Since releasing Windows 8, Microsoft has modernized many of the commonly-used applications that come pre-installed with each iteration of Windows. The Settings app is a perfect example of this, not just redesigning but completely rewriting the application that handles configuration changes that affect users on the computer and in some cases, how the computer behaves.

While the Control Panel is still available, Microsoft defaults to using Settings as the means of controlling the OS’s configuration. With this in mind, the Settings app can be used by any user on the computer to modify critical (and not so critical) settings. Not all — but many — of these settings do impact other users or the way in which the computer operates itself.


This can pose issues for multi-user setups where more than one user works from a machine. Even in single-user environments, it would behoove systems administrators to lock down unnecessary panes in addition to securing those panes which IT specifically wishes to keep out of the hands of end users. Luckily, as of Windows 10 build 1703, Microsoft added the required policy templates to Group Policy to prevent unauthorized access to individual panes or to the entire Settings app (Figure A).

Lock down individual Settings panes through Group Policy

1. Launch the Group Policy Management Console (GPMC). Make sure you do so with an account that has rights to edit the policy.

2. Navigate to Computer Configuration | Administrative Templates | Control Panel, and locate the Settings Page Visibility policy. Select the Enabled radio button, and the text box under Options will become editable.

3. This policy works in one of two modes: it can either show only a specified list of pages, or hide a specified list of pages from view. The prefix placed before the list of page names, “showonly:” or “hide:”, determines whether the listed items are shown or hidden. Multiple pages can be specified by separating the ms-settings names with a semicolon.

4. In this case, to configure the policy to show only the Gaming DVR, Apps, and Wi-Fi (under Network & Internet) panes, enter the following ms-settings line into the text box, then click Apply and OK to save the changes:


showonly:gaming-gamedvr;appsfeatures;network-wifi

(Figure B)

5. In Active Directory environments, these changes take effect once the device performs a background update. To force an immediate update, run the following command:


gpupdate /target:computer

(Figure C)

Lock down individual Settings panes through the Registry

1. Launch the registry editor (Regedit.exe).

2. Navigate to the following key:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

3. Create a new string value titled “SettingsPageVisibility”. Modify the string value to include the ms-settings names you wish to show or hide, using the same format as in step 4 of the previous section (Figure D).

4. These changes commit immediately to the system; no further commands are needed because the registry is edited directly.

Note: Microsoft has a write-up documenting the ms-settings names for the different sections and the individual panes contained within a section. Also of note, it is possible to block only certain pages within a pane by listing the names of those pages alongside the names of the category panes themselves, to either show or hide them as needed.
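
The registry procedure above, scripted as an added example (not from the original article): it checks the format of the policy string before writing it to the key and value named in step 3, then reads the stored value back. The function names and the allowed-character check on page names are assumptions made for this example.

```powershell
# Added example, not part of the original article.
# Run from an elevated PowerShell session (HKLM requires administrator rights).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'SettingsPageVisibility'

function Test-SettingsPageVisibility {
    param([Parameter(Mandatory)][string]$Policy)
    # Exactly one prefix ("showonly:" or "hide:") followed by the page list.
    if ($Policy -notmatch '^(showonly|hide):(.+)$') { return $false }
    # Assumption: page names contain only letters, digits and hyphens, so a
    # leftover "ms-settings:" scheme, a space or an empty entry fails here.
    foreach ($page in ($Matches[2] -split ';')) {
        if ($page -notmatch '^[a-z0-9-]+$') { return $false }
    }
    return $true
}

function Get-SettingsPageVisibility {
    # Returns the stored policy string, or $null when the value is not set.
    (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
}

function Set-SettingsPageVisibility {
    param([Parameter(Mandatory)][string]$Policy)
    if (-not (Test-SettingsPageVisibility -Policy $Policy)) {
        throw "Rejected malformed policy string: '$Policy'"
    }
    # Create the Explorer policy key if it does not exist yet.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Step 3 of the procedure: a string value named SettingsPageVisibility.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Policy `
        -PropertyType String -Force | Out-Null
    # Read back what is actually stored so it can be logged or compared.
    Get-SettingsPageVisibility
}

# Record the previous state, then apply the value from step 4 of the GPO section.
"Previous value: $(Get-SettingsPageVisibility)"
Set-SettingsPageVisibility -Policy 'showonly:gaming-gamedvr;appsfeatures;network-wifi'
```

Running `Get-SettingsPageVisibility` on its own is a quick way to audit which machines already carry the restriction and whether the stored string matches the intended baseline.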
