How to Disable Control Panel using Group Policy

Disable Control Panel using Group Policy

In this tutorial, I will show you how to disable control panel using group policy. You can create a GPO to restrict control panel access for users or show only specified control panel items for specific users.

The Control Panel allows you to modify Windows settings. Windows looks and functions almost entirely depending on these choices, so you can customize Windows to suit your needs.

Some organizations do not want their users to introduce changes to Windows, so they disable access to the control panel for them. With a GPO, you can block the entire control panel or allow access to specific items within the control panel for users.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC

On a standalone computer, you can manually block control panel access using the registry. However, if you want to do so for multiple users in your enterprise, you must use Group Policy or Microsoft Intune.

Steps to Disable Control Panel using Group Policy

In this step, we will create a new group policy and configure the settings that will disable control panel access. Once the GPO is created, we will link it to an OU and test the policy.

When you link a new group policy, you either do it at the domain level or at the organizational unit level. I suggest making a new group policy object, linking it to a test OU with the pilot users, and then deploying it to a larger group of users.

To create a GPO, you can either log in to a domain controller or a member server installed with GPMC. You can also install the GPMC on Windows 11 and configure the group policies.

Step 1: Launch the Server Manager. Click Tools > Group Policy Management console. In the Group Policy Management console, expand the domain, right-click Group Policy Objects or an OU, and select New.

Create a GPO to Block Control Panel access
Create a GPO to Block Control Panel access

Step 2: On the New GPO box, specify the name for this GPO. For example, a good name can be something like “Disable Control Panel Access” and set the Source Starter GPO to none. Click OK.

Specify GPO name - Disable Control Panel Access
Specify GPO name – Disable Control Panel Access

Step 3: Right-click the new GPO that you just created and select Edit.

Step 4: In the Group Policy Management Editor window, navigate to the following path: User Configuration > Policies > Administrative Templates > Control Panel. On the right-hand side, right-click the setting “Prohibit access to control panel and PC settings” and select Edit.

Disable Control Panel using Group Policy
Disable Control Panel using Group Policy

Step 5: The Prohibit access to control panel and PC settings group policy setting moderates control panel access for users. The following options can be configured for this setting:

  • Enabled: When you enable this setting, it prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting.
  • Disabled: When disabled, users will have access to the control panel and all the items.
  • Not Configured: It means the policy has no effect. The control panel is accessible to all users.

I am going to enable this policy, which will remove the control panel from the start screen and file explorer for users. If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action.

Click Apply and OK. Close the Group Policy Management Editor.

Disable Control Panel using Group Policy
Disable Control Panel using Group Policy

After the group policy object is configured, you have to link the GPO to an OU if you haven’t already. You can also link it to the domain, but doing so will make the GPO applicable to every computer in the domain, so it is not advised. The best approach is to choose a test OU, connect your GPO, and test the policy settings.

In the Group Policy Management console, right-click on the OU and select Link an existing GPO. On the Select GPO window, select the “disable control panel access” GPO that you created and click OK.

To speed up your testing, update the group policy on the client computers and check to see if access to the control panel is blocked. You can use multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command.

Let’s see what users see on their Windows 11 PC when they launch the control panel. When a user launches the control panel, the GPO blocks it and shows the following error message:

This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

Control Panel - This operation has been cancelled due to restrictions in effect on this computer.
Control Panel – This operation has been cancelled due to restrictions in effect on this computer

Show Only Specified Control Panel Items

At the beginning of the tutorial, I mentioned that instead of blocking access to the control panel, you can show only specified control panel items to users. Thankfully, there is a dedicated group policy for that named “Show only specific control panel items.”

Let’s create a new GPO to show users only specific control panel items.

  • In the Group Policy Management console, expand the domain, right-click Group Policy Objects or an OU, and select New.
  • Specify the GPO name as “Show only specific control panel items.
  • Right-click the GPO that you just created and select Edit.
  • In the Group Policy Management Editor window, navigate to the following path: User Configuration > Policies > Administrative Templates > Control Panel.
  • Edit the Show only specified Control Panel items policy and select Enabled.
Show Only Specified Control Panel Items
Show Only Specified Control Panel Items

After you have enabled the policy, you’ll have to specify the control panel items that will be shown to the users.

On Windows devices, control panel items are assigned canonical names, which can be used in a group policy to hide specific control panel items. Read the following article by Microsoft to learn about the Canonical names for Control Panel items.

Let’s say you want to display the control panel items Recovery and Region for the users and hide the rest. To accomplish that, you’ll need to get their canonical names and enter them in the GPO.

The canonical name for Recovery is Microsoft.Recovery and for Region, it is Microsoft.RegionAndLanguage.

Canonical names for Control Panel items
Canonical names for Control Panel items

Back to the GPO, next to the List of allowed control panel items, click the Show button and enter the canonical names for control panel items one by one that you want to be displayed for users. When done, click Apply and OK.

Show Only Specified Control Panel Items
Show Only Specified Control Panel Items

Close the GPMC editor, right-click the GPO and link this policy to the desired OU containing the users.

On the Windows 10/11 PC, sign in and perform the group policy update by running gpupdate /force command. Wait for the policies to refresh.

When the user opens the control panel, they will have access to only those items that we specified in the GPO. In the screenshot below, we see that on a Windows 11 PC, the user has access to only Recovery and Region items in the control panel.

This confirms that you can use GPO to show only the selected control panel items for your users instead of blocking the entire control panel access.

Show Only Specified Control Panel Items
Show Only Specified Control Panel Items

I hope this tutorial was informative and helpful to you at work. If you have any questions, you can post them in the comments section below.

Need more help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.