If you don’t want Standard users to launch the Control panel and make any changes to PC Settings, you can use a setting available in the Intune Settings Catalog called “Prohibit access to Control Panel and PC settings (User)” This policy is applicable on Intune-managed Windows 10 and Windows 11 devices.
Once this policy is applied, the user will be restricted from launching the control panel, Settings app, or altering any PC settings, such as the desktop background, display settings, or accessing the Device Manager. You can implement this restriction by creating a device configuration profile and targeting users for its application.
This setting blocks Control.exe and SystemSettings.exe, preventing users from launching the Control Panel, Settings app, or running any associated items.
Table of Contents
Create a Device Configuration Profile
Now that we understand the policy setting and its impact, let’s proceed with the following steps to create a device configuration profile:
- Login on Microsoft Intune admin center
- Click on Devices > Configuration profiles
- Click on + Create profile
- Platform: Windows 10 and later
- Profile type: Settings Catalog
Basics tab
- Provide a Name and Description of the policy.
Click Next.
Configuration settings tab
- On the Configurations tab > Click Add settings
- Using Settings Picker, search for “prohibit“
- Click on the Category Administrative Templates\Control Panel and select “Prohibit access to Control Panel and PC settings (User)“.
- Use the toggle switch to Enable this policy. Click Next.
- On Scope tags, Click Next
- Assignments – Assign this profile to an Azure AD group containing Users. Click Next.
- Review + create – Review the profile and click on Create.
End-user Experience
Users will encounter the following error message when attempting to open the Control Panel, Settings app, or any Settings items. The screenshot below illustrates the error message when right-clicking on the desktop and selecting Personalize.
