Server 2016 & PC Settings/Immersive Control Panel

[Eric Gilliland]

I'm curious how everyone is handling this if you're publishing full desktops. Since there isn't a way to modify the visibility of any of these areas with group policy. Have you found some way to edit file/directory NTFS permissions to accomplish selective visibility? Do you just allow it? Do you remove read access to "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" so it can't be launched? There is mostly junk in there, but I'd like to offer up some areas to users, mostly Personalization options, like color, start, and taskbar settings. These are areas that you can't configure in the "classic" control panel.

 

I'm not in production yet and with Server 2019 coming out soon, I may just wait for it to see how that differs.

[Stefan Klopp]

Hello,

 

I did read through the changelog of the latest Cumulative Update for Windows Server 2016.
September 20, 2018—KB4457127 (Link: https://support.microsoft.com/de-at/help/4457127/windows-10-update-kb4457127)

The changelog says:

 

Makes the visibility Group Policy for the Settings Page available under User Configuration and Computer Configuration. The GPOs are at the following paths:

User Configuration/Administrative Template/Control Panel/Settings Page Visibility

Computer Configuration/Administrative Template/Control Panel/Settings Page Visibility

 

 

 

There are also changes about that in other Windows-Versions like Windows 10 1803.
September 20, 2018—KB4458469 (Link: https://support.microsoft.com/de-at/help/4458469)

The changelog says:

 

Makes the visibility policy for the Settings Page available under User Configuration. The GPO is at the following path: User Configuration/Administrative Template/Control Panel/Settings Page Visibility 

 

 

 

The Policy "Settings Page Visibility" does show up in User-node in GPEdit.msc on an updated Windows Server 2016 machine:

 

 

I don't know, if new ADMX will be released. At the Moment I am not able to test this with GPO, because the settings are missing.

Would be great, if this will work as expected ...

 

 

Appendix:

Just tested this out.

I have a Server 2016 with KB4457127 installed. I did create a GPO targeting this machine.

The GPO contains a Group Policy Preferences - Registry Setting:

 

Key Path: HKCU - SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value: SettingsPageVisibility

Type: Reg_SZ

Data: showonly:windowsupdate;bluetooth

 

I use Item-Level-Targeting: User does get the setting. Admin does not get the setting.

 

Result:
Admin: Immersive Control Panel Shows everything

User: Immersive Control Panel Shows only Windows Update and Bluetooth

[CarlStalhood]

Like this? https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#settingspage

[Martijn Kools]

Yeah we just allow everything now in 2016 because there is no other option. But in 1709 Windows 10 there is a new GPO:

 

https://www.windowscentral.com/how-hide-settings-pages-windows-10-creators-update

 

So that will def. be possible in Windows Server 2019 as well. For now you could indeed block systemsettings.exe but that's no option for us either since people need to add/remove printers or change personal display settings.

 

 

[Eric Gilliland]

Thanks for the input. The "Settings page visibility" works perfectly in Win10. Since Server LTSB 2016 is based on 1607, it doesn't apply to it. It obviously makes enterprise management much more difficult. I really dislike how a user could go into "Default save locations" and start writing to data to the write cache drive, for example.

 

I'm leaning towards keeping it disabled and creating an exception group for users to temporarily access the area to change their taskbar settings or whatnot. Make the change and then remove them from the group.

[James Kindon]

you aren't alone

https://social.technet.microsoft.com/Forums/WINDOWS/en-US/b6f50699-21dc-48bb-9110-f9e0fdb0801c/server-2016-and-quotsettings-page-visibilityquot?forum=winserverTS

 

Hopefully Server 2019 offers something better than the hammer of Thor approach with applocker

[Morten Tollefsen1709160153]

On 6.9.2018 at 5:42 PM, Eric Gilliland said:

I'm curious how everyone is handling this if you're publishing full desktops. Since there isn't a way to modify the visibility of any of these areas with group policy. Have you found some way to edit file/directory NTFS permissions to accomplish selective visibility? Do you just allow it? Do you remove read access to "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" so it can't be launched? There is mostly junk in there, but I'd like to offer up some areas to users, mostly Personalization options, like color, start, and taskbar settings. These are areas that you can't configure in the "classic" control panel.

