In a Microsoft Skype for Business Server 2015 environment, an anonymous participant joins a Skype for Business meeting by using the Skype for Business Web App or Skype Meeting App. Even though the conferencing policy (where AllowParticipantControl and AllowExternalUserControl are both set to False) doesn't enable participants to take control, the participant can give control to other users in the meeting and bypass the conferencing policy.
To fix this issue, install the January 2019 cumulative update 6.0.9319.537 for Skype for Business Server 2015, Web Components Server.
Note This fix only applies to Skype Meeting App. If you are using the Skype for Business Web App, you have to enable the Skype Meetings App to replace the Skype for Business Web App.
To enable the Skype Meetings App, please run the following cmdlet:
Set-CsWebServiceConfiguration -MeetingUxUseCdn $True
For more information about the Skype Meeting App and Skype for Business Web App, please refer to the following article: