How to block Registry access using Intune

I have recently written a blog post on how to block Command prompt access on Windows devices using Intune. This blog post is about blocking access to Windows Registry Editor on Windows 10/11 devices.

As you may be aware, Windows registry stores all the configuration settings for applications, drivers, and even the operating system itself. Making unauthorized changes to registry keys and values can lead to issues related to applications and OS.

To block Registry access, you can create a device configuration profile and Enable a setting called “Prevent access to registry editing tools (User)“. There is an additional setting called “Disable regedit from running silently“. If this is set to Yes, Users will also not be able to run .reg files manually and also from command prompt.

Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. If you disable this policy setting or do not configure it, users can run Regedit.exe normally.

Prevent access to registry editing tools (User)

In the following sections of this blog post, we will look into the steps of blocking Registry Editor access on Windows 10/11 devices using Intune.

STEP 1 – Create a Device Configuration Profile

Let’s create a device configuration profile first and configure this setting:

• Login on Microsoft Intune admin center
• Click on Devices > Configuration profiles
• Click on + Create profile
• Platform: Windows 10 and later
• Profile type: Settings Catalog

Basics

Provide a Name and Description of the profile. For Example:

• Name: Prevent Registry Editor access for all Users
• Description: This profile will block regedit.exe access to all users on Windows 10/11 devices

Configuration settings

Click on + Add settings and then search for “Registry” in the settings picker. Select “Prevent access to registry editing tools (User)” to configure under Administrative Templates\System category.

• Toggle the switch for Prevent access to registry editing tools (User) to Enabled State. This will block access to Registry Editor.

• Select Yes for Disable regedit from running silently setting to prevent registry access using alternative ways like .reg file or via Command prompt.

Assignments

Assign this profile to an Azure AD group containing users or devices. If you add users to the Azure AD group, then the profile will get applied even if a user changes their device, But if you want to apply this profile to specific devices only then target this profile to an Azure AD group containing devices only.

Review + create

Review the profile settings and click on Create to create this policy.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.

STEP 2 – Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow below steps:

• Sign in to the Microsoft Intune admin center.
• Click on “Devices” and then select “Configuration profiles“
• Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
• Click on “View report” to access more detailed information.

End-user Experience

Once this policy has been successfully applied to target devices, uses will try to launch Registry Editor using Start Menu or Run dialog box or any other alternative way. It will show a pop-up with below message:

“Registry editing has been disabled by your administrator“

FAQs