If you don’t want Standard users to launch the Control Panel and make any changes to PC Settings, you can use a setting available in the Intune Settings Catalog called Prohibit access to Control Panel and PC settings (User). This policy applies to Intune-managed Windows 10 and Windows 11 devices.
Once this policy is applied, the user will be restricted from launching the control panel or Settings app or altering any PC settings, such as the desktop background, display settings, or accessing the Device Manager. You can implement this restriction by creating a device configuration profile and targeting users for its application.
This setting blocks Control.exe and SystemSettings.exe, preventing users from launching the Control Panel or Settings app or running any associated items.
Table of Contents
Create a Device Configuration Profile
Now that we understand the policy setting and its impact let’s proceed with the following steps to create a device configuration profile:
- Sign in to the Intune admin center.
- Click on Devices > Configuration > Create > New Policy.
- Platform: Windows 10 and later.
- Profile type: Settings Catalog.
Basics tab
- Provide a Name and Description of the policy.
Click Next.
Configuration settings
- On the Configurations tab > Click Add settings.
- Using Settings Picker, search for prohibit.
- Click on the Category Administrative Templates\Control Panel and select Prohibit access to Control Panel and PC settings (User).
- Use the toggle switch to Enable this policy. Click Next.
- On Scope tags, Click Next
- Assignments – Assign this profile to an Azure AD group containing Users. Click Next.
- Review + create – Review the profile and click on Create.
End-user Experience
Users will encounter the following error message when opening the Control Panel, Settings app, or any Settings items. The screenshot below illustrates the error message when right-clicking on the desktop and selecting Personalize.
