
How to lock down the Settings app in Windows 10

Microsoft's streamlined Settings application lets users modify vital Windows 10 components. Here's how to prevent unauthorized changes to how the OS operates.


Since releasing Windows 8, Microsoft has modernized many of the commonly used applications that come pre-installed with each iteration of Windows. The Settings app is a perfect example: Microsoft did not just redesign it but completely rewrote the application that handles configuration changes affecting users on the computer and, in some cases, how the computer behaves.

While the Control Panel is still available, Microsoft defaults to Settings as the means of controlling the OS's configuration. Any user on the computer can open the Settings app to modify critical (and not so critical) settings. Many of these settings, though not all, affect other users or the way the computer itself operates.


This can pose issues for multi-user setups where more than one user works from a machine. Even in single-user environments, it would behoove systems administrators to lock down unnecessary panes in addition to securing those panes that IT specifically wishes to keep out of the hands of end users. Luckily, as of Windows 10 build 1703, Microsoft added the required policy templates to Group Policy to prevent unauthorized access to individual panes or to the entire Settings app (Figure A).


Lock down individual Settings panes through Group Policy

1. Launch the Group Policy Management Console (GPMC). Make sure you do so with an account that has rights to edit the policy.

2. Navigate to Computer Configuration | Administrative Templates | Control Panel, and locate the Settings Page Visibility policy. Select the Enabled radio button, and the text box under Options will become editable.

3. This policy works in one of two modes: it can either show only a specified list of pages, or hide a specified list of pages. Put the prefix "showonly:" or "hide:" before the page names, and the listed pages will be shown or hidden accordingly. To specify multiple pages, separate the ms-settings names with semicolons.

4. In this case, to configure the policy to show only the Gaming DVR, Apps, and Wi-Fi (under Network & Internet) panes, enter the following ms-settings line into the text box, then click Apply and OK to save the changes:

showonly:gaming-gamedvr;appsfeatures;network-wifi

(Figure B)


5. In Active Directory environments, these changes take effect once the device performs a background update. To apply them immediately, run the following command:

gpupdate /target:computer

(Figure C)


Lock down individual Settings panes through the Registry

1. Launch the registry editor (Regedit.exe).

2. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

3. Create a new string value named "SettingsPageVisibility". Set its data to the prefix and ms-settings names you wish to show or hide, in the same format used in step 4 of the previous section (Figure D).

4. These changes commit to the system immediately. There is no need to run any further commands, because the registry is edited directly.
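The registry steps above can be scripted so that the value is checked before it is written. The following PowerShell is an added example, not part of the original article: the function names are hypothetical, the sample inputs are constructed, and the rule that page names contain only letters, digits, hyphens and underscores is an assumption based on the names shown in step 4 of the Group Policy section.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Function names are hypothetical.

function Test-SettingsPageVisibility {
    param([Parameter(Mandatory)][string]$Value)
    # Accept only the two prefixes the article gives, written as it writes them.
    if ($Value -cmatch '^(showonly|hide):(.+)$') {
        foreach ($page in ($Matches[2] -split ';')) {
            # Assumption: page names use only letters, digits, '-' and '_'.
            # This also rejects empty entries and a pasted "ms-settings:" prefix.
            if ($page -notmatch '^[A-Za-z0-9_-]+$') { return $false }
        }
        return $true
    }
    return $false
}

function Set-SettingsPageVisibility {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Value)

    if (-not (Test-SettingsPageVisibility -Value $Value)) {
        throw "Refusing to write malformed policy value: '$Value'"
    }
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name = 'SettingsPageVisibility'
    if ($PSCmdlet.ShouldProcess("$key\$name", "Set to '$Value'")) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -Value $Value `
            -PropertyType String -Force | Out-Null
        # Read the value back so the caller can confirm what was stored.
        (Get-ItemProperty -Path $key -Name $name).$name
    }
}

# Constructed inputs: the first is the article's value, the others are common slips.
'showonly:gaming-gamedvr;appsfeatures;network-wifi',
'showonly:ms-settings:network-wifi',
'hide network-wifi' | ForEach-Object {
    '{0,-55} valid={1}' -f $_, (Test-SettingsPageVisibility -Value $_)
}

# Dry run: reports what would be written without touching the registry.
Set-SettingsPageVisibility -Value 'showonly:gaming-gamedvr;appsfeatures;network-wifi' -WhatIf
```

Drop `-WhatIf` from the last line to write the value; the function then returns the string it reads back from the key.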

Note: Microsoft has a write-up documenting the ms-settings names for the different sections and the individual panes contained within a section. It is also possible to block only certain pages within a pane: list the names of those pages alongside the names of the category panes themselves to show or hide them, as needed.


About Jesus Vigo

Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from seve...
