Prohibit Access to Control Panel and PC Settings using Intune
Let’s learn how to prohibit access to Control Panel and PC Settings using Intune. You can block or disable control panel and disable PC settings using Intune (MEM).
On a Windows computer, there are multiple ways to disable access to control panel and PC settings. For example, you can disable control panel using group policy on your computers.
If one has to manually block Control Panel on a PC, the registry method is the easy one. However, this method involves modifying registry keys. If you are managing your devices using an MDM solution such as Intune, you can block access to Control Panel and PC settings easily via Settings Catalog.
What happens when you Disable Control Panel and PC settings?
When you deploy Intune prohibit access to control panel and PC settings, it disables all Control Panel programs and the PC settings app. This setting blocks Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items.
With Control.exe and SystemSettings.exe blocked from launching, the user can neither open Control Panel nor make any changes to the PC via PC settings.
The Intune Settings Catalog helps you to disable access to Control Panel and PC Settings for users. You can create and manage security policies for all Intune managed Windows devices with settings catalog.
Steps to Prohibit Access to Control Panel and PC Settings using Intune
Using Intune Settings Catalog, you can prohibit access to Control Panel and PC settings with the following steps. We will now create a new device configuration profile.
Sign-in to Microsoft Endpoint Manager admin center. Go to Devices > Configuration Profiles. To create a new policy, select Create Profile.
This new profile will apply for Windows 10 and later OS. The Profile type that we have selected here is Settings Catalog. Click Create.
On the Create Profile window, specify the name of the profile as “Prohibit Access to Control Panel and PC Settings using Intune”. You can add a brief description of what this policy is all about. Click Next.
As mentioned earlier, with settings catalog, you can choose which settings you want to configure. You can include multiple settings in a profile and deploy it to computers. To define new settings for the profile, select Add Settings.
You will be presented with Settings Picker window where you have to select the settings to disable control panel and PC settings for your computer.
In the search box, type “Prohibit Access to Control Panel and PC Settings” and click Search. Under Browse by category, select Administrative Templates\Control Panel.
Select the setting Prohibit Access to Control Panel and PC Settings (User) and close the Settings Picker window.
You will need to enable the setting Prohibit Access to Control Panel and PC Settings (User). Move the slider to Enabled. Click Next to continue.
On the Assignments tab, include the groups that you want to target with this policy. Always select a test user group or pilot users first, so that you can test how the policy works before deploying it to a wider group.
Selecting scope tags is optional, and you may skip them. Click Next.
On the Review+Create tab, you can review the settings that you defined so far. Ensure all the settings are correct and select Create.
After you create the policy, a notification will appear shortly that confirms the policy has been created. You should see something like this – Policy “Prohibit Access to Control Panel and PC Settings using Intune” created successfully. You can close the notification.
After you have created the policy, wait for a few minutes while the policy gets applied to the user group. You can monitor the deployment by selecting the policy and reviewing the Device and user check-in status.
On my Windows 11 laptop, I see the policy settings have been applied. When Control Panel is launched, you immediately see the error below.
This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
If you launch the PC settings app, you should see the same error as described above. The Settings app may launch and disappear immediately. If you attempt to launch sysdm.cpl via the Run command, it shows that the operation has been cancelled due to restrictions.
Control Panel Blocked via Intune – Event ID 814
When you prohibit access to Control Panel and PC Settings using Intune, the Windows device logs the following details in the event viewer with event ID 814.
Event ID 814 confirms that the MDM client received a policy update from the server and successfully applied it on the Windows 10 or Windows 11 computer.
MDM PolicyManager: Set policy string, Policy: (NoControlPanel), Area: (ADMX_ControlPanel), EnrollmentID requesting merge: (8F80A159-63EF-4141-BA76-FE6D85B4D9E2), Current User: (S-1-12-1-2085253464-1182808814-933472934-2715377099), String: (), Enrollment Type: (0x6), Scope: (0x1).
To review event ID 814, launch the Event Viewer on the Windows computer. In the Event Viewer, go to Applications and Services Logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin.
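The same check can be run from PowerShell on the device. This is an added example, not part of the original article: it pulls event ID 814 entries for NoControlPanel from the log named above, parses the fields seen in the sample message, and reads the NoControlPanel value that the Group Policy template for this setting writes under HKCU. The function name ConvertFrom-PolicyManagerMessage is made up for this example.

```powershell
# Added example: confirm the NoControlPanel policy reached this device.
# Run in the session of the targeted user (the policy is user-scoped).
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function ConvertFrom-PolicyManagerMessage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Message)
    # Field layout follows the event 814 message text shown in the article.
    $pattern = 'Policy: \((?<Policy>[^)]*)\), Area: \((?<Area>[^)]*)\), ' +
               'EnrollmentID requesting merge: \((?<EnrollmentId>[^)]*)\), ' +
               'Current User: \((?<UserSid>[^)]*)\).*?Scope: \((?<Scope>[^)]*)\)'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Policy       = $Matches.Policy
            Area         = $Matches.Area
            EnrollmentId = $Matches.EnrollmentId
            UserSid      = $Matches.UserSid
            Scope        = $Matches.Scope
        }
    }
}

# 1. Look for event 814 entries that set the NoControlPanel policy.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 814 } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*(NoControlPanel)*' })

if ($events.Count -eq 0) {
    Write-Warning 'No event 814 for NoControlPanel found; the device may not have synced yet.'
} else {
    $events | Sort-Object TimeCreated -Descending | ForEach-Object {
        $parsed = ConvertFrom-PolicyManagerMessage -Message $_.Message
        if ($parsed) {
            $parsed | Add-Member -NotePropertyName TimeCreated `
                                 -NotePropertyValue $_.TimeCreated -PassThru
        }
    } | Format-Table TimeCreated, Policy, Area, UserSid, Scope -AutoSize
}

# 2. Read the value the Group Policy template for this setting uses.
#    Assumption: the MDM-delivered policy lands in the same per-user key.
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = (Get-ItemProperty -Path $key -Name NoControlPanel `
              -ErrorAction SilentlyContinue).NoControlPanel
if ($null -eq $value) { 'NoControlPanel: not set for the current user' }
else                  { "NoControlPanel: $value (1 = Control Panel and PC settings blocked)" }
```

Reading the Admin log may require an elevated prompt; the registry check must run as the targeted user, since the value lives under HKCU.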
Tested in my test lab works fine thank you Prajwal