How to Lock Down Specific Settings Pages Using GPO on Windows 11 Pro
🔍 WiseChecker

How to Lock Down Specific Settings Pages Using GPO on Windows 11 Pro

by

Quick fix: Open gpedit.msc on Windows 11 Pro, navigate to User Configuration → Administrative Templates → Control Panel, and use Hide specified Settings page visibility with a colon-prefixed URI list (e.g., showonly:network;windowsupdate) to restrict access to specific pages.

You want users on a Windows 11 Pro workstation to be able to change display brightness and use the Bluetooth pairing dialog, but not touch network settings, Windows Update, or Privacy. Disabling the entire Settings app is too blunt — basic adjustments break. The right tool is the per-page policy that hides or whitelists specific Settings URIs.

Symptom: You want to restrict access to specific Settings pages on Windows 11 Pro while leaving others usable.
Affects: Windows 11 Pro/Enterprise with Group Policy access.
Fix time: 15 minutes.

ADVERTISEMENT

How the Settings page restriction works

Every page in the Settings app has a URI — ms-settings:network, ms-settings:windowsupdate, ms-settings:privacy, and so on. The Hide specified Settings page visibility policy accepts a list of these URIs (without the ms-settings: prefix) and either hides them entirely or shows only the listed ones. The policy applies at sign-in and survives reboots.

The list of valid URIs is in Microsoft’s documentation under “ms-settings: URI scheme reference.” Common ones: display, network, bluetooth, windowsupdate, recovery, privacy, signinoptions, defaultapps, storagesense, activation.

Method 1: Hide specific pages from users

  1. Press Win + R, type gpedit.msc, press Enter.
  2. Navigate to User Configuration → Administrative Templates → Control Panel.
  3. Open Settings Page Visibility and set it to Enabled.
  4. In the Settings Page Visibility field, enter hide:network;windowsupdate;privacy;activation.
  5. Click OK.
  6. Run gpupdate /force from an elevated terminal.
  7. Sign out and back in. Open Settings — the listed pages are gone from the left sidebar.

This is the hide list: anything in the list disappears; everything else remains visible.

ADVERTISEMENT

Method 2: Show only specific pages (whitelist)

For tighter control, invert the logic and show only the pages you allow.

  1. Open the same policy as in Method 1.
  2. In the field, enter showonly:display;sound;bluetoothdevices.
  3. Apply, run gpupdate /force, sign out and back in.
  4. Open Settings — the sidebar shows only Display, Sound, and Bluetooth devices. Everything else is hidden.

This is the most restrictive setting. Users can use what you allow and nothing else. For a shared-workstation kiosk role, this is the right approach.

Method 3: Apply via Intune for managed devices

For fleet management:

  1. Sign in to https://endpoint.microsoft.com.
  2. Navigate to Devices → Configuration profiles.
  3. Create a new profile: platform Windows 10 and later, profile type Settings catalog.
  4. Search for Settings Page Visibility and add it.
  5. Set the value to either hide:… or showonly:… with your URI list.
  6. Assign the profile to the affected group of devices or users.
  7. Force a sync on a target device and verify the Settings app reflects the policy.

Intune is the right path for any device that’s already enrolled. The policy follows the user across devices in the same group.

How to verify the fix worked

  • Open Settings as the affected user. Hidden pages are missing from the sidebar.
  • Try to navigate to a hidden page directly: press Win + R, type ms-settings:network. The Settings app opens but shows an empty page or refuses to switch.
  • Run gpresult /h gpresult.html as the affected user. Search the report for Settings Page Visibility — the configured value appears under Applied Settings.

If none of these work

If the policy is set but Settings still shows all pages, the policy is applying at the wrong scope — Settings Page Visibility is a User policy, not Computer. Make sure you’re editing it under User Configuration, not Computer Configuration. For Home edition users without gpedit, you can write the registry directly: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SettingsPageVisibility as a REG_SZ with the same value (hide:... or showonly:...). For domain-joined devices that ignore local GPO, an AD-pushed GPO at OU level supersedes local settings — check with gpresult which GPO is winning.

Bottom line: Settings Page Visibility is the right tool for restricting Settings without disabling it entirely. Use hide: when you want to remove a few sensitive pages; use showonly: when you want a kiosk-style minimal Settings experience.

ADVERTISEMENT

← Back to WiseChecker HomeMore in Windows & PC

🔍 Recommended for You