Today a short blog post about how we can hide settings pages in Windows 10 using Microsoft Intune. In Windows 10, more and more settings are moving from the old Control Panel to the Settings app, and sometimes you want to hide one or a few of those pages on your Intune-managed Windows 10 devices.
Using a Device Configuration profile it is pretty simple to hide a complete area of settings pages (like Accounts or Gaming) or even completely block access to the settings app as shown in the print screen below.
If we use the profile as shown above, the end result is that the Accounts and Gaming areas are removed from the Settings app.
But how about only hiding a few of those pages, or only showing a few of those instead of hiding a complete settings area?
If we take a look at the MDM Diagnostics Report on a device on which the above policy is applied, we see the actual policy which is applied to the device. Just one setting is applied, PageVisibilityList, with a list of pages which are hidden.
If we have a look at the documentation about this CSP setting, we can see the setting is available on Windows 10 1703 and newer devices. It also tells us we can use it as a device or user policy and that we have two different modes. We can use hide as shown in the above print screen and we can use showonly. When using hide we only hide the pages we set in the policy. When using showonly, only the pages which are set in the policy are shown.
The corresponding URIs of the settings pages can be found on this list.
Now move on to Intune to create a configuration policy to apply this setting.
Create Custom Intune policy
Because this option is not available in the Device Management Portal, we need to create a Custom policy in Intune to apply this setting.
- Sign-in to the Device Management Portal
- Click Device Configuration
- Click Profiles
- Click Create Profile
- Give the configuration a Name
- Give the configuration a Description (Optional)
- Choose Windows 10 and later as Platform
- Choose Custom as Profile type
- Click the Configure tab
- Click Add to add an OMA-URI
On this page we need to add the OMA-URI settings which are available in the documentation.
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList
Data Type: String
Value: see the two examples below
To only show a few pages:
showonly:personalization-start;display;personalization-background;printers
To only hide a few pages:
hide:workplace;recovery
When finished, click OK twice and click Create.
- Click the Assignments tab
- Search for the security group you want to assign the configuration to
- Click Save
End-user experience
When the showonly mode from the example is used, the settings start page shows only the settings areas which contain the pages you set in the policy.
When you click, for example, on Devices, only the Printers page is shown.
When the hide mode from the example is used, most of the settings areas are shown and when we have a look at the Accounts area, we see only Access school or work is hidden.
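A small pre-deployment check for the PageVisibilityList value, modelling the hide and showonly behaviour described above. This is an added example, not part of the original post or of Intune; the function names are hypothetical, and it assumes the lowercase prefixes and the semicolon delimiter used in the two example values, with page identifiers being the ms-settings: URI without the scheme.

```python
import re

MODES = ("hide", "showonly")        # the two modes of the CSP setting
_BAD_CHARS = re.compile(r"[\s:,]")  # whitespace, leftover scheme, ',' used as delimiter


def parse_page_visibility(value):
    """Return (mode, pages) for a PageVisibilityList value; raise ValueError if malformed."""
    mode, sep, body = value.partition(":")
    if not sep or mode not in MODES:
        raise ValueError("value must start with 'hide:' or 'showonly:'")
    pages = []
    for page in body.split(";"):
        if not page:
            raise ValueError("empty page identifier (empty list or stray ';')")
        if page.lower().startswith("ms-settings:"):
            raise ValueError(f"drop the 'ms-settings:' scheme from {page!r}")
        if _BAD_CHARS.search(page):
            raise ValueError(f"unexpected character in page identifier {page!r}")
        pages.append(page.lower())
    return mode, pages


def is_page_visible(value, page):
    """hide removes the listed pages; showonly keeps only the listed pages."""
    mode, pages = parse_page_visibility(value)
    listed = page.lower() in pages
    return listed if mode == "showonly" else not listed


if __name__ == "__main__":
    # The two values from this post, plus constructed malformed ones.
    samples = [
        "showonly:personalization-start;display;personalization-background;printers",
        "hide:workplace;recovery",
        "hide:ms-settings:workplace",  # constructed: scheme left in
        "workplace;recovery",          # constructed: mode prefix missing
        "hide:workplace,recovery",     # constructed: wrong delimiter
    ]
    for s in samples:
        try:
            print("OK ", parse_page_visibility(s))
        except ValueError as err:
            print("BAD", repr(s), "->", err)
```

With showonly, a page that is missing from the value is hidden; with hide, a page that is missing from the value stays visible, so a typo in a hide list leaves that page reachable.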
3 Comments
Can you hide settings and control panel for normal users but have run as admin option as well?
As you can read in the docs the setting supports device and user Scope: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist
So you should be able to use
./User/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList and assign it to a group of users (which doesn’t include admins).
Thanks, is there a custom rule for control panel as well?