I've got a GPO to deploy a PEAP MSCHAP v2 wireless profile to certain domain computers. The computers receive the wireless profile assigned through GPO and the connection works; however, I noticed that users (including non-admin users) can modify certain settings of the wireless profile.
When you open the wireless profile, on the Connection tab, all options are greyed out with a notification stating "These settings are managed by your system administrator". When you switch to the Security tab you see the same thing; however, there are two buttons that even non-admin users can select and change settings.
The Security (tab) > Choose a network authentication method > Microsoft: Protected EAP (PEAP) > Settings button
and
The Security (tab) > Advanced Settings button.
When you select the "Advanced Settings" button, it opens 802.1X settings (tab) and 802.11 settings (tab) and all of the options are greyed out, but when you open the "Settings" button you can edit the settings.
Typically, I wouldn't be too concerned about this; however, you can uncheck the "validate server certificate" option, the option that allows you to specify the RADIUS authentication server, which Trusted Root Certification Authorities can be used for the connection, whether or not NAP should be enforced, etc. Some of these could increase your attack surface (such as a man-in-the-middle attack if you aren't validating the server, etc.).
I looked around a bit, but couldn't find any GPOs that would restrict this. I apologize in advance if I missed something simple and thanks in advance for your time in considering this.
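
One way to detect the drift described above, as an added example that is not part of the original post: compare the PEAP settings in an exported WLAN profile against the values the GPO is meant to enforce. It assumes the profile XML has been exported (for example with `netsh wlan export profile`); `Get-PeapDrift`, the sample profile and the baseline values are hypothetical and constructed for illustration.

```powershell
# Constructed sample: trimmed export of a PEAP profile after a user unchecked
# server validation. Element names follow the WLAN profile and
# MsPeapConnectionProperties schemas; all values are made up.
$sampleProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WIFI</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <ServerNames></ServerNames>
            <TrustedRootCA></TrustedRootCA>
          </ServerValidation>
          <EnableQuarantineChecks>false</EnableQuarantineChecks>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap>
    </Config></EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>
'@

# Values the GPO is meant to enforce (constructed placeholders).
$baseline = [ordered]@{
    PerformServerValidation = 'true'
    ServerNames             = 'radius.example.test'
    TrustedRootCA           = 'PLACEHOLDER-ROOT-CA-THUMBPRINT'
    EnableQuarantineChecks  = 'false'
}

function Get-PeapDrift {
    param([Parameter(Mandatory)][string]$ProfileXml,
          [Parameter(Mandatory)][System.Collections.IDictionary]$Expected)
    $doc = [xml]$ProfileXml
    foreach ($key in $Expected.Keys) {
        # local-name() sidesteps the nested schema namespaces; TrustedRootCA may repeat.
        $nodes  = $doc.SelectNodes("//*[local-name()='$key']")
        $actual = @($nodes | ForEach-Object { $_.InnerText.Trim() }) -join ';'
        if ($actual -ne $Expected[$key]) {
            [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $actual }
        }
    }
}

Get-PeapDrift -ProfileXml $sampleProfile -Expected $baseline | Format-Table -AutoSize
```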