Create and deploy a device configuration policy in Microsoft Intune that prevents users from accessing Task Manager on Windows computers using the Settings Catalog.
Task Manager provides powerful system control capabilities that can pose security risks in enterprise environments. Users with Task Manager access can terminate critical business applications, end security processes, or gather sensitive system information. By implementing centralized restrictions through Microsoft Intune, IT administrators can maintain system security while preserving user productivity.
Microsoft Intune's Settings Catalog represents the modern approach to device configuration management, replacing older methods like Administrative Templates and custom OMA-URI policies. The Settings Catalog provides direct access to Windows Configuration Service Providers (CSPs) with a user-friendly interface, ensuring policies stay current with Windows updates and reducing configuration errors.
When you deploy the "Remove Task Manager (User)" policy through Intune, it configures the Windows registry key HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr with a value of 1. This system-level restriction prevents non-administrative users from launching Task Manager through any method - right-clicking the taskbar, using Ctrl+Alt+Delete, or running taskmgr.exe directly. The restriction applies immediately after the next user login and remains active until the policy is removed or disabled.
Start by signing into the Microsoft Intune admin center where you'll create the configuration policy. This is the central hub for all device management tasks.
https://endpoint.microsoft.comSign in with your administrative credentials that have permissions to create device configuration policies. Once logged in, you'll see the main dashboard with various management options.
Verification: Confirm you can see the "Devices" section in the left navigation menu. If you don't see this option, your account lacks the necessary permissions.
Navigate to the device configuration section where you'll create the new policy. This is where all device restriction and configuration policies are managed.
In the left navigation menu, click on Devices, then select Configuration profiles. You'll see a list of existing configuration policies if any have been created previously.
Click the Create profile button to start creating a new configuration policy. This will open the policy creation wizard.
Verification: You should see the "Create a profile" page with platform and profile type selection options.
Select the appropriate platform and profile type for the Task Manager restriction policy. The Settings Catalog provides the most comprehensive and up-to-date policy options.
On the "Create a profile" page:
Click Create to proceed to the policy configuration wizard.
The Settings Catalog is Microsoft's modern approach to device configuration, replacing the older Administrative Templates method. It provides access to all available Configuration Service Provider (CSP) settings.
Verification: You should now see the "Basics" tab of the policy creation wizard with fields for name and description.
Set up the basic information for your Task Manager restriction policy. Clear naming and descriptions help with policy management and troubleshooting.
On the Basics tab, fill in the following information:
Disable Task Manager - Security PolicyPrevents non-administrative users from accessing Task Manager to enhance system security and prevent unauthorized process terminationThe name should be descriptive enough that other administrators understand the policy's purpose without opening it. Include keywords that make it easy to find in searches.
Click Next to proceed to the configuration settings.
Verification: The "Configuration settings" tab should now be active, showing an empty settings list with an "Add settings" button.
Configure the specific setting that will disable Task Manager access for users. This uses the Administrative Templates policy that maps to the Windows registry.
On the Configuration settings tab:
Task ManagerOnce the setting is added, you'll see it in your configuration list. Click on the setting to configure it:
When enabled, this policy prevents users from starting Task Manager through any method - right-clicking the taskbar, using Ctrl+Alt+Delete, or running taskmgr.exe directly.
Click Next to proceed to assignments.
Verification: The setting should show "Remove Task Manager (User): Enabled" in your configuration list.
Configure which users or devices will receive this Task Manager restriction policy. Proper assignment ensures the policy applies only where needed.
On the Assignments tab:
Common assignment strategies:
You can also add exclusion groups if certain users need Task Manager access despite being in the included groups.
Click Next to continue.
Verification: Your selected groups should appear in the "Included groups" section with the correct member count displayed.
Set up scope tags if your organization uses role-based administration to limit which administrators can manage this policy.
On the Scope tags tab:
Scope tags are useful in large organizations where different IT teams manage different departments or regions. They ensure administrators only see and manage policies relevant to their responsibilities.
Common scope tag examples:
Click Next to proceed to the final review.
Verification: The selected scope tags should be listed, or "Default" should be shown if no custom tags are used.
Review all policy settings before deployment to ensure everything is configured correctly. This is your final opportunity to make changes before the policy goes live.
On the Review + create tab, verify:
If everything looks correct, click Create to deploy the policy.
The policy will appear in your Configuration profiles list with a status of "Deploying" initially, then change to show deployment statistics.
Verification: The new policy should appear in the Configuration profiles list with your specified name and show deployment progress.
Track the deployment progress and ensure the policy is successfully applied to target devices. Monitoring helps identify any deployment issues early.
To monitor deployment:
The status page shows:
Policy deployment typically takes 15-30 minutes for online devices, or up to 8 hours for devices that sync periodically.
Verification: At least one device should show "Succeeded" status within 30 minutes for online devices.
Verify that the policy is working correctly by testing Task Manager access on a target device. This confirms the restriction is active and functioning as expected.
On a device where the policy has been applied, test these methods:
taskmgr, and press EnterExpected result for the run command test:
Task Manager has been disabled by your administrator.If you're testing as a local administrator, the restriction won't apply to your account. Test with a standard user account to see the actual restriction in effect.
To verify policy application on the device, check the registry:
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "DisableTaskMgr" -ErrorAction SilentlyContinueThe value should be 1 when the policy is active.
Verification: Standard users should see the "disabled by administrator" message when attempting to access Task Manager through any method.
Deepen your knowledge with related resources
Share your thoughts and insights
Sign in to join the discussion
![How to Deploy Slack with Microsoft Intune [4 Different Methods]](/_next/image?url=https%3A%2F%2Fapi.anavem.com%2Fuploads%2Fmedium_tutorial_cover_how_to_deploy_slack_with_microsoft_intune_4_different_method_1774824625635_f02204453e.png&w=1536&q=75)