Windows 2016 server and Group Policy on Windows 10 Computer; blocking settings problem


Feb 1, 2012
So Microsoft really screwed up Windows domain users for Windows 10 computers. I am setting up a Group Policy for students at our school and the problem I am facing is the Metro UI settings vs the Control Panel (Windows 7) settings. The Group Policy Control Panel settings will block users from accessing the things you don't want them to through Control Panel; but if a user opens the Metro UI settings they almost have every update and security feature available still. Through the Metro UI settings the user has access to Windows updates (even though I blocked them), backup settings, system restart and restore settings, system activation settings, and also developer option settings. Honestly, I don't care so much about Windows updates (I prefer users not to update, but they're kids...). My biggest concern is that the setting to reboot the computer in advanced startup mode is open to them; this could allow a kid to really mess up a computer. There is a GPO setting that disables the settings and control right out; but then basic needed settings functions are removed... The Metro UI really freaking sucks! It's a major security concern. The ideal would be keeping the Control Panel with limited functionality and disabling the Metro UI settings; but I don't think the GPO has that setting? Does anyone know a workaround?? Or even a script that could run at login to disable the Metro Setting UI?? Thanks in advance!
I'm trying to track... you have Windows 10 systems you're trying to lock down? You're using group policy set at the domain level (or local level)? You think you're getting a partial application of group policy... on one system or numerous?

Would you be kind enough to restate what you're trying to do without all of the personal attacks on the O/S? What is it you're trying to accomplish, what specific settings are you trying to remove from general users? And... are your users domain users, generic/anonymous users (e.g., shared account), local users, or something else?

I have multiple domain users under a school student domain group. That group is then under a GPO, so all the GPO settings are being applied to whatever user I put under the domain student group. The GPO works just fine and the settings I am enabling are working correctly. The problem is I have no way of limiting the domain users from accessing the Metro UI Settings in Windows 10. Through my GPO I have limited the domain users' access to certain settings through the Control Panel, but it doesn't really stop users from accessing them through Windows 10 Metro UI settings. I blocked Windows Updates through the GPO but the domain users can still update the computers through the Metro UI Settings. My need is to block the domain users from being able to either access the Metro UI Settings altogether or stop them from being able to update the computer through it.