How to block Registry access using Intune

I recently wrote a blog post on blocking Command prompt access on Windows devices using Intune. This blog post is about blocking access to Windows Registry Editor on Windows 10/11 devices.

As you may know, the Windows registry stores all the configuration settings for applications, drivers, and the operating system. Making unauthorized changes to registry keys and values can lead to issues related to applications and the OS.

To block Registry access, create a device configuration profile and enable the setting called Prevent access to registry editing tools (User). There is also an additional setting called Disable regedit from running silently. If this is set to Yes, users cannot run .reg files manually or from the command prompt either.

Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. If you disable this policy setting or do not configure it, users can run Regedit.exe normally.

Prevent access to registry editing tools (User)

In the following sections of this blog post, we will look into the steps of blocking Registry Editor access on Windows 10/11 devices using Intune.

STEP 1 – Create a Device Configuration Profile

Let’s create a device configuration profile first and configure this setting:

  • Sign in to the Intune admin center.
  • Click on Devices > Configuration > Create > New Policy.
  • Platform: Windows 10 and later.
  • Profile type: Settings Catalog.

Basics

Provide a Name and Description of the profile. For Example:

  • Name: Prevent Registry Editor access for all Users
  • Description: This profile will block regedit.exe access to all users on Windows 10/11 devices

Configuration settings

Click on + Add settings and search for Registry in the settings picker. Under the Administrative Templates\System category, select Prevent access to registry editing tools (User).

Add Settings to block registry access on Intune admin center
  • Toggle Prevent access to registry editing tools (User) to the Enabled state. This blocks access to Registry Editor.
  • Set Disable regedit from running silently to Yes, so that registry access through alternative methods, such as a .reg file or the command prompt, is blocked as well.
Set Prevent access to registry editing tools (User) to Enabled State

Assignments

Assign this profile to an Entra security group containing users or devices. If you target a group of users, the profile follows them even when they sign in to a different device. If you want the profile to apply only to specific devices, target an Entra security group containing those devices only.

Review + create

Review the profile settings and click on Create to create this policy.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

STEP 2 – Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Intune admin center.
  • Click on Devices and then select Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.

End-user Experience

Once this policy has been successfully applied to the target devices, any attempt by a user to launch Registry Editor, whether from the Start Menu, the Run dialog box, or any other method, shows a pop-up with the following message:

Registry editing has been disabled by your administrator


FAQs

What is the OMA-URI setting for blocking registry access?

OMA-URI Setting for blocking registry access on Windows devices is:

./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit
Data Type: String
Value: <enabled/> <data id="DisableRegeditMode" value="2"/>

What is the Group Policy setting for blocking registry access?

– Open Group Policy Management console > User Configuration > Administrative Templates > System

– On the right-hand side you will find a setting called "Prevent access to registry editing tools". Double-click on it and set it to Enabled.

Can I block registry access using Registry Editor itself?

Yes, you can block registry access by creating the registry key and value:

– Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

– Right-click Policies > New > Key
– Name the new key System and, under it, create a DWORD value called DisableRegistryTools and set it to 2.

DisableRegistryTools = 0 (Registry Editor opens as usual)
DisableRegistryTools = 1 (Registry Editor will not open in interactive mode, but can still be started with the silent switch /s or executed through .reg files)
DisableRegistryTools = 2 (Registry Editor will not open normally or by using the silent switch)
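To verify on a device that the restriction actually landed with the expected value, the following PowerShell script (an added example, not code from the original post or from Microsoft) reads the DisableRegistryTools value under the key documented above, interprets it using the three meanings listed, and can also write the value locally for testing. It assumes the Intune-delivered setting ends up in that same HKCU Policies key and that the script runs in the affected user's session.

```powershell
# Added example: audit (and optionally set) the DisableRegistryTools policy value
# for the current user. The key path and value name are the ones the post documents;
# the assumption is that the Intune setting is written to the same location.
$policyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'DisableRegistryTools'

# Meaning of each value, as listed in the FAQ above
$meaning = @{
    0 = 'Not restricted: regedit.exe opens normally'
    1 = 'Interactive regedit.exe blocked; regedit /s and .reg files still run'
    2 = 'regedit.exe blocked both interactively and silently'
}

function Get-RegeditRestriction {
    # A missing key or value means the policy is not configured (same as 0)
    if (-not (Test-Path -Path $policyKey)) { return 0 }
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Set-RegeditRestriction {
    # Writes the REG_DWORD the policy uses; intended only for local testing,
    # since Intune or Group Policy should normally be the source of this value
    param([ValidateSet(0, 1, 2)][int]$Mode)
    if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value $Mode -Force | Out-Null
}

$current = Get-RegeditRestriction
Write-Output ("{0} = {1}: {2}" -f $valueName, $current, $meaning[$current])
if ($current -ne 2) {
    # The profile in this post enables the setting and disables silent mode, which maps to 2
    Write-Warning 'Policy not enforced as intended: expected DisableRegistryTools = 2.'
}
```

Run it as the targeted user after a sync; a value other than 2 means the profile has not applied yet, the user is not in the assigned group, or a conflicting policy is overriding it.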

I want to read more about DisableRegedit.
