End users are prevented from accessing admin options like Server manager, Power shell, Administrative Tools, etc. when connected to their cloud desktop session. Some of these options, however, still appear as visible for them in the Start menu. When users click them, they are blocked from accessing these tools.
There may be reasons you want to hide them completely from your users and in such case follow the below steps.
In server 2016 you can customize a users Start menu layout through GPO by creating an xml file based on a layout you create. Below are the steps needed in order to create the xml file and then to push it out through GPO for your users.
This is the default Server 2016 start menu layout:
After removing (by right clicking the tile and selecting remove) and adding the shortcuts I want to show up as tiles in the start layout, it will look something like this:
Once you have the Start menu looking how you want it, you will need to create a folder and share it out to everyone with read permissions. For the purpose of this article I created the share on the root of the C:\ drive on the session host but you can use any share location you want.
Create the folder:
Give it any name you would like:
Share the folder out to all your users:
Once the share is ready, open Powershell and run the following command:
Export-StartLayout -Path "C:\layouts\demo-layout.xml"
Export-StartLayout -Path "\\share-path\demo-layout.xml"
This command creates the xml file based on the layout you set earlier. You can export the xml file to a local folder or shared location. The file itself will look something like this when opened:
Log into your DC and launch the group policy management console and create a new GPO:
Once the GPO is created, right click on it and edit it:
The settings you will be configuring can be set to both the user and the computer. How you want to manage the policy is up to you but please be aware that if you create a computer based policy, the GPO will apply to everyone that logs into the server, admins included.
The setting for the user policy is called Start Layout and is located at:
User Configuration > Administrative Templates >Start Menu and Taskbar
The setting for the computer policy is called Start Layout and is located at:
Computer Configuration > Administrative Templates >Start Menu and Taskbar
After choosing which policy you want to apply, right click on Start Layout and click on edit. Once the policy window is open select on Enabled and in the Start Layout File type in the network path of the xml file and click OK:
Once the policy is configured, link it to the OU where your users or terminal servers are:
Next time your users log in they will have a start menu layout with the tiles you set up for them.
If you need to update the layout, just configure the Start menu like you did at the beginning of the guide with the new tiles you want showing up or remove any unwanted tiles, run the same powershell command as above to replace the old xml file and the GPO will take care of updating the Start layout.