Table of Contents
I have recently written a blog post on how to block Command prompt access on Windows devices using Intune. This blog post is about blocking access to Windows Registry Editor on Windows 10/11 devices.
As you may be aware, Windows registry stores all the configuration settings for applications, drivers, and even the operating system itself. Making unauthorized changes to registry keys and values can lead to issues related to applications and OS.
To block Registry access, you can create a device configuration profile and Enable a setting called “Prevent access to registry editing tools (User)“. There is an additional setting called “Disable regedit from running silently“. If this is set to Yes, Users will also not be able to run .reg files manually and also from command prompt.
Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. If you disable this policy setting or do not configure it, users can run Regedit.exe normally.Prevent access to registry editing tools (User)
In the following sections of this blog post, we will look into the steps of blocking Registry Editor access on Windows 10/11 devices using Intune.
STEP 1 – Create a Device Configuration Profile
Let’s create a device configuration profile first and configure this setting:
- Login on Microsoft Intune admin center
- Click on Devices > Configuration profiles
- Click on + Create profile
- Platform: Windows 10 and later
- Profile type: Settings Catalog
Provide a Name and Description of the profile. For Example:
- Name: Prevent Registry Editor access for all Users
- Description: This profile will block regedit.exe access to all users on Windows 10/11 devices
Click on + Add settings and then search for “Registry” in the settings picker. Select “Prevent access to registry editing tools (User)” to configure under Administrative Templates\System category.
- Toggle the switch for Prevent access to registry editing tools (User) to Enabled State. This will block access to Registry Editor.
- Select Yes for Disable regedit from running silently setting to prevent registry access using alternative ways like .reg file or via Command prompt.
Assign this profile to an Azure AD group containing users or devices. If you add users to the Azure AD group, then the profile will get applied even if a user changes their device, But if you want to apply this profile to specific devices only then target this profile to an Azure AD group containing devices only.
Review + create
Review the profile settings and click on Create to create this policy.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
STEP 2 – Monitoring Deployment Progress
To monitor the deployment progress of a Device configuration profile, follow below steps:
- Sign in to the Microsoft Intune admin center.
- Click on “Devices” and then select “Configuration profiles“
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on “View report” to access more detailed information.
Once this policy has been successfully applied to target devices, uses will try to launch Registry Editor using Start Menu or Run dialog box or any other alternative way. It will show a pop-up with below message:
“Registry editing has been disabled by your administrator“
What is the OMA-URI setting for blocking registry access?
OMA-URI Setting for blocking registry access on Windows devices is:
Data Type: String
Value: <enabled/> <data id=”DisableRegeditMode” value=”2″/>
What is the Group Policy setting for blocking registry access?
– Open Group Policy Management console > User Configuration > Administrative Templates > System
– On the right-hand side you will find a setting called “Prevent access to registry editing tools“. Double-click on it and set it to Enabled.
Can I block registry access using Registry Editor itself?
Yes, you can block registry access by creating below registry key and value:
– Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
– Right-click Policies > New > Key
– Name the new Key as System and Under this key create a DWORD registry entry called “DisableRegistryTools” and set its value to 2.
DisableRegistryTools = 0 (Registry editor will open as usual)
DisableRegistryTools = 1 (Registry Editor will not open in Interactive mode, but can be started with Silent switch /s or can execute through .reg files).
DisableRegistryTools = 2 (Registry editor will not open normally or by using Silent switches)
I want to read more about DisableRegedit.
You can read more about this policy at: ADMX_ShellCommandPromptRegEditTools Policy CSP – Windows Client Management | Microsoft Learn