Allowing Reboot without Shutdown on Windows 10
How is it possible in mid-2018, with 2.6 million results in Google when searching, that we don't have a policy where we can prevent shutting down a system but allow rebooting? There are dozens of workarounds, some of which I'll go over below, but no actual ability to set this policy.
First, there are two places that most people turn to when setting this policy. The first is a GPO under Administrative Templates \ Start Menu and Taskbar \ Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands. According to the help (shamelessly stolen from StartMenu.adml):
This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions.
If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE.
If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available.
Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting.
Close, but no cigar. The second option that people turn to is the permissions granted under Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment \ Shut Down The System. At first, this looks like what we want - prevent users from shutting down. The explanation for this setting given by Microsoft includes:
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.
Still looking good - no mention of any other options. Perhaps we limit this to a select few and no one else can shut down? Unfortunately, when you set this policy, you are also preventing users from being able to restart the computer. Even though it doesn't call out "Restart" as something they are restricted from performing, it appears as though Windows really considers restarting to be just shutting down and starting back up again. Even when trying to run a reboot command from the command prompt, you're denied access.
So, without looking into third-party solutions, we're left with a workaround. The route I took, which was good enough for my needs:
- Do not define the "Shut Down The System" policy. Basically allow anyone to shut down.
- Use "Remove and Prevent Access to the Shut Down . . ." policy.
- Create two shortcuts on the Start Menu to logoff and to restart.
The end result is that users do have permission to shut down, so it's not impossible for them to do it if they know how. Since I'm trying to stop them from shutting down their own personal (corporate) virtual machines, I'm not too concerned with them finding a way to turn the system off. If they do, they'll probably only do it once since it means a call to the Help Desk to turn it back on until we get some kind of self-service environment running for it.
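As an added example (not the author's XML and not part of the original post), the shortcut step of the workaround can be scripted in PowerShell. The shortcut names, the all-users Start Menu folder and the function names are assumptions made for illustration.

```powershell
# Added example. Function names, shortcut names and the target folder are hypothetical choices.

function Test-ShutdownRight {
    # "Shut down the system" is SeShutdownPrivilege. A restart needs it too, so if the
    # right was removed the Restart shortcut fails with access denied.
    # Run this in a standard user's session to test that user's token.
    return [bool](whoami.exe /priv | Select-String -SimpleMatch 'SeShutdownPrivilege')
}

function New-SessionShortcuts {
    param(
        # All-users Start Menu "Programs" folder; writing here needs elevation.
        [string]$Folder = [Environment]::GetFolderPath('CommonPrograms')
    )
    $shutdownExe = Join-Path $env:SystemRoot 'System32\shutdown.exe'
    $items = @(
        @{ Name = 'Restart'; Arguments = '/r /t 0'; Description = 'Restart this computer' }
        @{ Name = 'Log Off'; Arguments = '/l';      Description = 'Sign out of this session' }
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($item in $items) {
        $path = Join-Path $Folder ($item.Name + '.lnk')
        $lnk = $shell.CreateShortcut($path)   # opens an existing .lnk or prepares a new one
        $lnk.TargetPath  = $shutdownExe
        $lnk.Arguments   = $item.Arguments
        $lnk.Description = $item.Description
        $lnk.Save()
        # Read the file back to confirm what was actually written.
        $check = $shell.CreateShortcut($path)
        [pscustomobject]@{
            Path      = $path
            Target    = $check.TargetPath
            Arguments = $check.Arguments
        }
    }
}

if (-not (Test-ShutdownRight)) {
    Write-Warning 'This token lacks SeShutdownPrivilege; the Restart shortcut will be denied.'
}
New-SessionShortcuts
```

Because the shortcuts call `shutdown.exe` directly, they keep working with the Start menu Power button hidden, and the same right that lets them restart also lets a user run `shutdown /s` by hand.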
Here is the XML I used - you're more than welcome to steal it, it's pretty generic: