In this post, you will see how to prevent users from customizing the Start screen using an Intune policy. This policy setting allows you to prevent users from changing their Start screen layout.
You can customize what you see on the Start menu and taskbar. You can pin Store apps, programs, folders, drives, files, and websites to Start to quickly access what you use most. You can also organize, group, and name categories of apps the way you like on the Start screen.
Start layout policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar.
When a full Start screen layout is imported with Group Policy or MDM, users can’t pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the All Apps view but can’t pin any apps to the Start screen.
Microsoft recommends Settings catalog profiles to create and manage security policies for all Intune-managed Windows devices. The Intune Settings Catalog is the best place for all the policy settings in Intune.
Prevent Users from Start Screen Customization using Intune Policy
Let’s create an Intune cloud policy to prevent users from customizing the Start screen. You can use either an Intune cloud policy or the Group Policy ADMX template policy setting to prevent users from changing their Start screen layout.
- Sign in to the Microsoft Intune Admin portal https://endpoint.microsoft.com/
- Select Devices > Windows > Configuration profiles > Create profile.
In Create Profile, select Windows 10 and later as the Platform and Settings catalog as the Profile type. Click the Create button.
On the Basics tab, enter a descriptive name, such as Prevent Users from Start Screen Customization. Optionally, enter a Description for the policy, then select Next.
In Configuration settings, click Add settings to browse or search the catalog for the settings you want to configure.
In the Settings picker window, select Administrative\Start Menu and Taskbar to see all the settings in this category. Select Prevent users from customizing their Start Screen (User) below. After adding your settings, click the cross mark at the right-hand corner to close the settings picker.
Note! In the policy, use the search box to find specific settings. You can search by category or a keyword, such as Start Screen. It will display the related settings available.
Here you need to set the policy to either Enabled or Disabled based on your requirements. I am setting it to Enabled to lock Start screen modifications.
This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps.
If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps.
Under Assignments, in Included groups, click Add groups and then choose Select groups to include one or more groups. Click Next to continue.
In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned.
A notification will appear automatically in the top right-hand corner with a message. You can see that Policy “Prevent Users from Customizing Start Screen” created successfully. The policy is also shown in the Configuration profiles list.
Your groups will receive your profile settings when the devices check in with the Intune service, and the policy then applies to the device.
To monitor the policy assignment, from the list of Configuration Profiles, select the policy, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.
Additionally, you can quickly check the device and user check-in status reports as they update:
You can troubleshoot the basic security policy from the Intune admin center portal. One example, from the server side, is given in How To Start Troubleshooting Intune Issues. The next level of troubleshooting is to use the MDM Diagnostics Tool to collect logs and information from the client side.
Intune MDM Event Log
The Intune event ID 814 indicates that a string policy is applied to Windows 10 or 11 devices. You can also see the exact value of the policy used on those devices. This is a user-based policy; hence you would be able to see the Current User and user’s SID details.
Here you can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – DeviceManagement-Enterprise-Diagnostics-Provider – Admin.
MDM PolicyManager: Set policy string, Policy: (NoChangeStartMenu), Area: (ADMX_StartMenu), EnrollmentID requesting merge: (AA8AFEC1-DFE0-4917-B1A0-5024C7533127), Current User: (S-1-12-1-3186897695-1137825691-1845872004-278613382), String: (), Enrollment Type: (0x6), Scope: (0x1).
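To run the same check from PowerShell instead of Event Viewer, the added example below (not part of the original post) parses the Event ID 814 message format shown above and then queries the Admin log for this policy. The function name ConvertFrom-MdmPolicyMessage is hypothetical; the sample message is the one quoted in this post.

```powershell
# Added example: confirm the NoChangeStartMenu policy from the MDM Admin event log.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Hypothetical helper: turns the "Name: (value)" pairs of an 814 message into an object.
function ConvertFrom-MdmPolicyMessage {
    param([Parameter(Mandatory)][string]$Message)

    $fields = @{}
    # The value may be empty, as in "String: ()", so [^)]* must allow zero characters.
    $pattern = '(?<name>[A-Za-z ]+?):\s*\((?<value>[^)]*)\)'
    foreach ($m in [regex]::Matches($Message, $pattern)) {
        $fields[$m.Groups['name'].Value.Trim()] = $m.Groups['value'].Value
    }

    [pscustomobject]@{
        Policy         = $fields['Policy']
        Area           = $fields['Area']
        UserSid        = $fields['Current User']
        EnrollmentId   = $fields['EnrollmentID requesting merge']
        EnrollmentType = $fields['Enrollment Type']
        Scope          = $fields['Scope']
    }
}

# Offline check against the message text quoted in this post.
$sample = 'MDM PolicyManager: Set policy string, Policy: (NoChangeStartMenu), ' +
          'Area: (ADMX_StartMenu), EnrollmentID requesting merge: ' +
          '(AA8AFEC1-DFE0-4917-B1A0-5024C7533127), Current User: ' +
          '(S-1-12-1-3186897695-1137825691-1845872004-278613382), String: (), ' +
          'Enrollment Type: (0x6), Scope: (0x1).'
ConvertFrom-MdmPolicyMessage -Message $sample | Format-List

# On a managed device: list every 814 event that set this policy, newest first.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 814 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ADMX_StartMenu' -and $_.Message -match 'NoChangeStartMenu' } |
    ForEach-Object {
        ConvertFrom-MdmPolicyMessage -Message $_.Message |
            Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    } |
    Sort-Object TimeCreated -Descending
```

If the live query returns nothing, the device has not yet received the policy or the log has rolled over; compare the UserSid column with the signed-in user, since this is a user-scoped setting.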
The registry is the next place you can check to confirm whether the registry entries are already created and applied or not.
You can use REGEDIT.exe on a target computer to view the registry settings that store group policy settings. These settings are located in the registry path. You can also get the registry information inside HKEY_LOCAL_MACHINE, as shown below.
End Users Experience
Once the policy is applied, when users log in to the system and click on the Start Menu or All Apps, they will not be able to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode, or rearrange tiles within Start and Apps.
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.