
How to Disable ScheduledTask from opening on regular Users?

Özbey, Ömer 0 Reputation points
2025-10-30T13:00:13.79+00:00

Hey all — has anyone actually got this working on Windows 10/11 without breaking the Task Scheduler service or admin/system tasks?

Context: Intune-managed devices (Win10/11). Happy to use Intune (Settings Catalog/OMA-URI) or classic GPO if that’s cleaner.

What we tried (and what happened):

  • Legacy GPO “Task Scheduler 5.0” policies → no effect on Win10/11.

  • SRP (per-user):

      • Blocking `taskschd.msc` was unreliable (MMC still loads the snap-in).

      • Blocking **`schtasks.exe`** per user *can* work, but we still need a clean/supported way to kill the UI route.

  • **MMC snap-in restriction in HKCU (`Restrict_Run`)** → no impact on our builds. Also don’t see “Task Scheduler” listed under **Intune → Settings Catalog → MMC** (maybe ADMX mismatch?).

  • **Registry flips** like “Task Scheduler 5.0” Creation/Deletion/Execution → no effect.

  • **AppLocker** → not tested here (cmdlets/module missing on these machines).

  • **Changing ACLs on `C:\Windows\System32\Tasks`** → skipped (too risky; could break system tasks/updates).

Does anyone have a solution for this?

Windows for home | Windows 11 | Apps

1 answer

  1. Francisco Montilla 30,440 Reputation points Independent Advisor
    2025-10-30T13:43:12.16+00:00

    Hello,

    Yes. The supported way is to use the MMC snap-in restrictions at user scope, not SRP or file ACLs.

    Try this.

    In a classic GPO, create a user-scoped GPO that targets your non-admin users or a security group.

    In User Configuration > Administrative Templates > Windows Components > Microsoft Management Console, first enable the policy named Restrict users to the explicitly permitted list of snap-ins. Then, in the Restricted/Permitted snap-ins folder, set the entry for Task Scheduler to Disabled. When a snap-in is prohibited, it will not appear in Add/Remove Snap-in and any .msc that already contains it opens but the Task Scheduler node is omitted with a policy message.


    If you want this via Intune instead of on-prem GPO, deploy the same settings using the ADMX-backed Policy CSP at user scope.

    In Intune, create a Custom profile (Windows 10 and later), add an OMA-URI setting for ADMX_MMC Restrict users to the explicitly permitted list of snap-ins with the path ./User/Vendor/MSFT/Policy/Config/ADMX_MMC/MMC_Restrict_To_Permitted_Snapins and set the value to the ADMX boolean payload <enabled/>. Then add the per-snap-in OMA-URI from the ADMX_MMCSnapins area for the Task Scheduler snap-in and set it to <disabled/>. If the Settings Catalog does not surface that entry in your tenant, use Group Policy analytics to export a tiny GPO with just those two settings and let Intune show you the CSP mapping and OMA-URIs to paste into your custom profile.

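A check, run in the targeted user's session after a policy refresh, that the two settings described in the answer actually reached the user hive. This is an added example, not part of the answer or any Microsoft tooling. It assumes the usual policy registry layout (`RestrictToPermittedSnapins` under `HKCU\Software\Policies\Microsoft\MMC`, per-snap-in `Restrict_Run` under a `{CLSID}` subkey) and that the snap-in registers a name matching `*Task Scheduler*`; the CLSID is looked up rather than hard-coded.

```powershell
# Added example: report the effective per-user MMC snap-in restriction state.
$policyRoot  = 'HKCU:\Software\Policies\Microsoft\MMC'   # user-scope MMC policy key
$snapInRoot  = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'    # registered snap-ins, used to resolve names
$namePattern = '*Task Scheduler*'                        # assumption: registered display name

function Get-MmcSnapInName {
    param([string]$Clsid)
    $key = Join-Path $snapInRoot $Clsid
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).NameString
    }
}

if (-not (Test-Path -LiteralPath $policyRoot)) {
    Write-Output 'No MMC policy key in HKCU: the policy has not reached this user.'
    return
}

# 1 = only explicitly permitted snap-ins may load; absent or 0 = not enforced
$restrict = (Get-ItemProperty -LiteralPath $policyRoot -ErrorAction SilentlyContinue).RestrictToPermittedSnapins
if ($null -eq $restrict) { $restrict = '<not set>' }
Write-Output "RestrictToPermittedSnapins = $restrict"

# Each configured snap-in is a {CLSID} subkey; Restrict_Run 1 = prohibited, 0 = permitted
$rows = @(Get-ChildItem -LiteralPath $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Clsid       = $_.PSChildName
        Name        = Get-MmcSnapInName -Clsid $_.PSChildName
        RestrictRun = $_.GetValue('Restrict_Run')
    }
})
$rows | Format-Table -AutoSize | Out-String | Write-Output

$hits = @($rows | Where-Object { $_.Name -like $namePattern })
if ($hits.Count -eq 0) {
    Write-Output "No per-snap-in policy entry resolves to a name matching '$namePattern'."
} elseif (@($hits | Where-Object { $_.RestrictRun -eq 1 }).Count -gt 0) {
    Write-Output 'Task Scheduler snap-in: prohibited for this user (Restrict_Run = 1).'
} else {
    Write-Output 'Task Scheduler snap-in: entry present but not set to prohibited.'
}
```

If the snap-in name does not resolve on a given build, the table still lists every configured CLSID with its `Restrict_Run` value, which can be compared against the Group Policy analytics export mentioned in the answer.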
