How to filter off-site Windows devices with DNS?


To perform off-site filtering for Windows devices, there are two steps that need to be taken. The first step is to copy the script to a location that students can't delete it from. The second step is to create a Group Policy object that monitors for a network change event and executes the script when that event occurs.

Part 1: Getting the script copied over

  1. Download the applicable attached script and edit it to replace the first IP address with your internal DNS server's IP.
  2. Rename the saved script to setdns.bat
  3. Move the script to a shared folder from your server
  4. Open up "Group Policy Management"
  5. Create a new GPO object
  6. Please name this "Copy Securly File"
  7. Right-click the newly created GPO and then click "Edit"
  8. Please go to Computer Configuration > Preferences > Windows Settings > Files, right-click and go to "New" and then "File"
  9. On the "New File Properties Window" please uncheck "Archive" and check the hidden box. Please click the "..." button for Source File(s) and navigate to the downloaded file.
  10. For Destination file: please input a location that students would not have access to, such as C:\windows\setdns.bat, then click on "Apply" and then "OK"

Part 2: Script actions

  1. Open up "Group Policy Management"
  2. Create a new GPO object
  3. Name this policy "Securly DNS actions"
  4. Right-click the newly created GPO and select "edit"
  5. Drill down to Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks and right click "Scheduled Tasks" and go to New > Scheduled Task (at least Windows 7)

  6. In the Name area please enter "Securly DNS"
  7. Under "Security Options" click the "Change User or Group" button
  8. In the window that popped up please type in "System" and click the "check names" box then click OK
  9. Please also check the "Run with highest privileges" box.
  10. The completed General Tab should look like the below:
  11. Click on the "Triggers" tab and then click the "New" button
  12. For the "Begin the task" drop down, please select "on an event"
  13. Change:
    Log to "Microsoft-Windows-NetworkProfile/Operational"
    Source to "Microsoft-Windows-NetworkProfile"
    Event ID to 10000
    Check the "Stop task if it runs longer than" box and set it to 30 minutes
    Check the Activate box
    Check the Enabled box
    Click the OK box
  14. Click on the "Actions" tab and select "New"

  15. For the "Program/Script" area please enter the path chosen in Part 1: ex: C:\windows\setdns.bat and then click "ok" to save the changes
  16. On the "Conditions" tab, under "Power", please ensure "Start task only if the computer is on AC power" is UNCHECKED. Some Versions of Windows Server automatically enable this. We want the task to run whether the computer is on AC power or battery. 
  17. Please click "Apply" to save all of the settings
  18. Once this has been applied to an OU, you can remotely update Group Policy (on some versions of Windows Server) by right-clicking on the OU and selecting "Group Policy Update".
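
Because the task runs the batch file as SYSTEM with highest privileges, anyone who can modify that file can run code as SYSTEM. The following check is an added example, not part of the original article or the attached script; it assumes the task name and script path used above and audits both the file's permissions and the task settings from Part 2 on a client device.

```powershell
# Added verification example; not part of the original article or the vendor script.
# Assumed from this article: task name "Securly DNS", script C:\windows\setdns.bat.
$ScriptPath = 'C:\windows\setdns.bat'
$TaskName   = 'Securly DNS'
$findings   = @()

# SIDs allowed to modify the script: SYSTEM, Administrators, TrustedInstaller
$trusted = 'S-1-5-18', 'S-1-5-32-544',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)

if (-not (Test-Path -LiteralPath $ScriptPath)) {
    $findings += "Script missing: $ScriptPath"
} else {
    # Any non-admin identity with write/delete rights could replace code that runs as SYSTEM.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $ScriptPath).GetAccessRules($true, $true, $sidType)) {
        $canWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            $findings += "Script writable by $($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
}

$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if (-not $task) {
    $findings += "Scheduled task not found: $TaskName"
} else {
    if ($task.Principal.UserId -notin 'SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM') {
        $findings += "Task runs as '$($task.Principal.UserId)', expected SYSTEM" }
    if ($task.Principal.RunLevel -ne 'Highest') {
        $findings += 'Run with highest privileges is not set' }
    if ($task.Settings.DisallowStartIfOnBatteries) {
        $findings += 'Task is limited to AC power (Part 2, step 16)' }
    # The event trigger stores its Log/Source/Event ID as an XML query in Subscription.
    $sub = ($task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskEventTrigger' }).Subscription -join ''
    if ($sub -notmatch 'Microsoft-Windows-NetworkProfile/Operational' -or
        $sub -notmatch 'EventID\s*=\s*10000') {
        $findings += 'No trigger on NetworkProfile/Operational event 10000' }
    if ($task.Actions.Execute -notcontains $ScriptPath) {
        $findings += "Task action does not run $ScriptPath" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

Run it from an elevated PowerShell prompt on a device in the target OU after Group Policy has refreshed.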

Note that it is recommended to disable IPv6 on the devices themselves for when they go offsite - please see this article from Microsoft on how to achieve this: 
