Selective Control of the Immersive Control Panel (Settings) in Server 2016

It has been a considerable amount of time that the inability to nicely manage the Immersive Control Panel or “Settings” App provided in place of the traditional Control Panel in Server 2016 has frustrated Citrix and RDS admins. Finally as of the September Cumulative Update for Server 2016, we can selectively lock this down in a similar fashion that we can with the traditional Control Panel

Credit goes out to sklopp at Citrix discussions who brought this to light

The official release details can be found here

The Management Options

Microsoft provide an ADMX option to lock this down which Carl has already documented here. Alternatively you can write the HKCU keys with whichever VUEM tickles your fancy, or via good old GPP with Item level targeting.

It is nice to see that there is a specific “Show Only” and well as a “Hide Only” option when controlling this.

A list of applets (can we call them that?) is outlined below

display

emailandaccounts

extras

findmydevice

lockscreen

Maps

mousetouchpad

network-ethernet

network-cellular

network-mobilehotspot

network-proxy

network-vpn

network-directaccess

network-wifi

notifications

nfctransactions

easeofaccess-narrator

easeofaccess-magnifier

easeofaccess-highcontrast

easeofaccess-closedcaptioning

easeofaccess-keyboard

easeofaccess-mouse

easeofaccess-otheroptions

optionalfeatures

otherusers

powersleep

printers

privacy-location

privacy-webcam

privacy-microphone

privacy-motion

privacy-speechtyping

privacy-accountinfo

privacy-contacts

privacy-calendar

privacy-callhistory

privacy-email

privacy-messaging

privacy-radios

privacy-backgroundapps

privacy-customdevices

privacy-feedback

recovery

regionlanguage

storagesense

tabletmode

taskbar

themes

troubleshoot

typing

usb

signinoptions

sync

workplace

windowsdefender

windowsinsider

windowsupdate

yourinfo

Selective Control with WEM

Because I like to do everything with WEM where I can, this article will cover the configuration at a WEM level, however GPP and Item Level Targeting can achieve the same thing for other environments

I like this approach because you can be as selective as you like by writing the Current User Keys directly

Create the WEM Registry Action:

Name: Windows Settings (ICP) – Show Only Display
Description: Immersive Control Panel – Shows Display
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Type: REG_SZ
Value: SettingsPageVisibility
Data: Showonly:display

WEMAction
WEM Action

You can then assign the action to whoever you want based on whatever conditions you want as per normal

The Result

Below is my user logged into a Server 2016 image that does not have the latest September patch applied

NonPatchImage
Image – Non Patched with HKCU Key Applied

And below, is the same user logged into an identical build, but with the update deployed.

PatchedImage
Patched Image with HKCU Key Applied

And now my admin user logged in – no restrictions

PatchedImage-Admin
Patched Image with Admin User

Pretty happy with that result.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: