In a locked down Windows environment, it is a best practice to hide specific control panel items for those functions that can’t or shouldn’t be performed by an end user.
With a RES WM “User registry” object, you can use “control.admx” to load the policy template to configure these settings.
In the “List of allowed control panel items” the Canonical name of the Control panel items should be entered.
So far so good. But it wasn’t working in my environment…
With this configuration active in RES Workspace Manager 2014, still all control panel items were shown.
When looking in the registry of a logged in user, these registry key’s were present:
The registry hive “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictCpl” is set by the policy.
As stated in this MS Technet article, “The Hide specified control panel applets policy takes precedence over the Show only specified control panel applets policy.”
The entries in the “DisallowCpl” hyve are:
What about the “…\DisallowCpl”? Where does it come from?
The “villan” here, appears to be the setting “Disable Add/Remove programs” at Composition -> Desktop -> Lockdown and behaviour:
This setting will result in the “Disallow” hive.
Logging in, with this setting unchecked, only the specified items in the control panel were visible. Everything is working as expected…