For a long time, Citrix and RDS admins have been frustrated by the inability to cleanly manage the Immersive Control Panel, or “Settings” app, which Server 2016 provides in place of the traditional Control Panel. Finally, as of the September Cumulative Update for Server 2016, we can selectively lock it down in much the same way as the traditional Control Panel.

Credit goes out to sklopp at Citrix discussions who brought this to light.

The official release details can be found here

The Management Options

Microsoft provide an ADMX option to lock this down, which Carl has already documented here. Alternatively, you can write the HKCU keys with whichever VUEM tickles your fancy, or via good old GPP with Item Level Targeting.

It is nice to see that there is a specific Show Only as well as a Hide Only option when controlling this.

A list of applets (can we call them that?) is outlined below:

display emailandaccounts extras findmydevice lockscreen Maps
mousetouchpad network-ethernet network-cellular network-mobilehotspot network-proxy network-vpn
network-directaccess network-wifi notifications nfctransactions easeofaccess-narrator easeofaccess-magnifier
easeofaccess-highcontrast easeofaccess-closedcaptioning easeofaccess-keyboard easeofaccess-mouse easeofaccess-otheroptions optionalfeatures
otherusers powersleep printers privacy-location privacy-webcam privacy-microphone
privacy-motion privacy-speechtyping privacy-accountinfo privacy-contacts privacy-calendar privacy-callhistory
privacy-email privacy-messaging privacy-radios privacy-backgroundapps privacy-customdevices privacy-feedback
recovery regionlanguage storagesense tabletmode taskbar themes
troubleshoot typing usb signinoptions sync workplace
windowsdefender windowsinsider windowsupdate yourinfo    

Selective Control with WEM

Because I like to do everything with WEM where I can, this article will cover the configuration at a WEM level, however GPP and Item Level Targeting can achieve the same thing for other environments.

I like this approach because you can be as selective as you like by writing the Current User Keys directly.

Create the WEM Registry Action:

Name: Windows Settings (ICP) - Show Only Display
Description: Immersive Control Panel - Shows Display
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: SettingsPageVisibility
Data: Showonly:display


You can then assign the action to whoever you want, based on whatever conditions you want, as per normal.
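
As an added example (not part of the original article or of any Citrix or Microsoft tooling), the PowerShell below builds the Data string from page names and checks, from inside a user session, whether the value actually landed in that user's hive. The function names and the `$KnownPages` subset are assumptions made for illustration; the `hide:` prefix and the `;` separator follow Microsoft's documented syntax for SettingsPageVisibility.

```powershell
# Added example, not from the original article. Read-only: the value itself is
# still written by WEM, GPP or the ADMX policy as described above.
$PolicyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'SettingsPageVisibility'

# Subset of the page identifiers listed in the article; extend as needed.
$KnownPages = @('display','printers','notifications','taskbar','themes',
                'regionlanguage','windowsupdate','windowsdefender','network-proxy')

function New-SettingsVisibilityData {
    # Builds the Data string, e.g. "showonly:display;printers".
    param(
        [Parameter(Mandatory)][ValidateSet('showonly','hide')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Pages
    )
    # A mistyped page name would not restrict what you intended, so fail early.
    $unknown = @($Pages | Where-Object { $KnownPages -notcontains $_ })
    if ($unknown.Count) { throw "Unknown page identifier(s): $($unknown -join ', ')" }
    '{0}:{1}' -f $Mode, (($Pages | ForEach-Object { $_.ToLower() }) -join ';')
}

function Test-SettingsVisibility {
    # Compares the value in the current user's hive with the expected Data string.
    param([Parameter(Mandatory)][string]$Expected)
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($prop) { $prop.$ValueName } else { $null }
    [pscustomobject]@{
        User      = "$env:USERDOMAIN\$env:USERNAME"
        Expected  = $Expected
        Current   = $current
        # -eq on strings is case-insensitive, so "Showonly:display" also matches.
        Compliant = ($null -ne $current) -and ($current -eq $Expected)
    }
}

# Constructed usage: the restriction a non-admin session is expected to carry.
$data   = New-SettingsVisibilityData -Mode showonly -Pages display
$result = Test-SettingsVisibility -Expected $data
if (-not $result.Compliant) {
    Write-Warning "SettingsPageVisibility for $($result.User) is '$($result.Current)', expected '$data'"
}
$result
```

Run it in the restricted user's session to confirm the action applied; for the unrestricted admin user, `Current` comes back empty and `Compliant` is `False`.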

The Result

Below is my user logged into a Server 2016 image that does not have the latest September patch applied:


And below is the same user logged into an identical build, but with the update deployed:


And now my admin user logged in, with no restrictions:


Pretty happy with that result.