Windows 10 / Server 2016 Group Policies for Customising Settings

[glenimp617]

This is a royal pain,

Has anyone been able to hide options from the new look settings panel, or at least lock them down to stop users messing about?

The ones I'm struggling with (there are many)

Personalization > Colors > High Contrast Settings
Time & Language > Region & Language > Add a Language

If anyone could point me in the direct of some white paper, or guide to follow at least I'll know the area to be looking in. I've manage to lock down some parts, but savvy users can find other ways in.

Thanks!!

 

[glenimp617]

I'm starting to understand that the majority of settings can only be changed in the registry. Gotta love Microsoft

 

[TechMinerUK]

I'm starting to understand that the majority of settings can only be changed in the registry. Gotta love Microsoft

Microsoft wont let us remove those bloatware Windows 10 apps with GPO so this doesn't seem like a shock

 

[glenimp617]

Microsoft wont let us remove those bloatware Windows 10 apps with GPO so this doesn't seem like a shock

after months of messing about, we have now decided upon Ltsb 1607

it's Windows 10 without the rubbish

still struggling with the group policies, but managed to get 95% of it sorted. There are some settings which simply can't be changed.

 

[Saundie]

I have only recently come to learn that Microsoft are opposed to the LTSB being used in such a manner;

LTSB is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the CB or CBB servicing branch.

General-purpose Surface devices running Long-Term Servicing Branch (LTSB) are not supported. As a general guideline, if a Surface device runs productivity software, such as Microsoft Office, it is a general-purpose device that does not qualify for LTSB and should instead run Current Branch (CB) or Current Branch for Business (CBB).

I'm not sure if "not supported" means that they'll actively refuse to assist you with a problem with Windows 10 on a Surface device, or just that they don't recommend it. We have the 2015 LTSB on all of our Surface Pros and it works fine, but having seen the "WaaS overview" article on Technet, I'm no longer sure whether we can continue to use the LTSB. As a result, I'm now investigating exactly what you were doing initially; removing the crap from the "normal" Windows 10, hiding all the things we don't want users messing around with, and configuring it to use the so called "Current Branch for Business"

 

[glenimp617]

I think Microsoft would say that, as LTSB is without any universal apps (which Microsoft are heavily pushing).

LTSB is the best version of Windows 10 IMHO.

 

[Saundie]

I agree, and I am quite content with our LTSB image, but I am not sure if we can ignore Microsoft's warnings that LTSB "is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices". The more I look into managing the consumer Windows 10 in an enterprise, the more I'm inclined to stick with the LTSB.

It's frustrating that Microsoft have decided to force this Windows as a Service idea on us. It might make sense for home users, but I can't see businesses embracing the extra support overhead it brings. Thankfully we're sticking with Windows 7 for the majority of our systems...

 

[glenimp617]

Here's a great tip I've been using this week to customise w10 and s2016. MS are lazy and you can't do much through group policies so you have to change registry keys. The issue is that some of these keys are now different from what they were in 2012 so looking on google doesn't always help.

Download a program called regshot and launch the x86-ansicode exe on the s2016 server. Click on shot1, then make your changes. Click on shot2 then compare. You'll see a text file with all the registry changes so you can find which key is responsible for the change. You can then apply this in a gpo.