*.exe
      C:\Users\Presenter\Downloads\*.msi
      C:\Users\Presenter\AppData\*.exe
  5. Restart the laptop to apply changes.

Step 4: Restrict Access to Drives (Optional)

To prevent accidental deletion of files, restrict access to certain drives.

  1. Open gpedit.msc and navigate to: User Configuration → Administrative Templates → Windows Components → File Explorer
  2. Enable “Prevent access to drives from My Computer”.
    • Choose the drives to restrict (e.g., only allow access to D: if that’s where presentations are stored).

Step 5: Restrict Network & Windows Updates

Since Windows updates can cause login prompts or delays, disable manual updates for the Presenter account.

  1. Open gpedit.msc and navigate to: Computer Configuration → Administrative Templates → Windows Components → Windows Update
  2. Enable “Remove access to use all Windows Update features”.
  3. Restart the laptop to apply changes.

Step 6: Lock the Desktop Environment

To prevent unnecessary clutter, restrict the desktop to only useful shortcuts.

  1. Navigate to: User Configuration → Administrative Templates → Desktop
  2. Enable “Prohibit adding, deleting, and editing desktop icons”.
  3. Place only essential shortcuts (PowerPoint, browser, video player) on the desktop.
  4. Set a U3A-branded wallpaper and prevent changes.

Final Notes

  • No admin privileges for Presenter account
  • Cannot install software or change system settings
  • Cannot access Command Prompt, Registry, or Task Manager
  • No Windows Update interruptions
  • Safe browsing & file access restrictions


Resetting a Laptop to Its Original Setup

If a presenter accidentally changes settings, installs unwanted software, or causes system instability, you can quickly restore the laptop to its original setup.


Option 1: Restore Windows Using Built-in Reset (Best for Full Resets)

This method reinstalls Windows but keeps essential apps and files.

Steps:

  1. Open Settings
    • Press Win + I → Update & Security → Recovery.
  2. Start Reset Process
    • Under Reset this PC, click Get started.
  3. Choose Reset Option
    • Select Keep my files (keeps personal files but removes apps & settings).
    • Select Remove everything (if a full reset is needed).
  4. Follow On-Screen Instructions
    • If asked, choose Local reinstall (faster than cloud recovery).
    • Wait for Windows to reinstall.
  5. Reconfigure the Laptop
    • Reapply Auto-Login, Restrictions, and Software Setup as needed.

Option 2: Use a Restore Point (Best for Minor Fixes)

If the system is misconfigured but still functional, restore it to an earlier state.

Steps:

  1. Open System Restore
    • Press Win + R, type rstrui, and press Enter.
  2. Select a Restore Point
    • Choose a restore point from before the issue occurred.
  3. Start the Restore
    • Click Next → Finish.
    • The system will restart and restore settings.

Option 3: Use a Backup Software (Best for Quick Resets)

If you set up Reboot Restore Rx or Deep Freeze, every restart will reset the laptop automatically.

  1. Install Reboot Restore Rx (Free)
    • Download from horizondatasys.com.
    • Install and protect the C:\ drive.
    • Once set up, all changes are erased on reboot.
  2. For Deep Freeze (Paid)
    • Configure it to lock system changes.
    • Admins can disable it for updates.

Option 4: Manual Reset Using U3AAdmin Account (Best for Quick Fixes)

If presenters only made minor changes, you can manually reset configurations.

Steps:

  1. Log in as U3AAdmin
    • Press Ctrl + Alt + Del, click Sign out, and log in as Admin.
  2. Remove Unwanted Apps
    • Open Settings → Apps → Installed Apps.
    • Uninstall anything presenters may have installed.
  3. Reset Group Policy Settings
    • Open Command Prompt as Admin and run: gpupdate /force
    • If settings seem broken, reset policies entirely (this deletes every local Group Policy setting, so the Presenter restrictions must be reapplied afterwards):
      rd /S /Q C:\Windows\System32\GroupPolicy
      gpupdate /force
    • Restart the laptop.
  4. Restore Presenter Account
    • Delete and recreate the Presenter account:
      net user Presenter /delete
      net user Presenter /add
      net localgroup Users Presenter /add
    • Reapply Auto-Login (see previous instructions).

Final Recommendation

If these laptops will be used often by different people, consider setting up Reboot Restore Rx. It automatically resets the system on reboot, ensuring presenters always start with a clean environment.

Probably too expensive. Need to look for an open-source solution.


Script for Windows 11 Setup and Lockdown for Shared Use

1. Initial Windows 11 Setup

  • Bypassed Microsoft account requirement using Shift + F10 → OOBE\BYPASSNRO.
  • Created a local account named ubh-user with no password.
  • Created an admin account ubh-admin.
  • Demoted ubh-user to a standard user.

2. Restricting “ubh-user” Account

  • Disabled access to Task Manager, Command Prompt, Registry Editor, Control Panel, and Windows Installer using Group Policy (gpedit.msc) under:
    • User Configuration > Administrative Templates > System
    • User Configuration > Administrative Templates > Control Panel
    • User Configuration > Administrative Templates > Windows Components > Windows Installer
  • Disabled password change for ubh-user:
    net user ubh-user /passwordchg:no
    net user ubh-user /passwordreq:no /expires:never

3. Auto-Login Configuration for “ubh-user”

$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set-ItemProperty -Path $RegPath -Name "DefaultUserName" -Value "ubh-user"
Set-ItemProperty -Path $RegPath -Name "AutoAdminLogon" -Value "1"
Set-ItemProperty -Path $RegPath -Name "DefaultPassword" -Value ""
  • Verified and toggled auto-login behavior using a PowerShell script with Registry:: path notation.
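A toggle script of the kind described in the bullet above, written here as an added example rather than the author’s own script. It covers both the registry procedure in the Presenter section and the four Set-ItemProperty lines in section 3: Get-AutoLogonState reads back the three Winlogon values, Enable-AutoLogon writes them for a named account but refuses if that account is a local administrator (auto-login of an admin would hand every presenter admin rights), and Disable-AutoLogon turns the feature off and removes any stored DefaultPassword, which Winlogon keeps in plain text in this key. The user name ubh-user is the page’s; DefaultDomainName is set to the computer name because the account is local. Two practical notes: the netplwiz checkbox is hidden on Windows 11 while "For improved security, only allow Windows Hello sign-in" is turned on under Sign-in options, which is usually why "netplwiz doesn’t work"; and after a blank-password account is auto-logged in, the screen-lock step in the Presenter section is what keeps the session from being walked up to.

```powershell
# Added example (not part of the original notes): enable, disable and verify
# Winlogon auto-login for a local account. Run as an administrator.
$RegPath = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    # Report the current values without changing anything.
    $p = Get-ItemProperty -Path $RegPath
    [pscustomobject]@{
        Enabled           = ($p.AutoAdminLogon -eq '1')
        UserName          = $p.DefaultUserName
        HasStoredPassword = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Enable-AutoLogon {
    param([Parameter(Mandatory)][string]$UserName)
    # Never auto-login a member of Administrators.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.Split('\')[-1] }
    if ($UserName -in $admins) {
        throw "$UserName is a local administrator; auto-login not enabled."
    }
    Set-ItemProperty -Path $RegPath -Name 'DefaultUserName'   -Value $UserName
    Set-ItemProperty -Path $RegPath -Name 'DefaultDomainName' -Value $env:COMPUTERNAME
    Set-ItemProperty -Path $RegPath -Name 'DefaultPassword'   -Value ''   # blank-password account
    Set-ItemProperty -Path $RegPath -Name 'AutoAdminLogon'    -Value '1'
    Get-AutoLogonState
}

function Disable-AutoLogon {
    Set-ItemProperty -Path $RegPath -Name 'AutoAdminLogon' -Value '0'
    # Do not leave a password sitting in the registry once auto-login is off.
    Remove-ItemProperty -Path $RegPath -Name 'DefaultPassword' -ErrorAction SilentlyContinue
    Get-AutoLogonState
}

# Usage: Enable-AutoLogon -UserName 'ubh-user'    or    Disable-AutoLogon
Get-AutoLogonState
```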

4. Removing Windows 11 Bloatware

# Store apps to remove. Run as an administrator so -AllUsers works.
$bloatApps = @(
    "Microsoft.BingNews", "Microsoft.YourPhone", "Microsoft.WindowsFeedbackHub",
    "Microsoft.XboxGamingOverlay", "Microsoft.XboxGameOverlay", "Microsoft.Xbox.TCUI",
    "Microsoft.People", "Microsoft.MicrosoftSolitaireCollection", "Microsoft.SkypeApp"
)
foreach ($app in $bloatApps) {
    # -AllUsers is needed on Remove-AppxPackage too; without it the app is only
    # removed from the profile running the script, not from ubh-user.
    Get-AppxPackage -AllUsers -Name $app | Remove-AppxPackage -AllUsers
}
  • Disabled suggestions and ads:
    • Win + I → Personalization > Start → Turn off “Show recommendations”
  • Blocked future bloatware installations:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

5. Preventing Backup Prompts and OneDrive Nagging

# Disable OneDrive if present: stop the running client, then run its uninstaller
Start-Process -FilePath "taskkill" -ArgumentList "/f /im OneDrive.exe" -Wait -NoNewWindow
Start-Process -FilePath "$env:SystemRoot\System32\OneDriveSetup.exe" -ArgumentList "/uninstall" -Wait -NoNewWindow

# Disable Microsoft Backup prompts (all users)
# 'HKU' is not a PowerShell drive by default, so enumerate the loaded hives through
# the Registry:: provider path and keep only real user SIDs (not *_Classes hives).
$users = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.Name -match '^HKEY_USERS\\S-\d-\d+-(\d+-){1,14}\d+$' }
foreach ($user in $users) {
    # $user.Name is already the full "HKEY_USERS\<SID>" path; PSChildName alone
    # would drop the HKEY_USERS prefix and the key would never be found.
    $path = "$($user.Name)\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement"
    if (-not (Test-Path "Registry::$path")) {
        New-Item -Path "Registry::$path" -Force | Out-Null
    }
    Set-ItemProperty -Path "Registry::$path" -Name "ScoobeSystemSettingEnabled" -Value 0 -Type DWord
}

6. Preventing Widgets and Taskbar Changes

  • Disabled Widgets via Group Policy:
    • Computer Configuration > Administrative Templates > Windows Components > Widgets → “Allow widgets” = Disabled
  • Prevented users from customizing the taskbar:
    • User Configuration > Administrative Templates > Start Menu and Taskbar → “Prevent users from customizing their taskbar” = Enabled

7. File System and Icon Cleanup

  • Removed drive letter from 20MB boot partition using Disk Management.
  • Resolved PowerShell registry path issues by switching to Registry:: notation.
  • Rebuilt desktop shortcut icons using: ie4uinit.exe -show

Final System State

ubh-user is restricted from making changes.
ubh-admin retains full access and scripting capability.
✅ No bloatware, backup nags, or OneDrive prompts.
✅ Auto-login enabled but toggleable via PowerShell.
✅ System returns to configured state after reboot (once Time Freeze or equivalent is installed).


This refined setup provides a clean, stable, and non-interruptive environment for shared-use systems while preserving admin flexibility.

About the Image

“Microsoft Windows 11” by KK IN HK is licensed under CC BY-SA 4.0.
