Prevent Users from Start Screen Customization using Intune Policy

In this post, you will see how you can prevent users from Start Screen Customization using Intune Policy. This policy setting allows you to prevent users from changing their Start screen layout.

You can customize what you see on the Start menu and taskbar, You can pin Store apps, programs, folders, drives, files, and websites to Start accessing what you use most quickly. You can also organize, group, and name categories of apps to how you like on the Start screen.

Start layout policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar.

When a full Start screen layout is imported with Group Policy or MDM, users can’t pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the All Apps view but can’t pin any apps to the Start screen.

Patch My PC

Microsoft recommends setting catalog profiles to create and manage security policies for all Intune managed Windows devices. The Intune Settings Catalog is the best place for all the policy settings in Intune.

Prevent Users from Start Screen Customization using Intune Policy

Let’s create an Intune Cloud Policy to prevent users from Start Screen Customization using Intune. You can use Intune cloud policy or Group Policy ADMX template policy setting to prevent users from changing their Start screen layout.

Adaptiva
  • Sign in to the Microsoft Intune Admin portal https://endpoint.microsoft.com/
  • Select Devices > Windows > Configuration profiles > Create profile.
Prevent Users from Start Screen Customization using Intune Policy Fig.1
Prevent Users from Start Screen Customization using Intune Policy Fig.1

In Create Profile, Select Platform, Windows 10, and later and Profile, Select Profile Type as Settings catalog. Click on Create button.

Prevent Users from Start Screen Customization using Intune Policy Fig.2
Prevent Users from Start Screen Customization using Intune Policy Fig.2

On the Basics tab, enter a descriptive name, such as Prevent Users from Start Screen Customization. Optionally, enter a Description for the policy, then select Next.

Prevent Users from Start Screen Customization using Intune Policy Fig.3
Prevent Users from Start Screen Customization using Intune Policy Fig.3

In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.

Prevent Users from Start Screen Customization using Intune Policy Fig.4
Prevent Users from Start Screen Customization using Intune Policy Fig.4

On the Settings Picker windows, Select Administrative\Start Menu and Taskbar to see all the settings in this category. Select Prevent users from customizing their Start Screen (User) below. After adding your settings, click the cross mark at the right-hand corner to close the settings picker. 

Note! In policy, use the search box to find specific settings. You can search by category or a keyword, such as Start Screen. It will display the related settings available.

Prevent Users from Start Screen Customization using Intune Policy Fig.5
Prevent Users from Start Screen Customization using Intune Policy Fig.5

Here you need to specify the settings either set to Enabled or Disabled based on your requirements. I am setting up enabled to lock start screen modifications.

This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps.

If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps.

Prevent Users from Start Screen Customization using Intune Policy Fig.6
Prevent Users from Start Screen Customization using Intune Policy Fig.6

Under Assignments, In Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.

Prevent Users from Start Screen Customization using Intune Policy Fig.7
Prevent Users from Start Screen Customization using Intune Policy Fig.7

In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.

In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.

A notification will appear automatically in the top right-hand corner with a message. You can see that Policy “Prevent Users from Customizing Start Screen” created successfully. The policy is also shown in the Configuration profiles list.

Prevent Users from Start Screen Customization using Intune Policy Fig.7.1
Prevent Users from Start Screen Customization using Intune Policy Fig.7.1

Your groups will receive your profile settings when the devices check in with the Intune service the policy applies to the device.

Intune Reporting

You can check Intune settings catalog profile report from Intune Portal, which provides an overall view of device configuration policies and deployment status.

To monitor the policy assignment, from the list of Configuration Profiles, select the policy, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.

Prevent Users from Start Screen Customization using Intune Policy Fig.8
Prevent Users from Start Screen Customization using Intune Policy Fig.8

Additionally, you can quickly check the update as devices/users check in status reports:

You can troubleshoot the basic security policy from the Intune admin center portal. One example is given below How To Start Troubleshooting Intune Issues from the server-side. The next level of troubleshooting is with MDM Diagnostics Tool to collect the log and information from the client side.

Intune MDM Event Log

The Intune event ID 814 indicates that a string policy is applied to Windows 10 or 11 devices. You can also see the exact value of the policy used on those devices. This is a user-based policy; hence you would be able to see the Current User and user’s SID details.

Here you can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.

MDM PolicyManager: Set policy string, Policy: (NoChangeStartMenu), Area: (ADMX_StartMenu), EnrollmentID requesting merge: (AA8AFEC1-DFE0-4917-B1A0-5024C7533127), Current User: (S-1-12-1-3186897695-1137825691-1845872004-278613382), String: (), Enrollment Type: (0x6), Scope: (0x1).
Prevent Users from Start Screen Customization using Intune Policy Fig.9
Prevent Users from Start Screen Customization using Intune Policy Fig.9

The registry is the next place you can check to confirm whether the registry entries are already created and applied or not.

You can use REGEDIT.exe on a target computer to view the registry settings that store group policy settings. These settings are located in the registry path. You can also get the registry information inside HKEY_LOCAL_MACHINE, as shown below.

Registry HiveHKEY_CURRENT_USER
Registry PathSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value NameNoChangeStartMenu
Value TypeREG_DWORD
Enabled Value1
Disabled Value0
Prevent Users from Start Screen Customization using Intune Policy Fig.10
Prevent Users from Start Screen Customization using Intune Policy Fig.10

End Users Experience

Once the policy is applied, when you log in to the system and click on Start Menu or under All Apps, you will not allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps.

Prevent Users from Start Screen Customization using Intune Policy Fig.11
Prevent Users from Start Screen Customization using Intune Policy Fig.11

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.