Let’s check how to disable control panel and PC settings using Intune. There is a group policy also available to prohibit access to Control Panel and PC Settings. In this post, we will see how to implement this for MEM Intune Managed devices easily.
The Intune Settings Catalog is the best place to go for all the policy settings in Intune (MEM). Microsoft recommends using setting catalog profiles to create and manage security policies for all Intune managed Windows devices.
The Settings app and the Control Panel are where users can go in and change a wide range of configurations. This can impact or create consistency in the user experience. The users would be able to change the system, network, account, and privacy settings. You can use this Policy from the MEM Intune admin center portal.
- Intune User Policy Troubleshooting Tips for Prevent Changing Theme MEM
- Disable PST Access to Outlook Profile using Intune MEM
- Intune Logs Event IDs IME Logs Details for Windows Client Side Troubleshooting
- Fix Azure AD PRT Primary Refresh Token Issue with Windows 10 21H2 or KB5006738
You can use the following policy to stop users from playing around with the control panel and settings app. This Policy disables all Control Panel programs and the PC settings app from Windows devices.
This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings or run any of their items.
- This setting removes Control Panel from: The Start screen File Explorer.
- This setting removes PC settings from The Start screen Settings charm Account picture
Disable Control Panel PC Settings Using Intune
Let’s try to Disable Control Panel PC Settings using Intune settings catalog. This Policy will help the admins to deliver a consistent experience with all the end-user devices. This Policy will help to prohibit access to Control Panel and PC Settings using Intune.
Let’s start creating the policy straightaway. You can perform registry changes to achieve the same results, but I won’t recommend doing the registry hack when a better option is available for you.
- Login to Endpoint Manager Intune portal https://endpoint.microsoft.com/#home
- Navigate to Devices -> Windows -> Configuration profiles.
- Click on +Create Profile.
In Create Profile blade, You can select Platform: Select Windows 10 and later and Profile: Select Settings catalog (preview). Don’t worry about the preview tag there near to settings catalog. Microsoft fully supports this type of policy.
Click on the Create button. For Example – You have to select the platform Windows 10 and later. You can enter the details such as the name of the Policy and settings in the next screens.
Once you click on Create button from the above page, you will need to enter the Name and Description of the setting catalog policy.
Enter the name of the policy Name – Prohibit access to Control Panel and PC Settings and click on the next button to continue. I recommend using detailed descriptions so that colleagues can easily understand the details.
You can click on the +Add Settings link to bring up the new blade of the policy configuration wizard. This link will help with a new blade called the Settings Picker with a search box.
Settings catalog – With the settings catalog, you can choose which settings you want to configure. Click on Add settings to browse or search the catalog for the settings you want to configure.
Prohibit access to the control panel and PC settings Policy
Settings picker is your search engine for Intune settings catalog policies. You can use commas “,” among search terms to lookup settings by their keywords. Also, you have the option to filter the settings catalog policies based on the Windows editions.
The keyword that I will use here to disable Control Panel and PC Settings is Prohibit access to Control Panel and PC Settings, or you can use Control Panel as the keyword. You will need to click on the search button to show the results.
You will need to click on the Administrative Templates Control Panel and pick the setting called “Prohibit access to Control Panel and PC Settings (User).” Make sure you have selected that Policy as shown in the screen capture.
Now, you can close the Settings Picker blade.
Now, you will need to block or disable the control panel and PC settings for a set of devices. You will need to click on the slide button to enable the prohibit access to the control panel and PC settings. Click on the next button to continue.
NOTE! – This is a user-based policy, so it’s better to deploy it to the Azure AD user group instead of the device group.
This section will help you assign the “prohibit access to the control panel and PC settings” Policy to the AAD User Group. You can refer to the following guide to Create Intune Settings Catalog Policy and deploy it only to a set of Intune Managed Windows 11 or Windows 10 devices using Intune Filters.
I used all users’ deployment as an example for this particular policy deployment. I want to disable Allow Workplace for all the users. You can click on the Next button and add the Scope Tags on the next page.
You will need to click on the next and create buttons to complete the policy creation process.
Intune MDM Event ID 814
The Intune event ID 814 indicates a STRING value is applied as part of this Policy on the Windows 11 or Windows 10 devices. You can also see the exact value of the Policy being applied on those devices.
You can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.
MDM PolicyManager: Set policy string, Policy: (NoControlPanel), Area: (ADMX_ControlPanel), EnrollmentID requesting merge: (D1E11663-BF69-4DD8-974A-BAD47E6EF433), Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), String: (), Enrollment Type: (0x6), Scope: (0x1).
Registry Entries for Disable Control Panel PC Settings
The Registry Entries for Disable Control Panel and PC Settings using the following registry key when you use MDM or Windows CSP or Intune.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\Providers\D1E11663-BF69-4DD8-974A-BAD47E6EF433\default\S-1-5-21-2901188661-3025291148-348095268-1124\ADMX_ControlPanel
- NoControlPanel – Enabled this means Control Panel and Settings apps will be disabled for Windows 10 and Windows 11 devices.
Conclusion Control Panel Restrictions
The implementation of the prohibit access to the control panel and PC settings policy was easy. Intune setting catalog workflow makes admin life easier.
The end-user experience can still see the settings app icon in the start menu (before and after logging off and restarting the PC). When I tried to open the control panel, a restrictions popup with the following message appeared.
Restrictions – When Control Panel is launched –The operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.
Settings App – No specific error or popups; the settings app didn’t get launched.
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………
Hi, wouldn’t this block access to sign in options as well though, what if a user needs to change their PIN, Windows Hello ?