 

I'm not in production yet and with Server 2019 coming out soon, I may just wait for it to see how that differs.

 

We are blocking systemsettings.exe. The users can still right-click the startmenu and start the old control panel and do the tasks we are allowing them through GPO.

[Eric Gilliland]

6 hours ago, Stefan Klopp said:

Hello,

 

I did read through the changelog of the latest Cumulative Update for Windows Server 2016.
September 20, 2018—KB4457127 (Link: https://support.microsoft.com/de-at/help/4457127/windows-10-update-kb4457127)

The changelog says

 

 

I confirmed this works as well w/the update. Thanks for this as I did not notice. About time! :)

[IT Systems1709151598]

On 9/24/2018 at 8:47 AM, Stefan Klopp said:

Hello,

 

I did read through the changelog of the latest Cumulative Update for Windows Server 2016.
September 20, 2018—KB4457127 (Link: https://support.microsoft.com/de-at/help/4457127/windows-10-update-kb4457127)

 

 

Brilliant!  Thanks for bringing this to our attention SKlopp.

[Navpreet Sidhu]

Thanks SKlopp!

 

...that is fix!

 

Carl Stalhood needs to update his cool XenApp blog, lol.

[Martijn Kools]

Very nice lol I just updated to this patch and it works.

 

So what do you guys have? I have this currently (Win2016):

 

showonly:notifications;multitasking;printers;mousetouchpad;personalization-background;colors;lockscreen;themes;personalization-start;taskbar;dateandtime;regionlanguage

 

 

[Stefan Klopp]

Be informed, that I stumbled on an issue:

 

I did check the settings-page URIs listed on: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

I did invest about 2 hours to check all the URIs and setup the "SettingsPageVisibility-String" to our requirements.

I was happy, when I was ready, but it was not working anymore!

 

I did find the cause quickly. The max-length of the string seems to be 255 characters.

 

 

< 255 characters: working

> 255 characters: NOT working

 

Great Microsoft - Thank you!

 

[Navpreet Sidhu]

19 hours ago, Carl Stalhood1709151912 said:

Like this? https://www.carlstalhood.com/group-policy-objects-vda-user-settings/#settingspage

 

You the man!

[Ewald Bracko1709154210]

On ‎02‎.‎10‎.‎2018 at 0:32 PM, Stefan Klopp said:

Be informed, that I stumbled on an issue:

 

I did check the settings-page URIs listed on: https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app

I did invest about 2 hours to check all the URIs and setup the "SettingsPageVisibility-String" to our requirements.

I was happy, when I was ready, but it was not working anymore!

 

I did find the cause quickly. The max-length of the string seems to be 255 characters.

 

 

< 255 characters: working

> 255 characters: NOT working

 

Great Microsoft - Thank you!

 

 

I can confirm that...

Oh my, this is such a stupid error...

Hopefully Microsoft will fix that soon. 255 characters are definitely too less in a Terminal Server environment...

[Stefan Klopp]

On ‎08‎.‎12‎.‎2018 at 1:30 AM, Ewald Bracko1709154210 said:

 

I can confirm that...

Oh my, this is such a stupid error...

Hopefully Microsoft will fix that soon. 255 characters are definitely too less in a Terminal Server environment…

 

I did read through the changelog of the Cumulative Update "KB4489889" from "March 19, 2019" for Windows Server 2016. (Link: https://support.microsoft.com/en-us/help/4489889) 
The changelog says:

 

Addresses a character limit issue in the "Settings Page Visibility" Group Policy in the following policy path: "User Configuration\Administrative Templates\Control Panel".

 

 

I have not tried it yet and therefore I can not confirm, that the character-limit is fixed now ...

[Arj Shoker1709159857]

Hi All

 

New here to forums and was trying to figure out how to customise the settings on user sessions and this works a treat but i have a problem the day after in which i get an error as below everytime i open the settings.  settings does open behind this.   and when i remove the GPO and reset my profile and reboot the VDA i still get this now everytime, Anyone have any ideas why i am getting this?  Many thanks in advance