Thursday, June 4, 2026

Boost Endpoint Security: Disable Regedit and CMD via Intune Settings Catalog

In enterprise environments, restricting access to critical system tools like the Windows Registry Editor (regedit.exe) and Command Prompt (cmd.exe) is essential to maintain system integrity and prevent unauthorized configurations. Microsoft Intune provides a centralized approach to enforce these restrictions across managed devices using the Settings Catalog.

Prerequisites

Before proceeding, ensure the following:
  • You have administrative access to the Microsoft Intune Admin Center.
  • Target devices are running Windows 10 (version 1909 or later) or Windows 11.
  • Devices are enrolled in Intune and are either Microsoft Entra joined or Microsoft Entra hybrid joined.

Blocking Access to Windows Registry Editor

The Windows Registry Editor allows users to modify system configurations, which can pose security risks if misused. To prevent access:

Step-by-Step Guide:

  1. Sign in to the Microsoft Intune admin center at https://intune.microsoft.com.

  2. Create a New Configuration Profile:

    • Go to Devices > Windows > Configuration profiles > + Create profile.
    • Select Platform: Windows 10 and later.
    • Choose Profile type: Settings catalog.
  3. Configure Profile Basics:

    • Enter a Name, for example: Block Windows Registry Access.
    • Provide a Description, for example: Prevents users from accessing the Windows Registry Editor.
    • Click Next.

  4. Add Settings:

    • In the Configuration settings tab, click + Add settings.
    • In the Settings picker, search for Prevent access to registry editing tools.
    • Select the setting under Administrative Templates > System.

  5. Configure the Setting:

    • Set Prevent access to registry editing tools to Enabled.
    • Set Disable regedit from running silently to Yes. Note that Yes also blocks regedit /s, the silent mode some scripts use to import .reg files; choose No if you rely on that.
    • Click Next.

  6. Assign the Profile:

    • In the Assignments tab, choose the user or device groups to which this policy should apply.
    • Click Next.

  7. Review and Create:

    • Review the configuration settings.
    • Click Create to deploy the policy.

End-User Experience:

Once applied, users attempting to open the Registry Editor will receive the message:

“Registry editing has been disabled by your administrator.”

Preventing Access to Command Prompt

The Command Prompt can be used to execute various commands that may compromise system integrity. To restrict access:

Step-by-Step Guide:

  1. Create a New Configuration Profile:

    • In the Intune Admin Center, go to Devices > Windows > Configuration profiles > + Create profile.
    • Select Platform: Windows 10 and later.
    • Choose Profile type: Settings catalog.
  2. Configure Profile Basics:

    • Enter a Name, for example: Prevent Access to Command Prompt.
    • Provide a Description, for example: Disables access to cmd.exe for users.
    • Click Next.

  3. Add Settings:

    • In the Configuration settings tab, click + Add settings.
    • In the Settings picker, search for Prevent access to the command prompt.
    • Select the setting under Administrative Templates > System.

  4. Configure the Setting:

    • Set Prevent access to the command prompt to Enabled.
    • Set Disable the command prompt script processing also to No (set it to Yes only if you also want to block .bat and .cmd scripts).
    • Click Next.

  5. Assign the Profile:

    • In the Assignments tab, choose the user or device groups to which this policy should apply.
    • Click Next.

  6. Review and Create:

    • Review the configuration settings.
    • Click Create to deploy the policy.

End-User Experience:

After the policy is applied, users attempting to open the Command Prompt will see:

“The command prompt has been disabled by your administrator.”
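Both profiles above are ADMX-backed settings, so on the device they end up in the same registry values Group Policy would write: DisableRegistryTools and DisableCMD under Software\Microsoft\Windows\CurrentVersion\Policies\System, with 1 and 2 corresponding to the No/Yes choice of the second option in each setting. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling; the function and parameter names are my own, the registry paths and value meanings are the standard ones from the ADMX definitions. It reports what actually applied on a device and can double as an Intune remediation detection script.

```powershell
# Added verification script (not from the original post). Run it in the session
# of a user the profiles were assigned to: both settings are user-scope, so the
# Intune-written values live in that user's HKCU hive. A machine-scope GPO can
# set the same value names under HKLM, so both hives are checked.
#
# Value meanings (from the ADMX definitions):
#   DisableRegistryTools  1 = regedit blocked, 'regedit /s' (silent import) still allowed
#                         2 = regedit blocked, including silent mode
#   DisableCMD            1 = cmd.exe blocked, .bat/.cmd scripts still run
#                         2 = cmd.exe blocked and batch script processing disabled

$PolicyKeys = [ordered]@{
    User    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
}

$Meanings = @{
    DisableRegistryTools = @{ 0 = 'allowed'; 1 = 'regedit blocked (regedit /s still allowed)'; 2 = 'regedit blocked, including silent mode' }
    DisableCMD           = @{ 0 = 'allowed'; 1 = 'cmd.exe blocked (batch scripts still run)';  2 = 'cmd.exe blocked, batch scripts blocked too' }
}

function Get-ToolRestrictionState {
    # Reads both hives and reports the effective restriction for each value name.
    foreach ($name in 'DisableRegistryTools', 'DisableCMD') {
        $perHive = @{}
        foreach ($scope in $PolicyKeys.Keys) {
            # A missing key or value simply means "not set" (0); no error is raised.
            $item = Get-ItemProperty -Path $PolicyKeys[$scope] -Name $name -ErrorAction SilentlyContinue
            $perHive[$scope] = if ($null -ne $item) { [int]$item.$name } else { 0 }
        }
        # Either hive can impose the restriction; the stricter value wins.
        $effective = [Math]::Max($perHive['User'], $perHive['Machine'])
        $meaning = $Meanings[$name][$effective]
        if (-not $meaning) { $meaning = "unexpected value $effective" }
        [pscustomobject]@{
            Setting   = $name
            User      = $perHive['User']
            Machine   = $perHive['Machine']
            Effective = $effective
            Meaning   = $meaning
        }
    }
}

function Test-ToolRestriction {
    # Returns $true only when both settings are at least as strict as expected.
    # Defaults match the choices made in the walkthrough above.
    param(
        [ValidateRange(0, 2)][int]$ExpectedRegistryTools = 2,  # 'Disable regedit from running silently' = Yes
        [ValidateRange(0, 2)][int]$ExpectedCmd = 1              # 'Disable the command prompt script processing also' = No
    )
    $state = Get-ToolRestrictionState
    $reg = ($state | Where-Object Setting -eq 'DisableRegistryTools').Effective
    $cmd = ($state | Where-Object Setting -eq 'DisableCMD').Effective
    return ($reg -ge $ExpectedRegistryTools) -and ($cmd -ge $ExpectedCmd)
}

# Report the per-hive and effective values, then a one-line verdict.
$compliant = Test-ToolRestriction
Get-ToolRestrictionState | Format-Table -AutoSize
if ($compliant) { 'Compliant' } else { 'Not compliant: expected restrictions are missing' }
# As an Intune remediation detection script, end with:
#   if ($compliant) { exit 0 } else { exit 1 }
```

Run it from a PowerShell window as the targeted user after the device has synced; an Effective value of 0 for either setting means the profile has not applied to that user yet, or was assigned to a group the user is not in. The fact that this script runs at all while cmd.exe is blocked is itself the reminder that DisableCMD does not touch PowerShell.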

Additional Considerations

  • Batch Scripts: If your organization relies on batch (.bat/.cmd) scripts for logon or startup tasks, leave Disable the command prompt script processing also set to No; setting it to Yes stops those scripts from running for the targeted users.
  • Scope and Limits: Both settings are user-scope policies. They apply to every user account the profile is assigned to, administrators included, and a local administrator can revert the underlying policy value. They are a usability guardrail rather than a security boundary: PowerShell, reg.exe and the PowerShell registry provider are not affected, so pair them with other controls (for example, AppLocker or Windows Defender Application Control) where blocking these tools actually matters.
  • Testing: Always test new policies on a subset of devices before widespread deployment to prevent unintended consequences.

Conclusion

By leveraging Microsoft Intune’s Settings Catalog, administrators can effectively restrict access to critical system tools like the Windows Registry Editor and Command Prompt, enhancing the security posture of their organization’s devices.

Author

  • Hi, I’m Haresh Hirani, the mind behind Hiraniconfigmgr.com. I’m a seasoned IT professional with deep expertise in Microsoft technologies, especially in Configuration Manager (ConfigMgr/SCCM). Over the years, I’ve expanded my skill set to cover a broader range of modern device management platforms like Microsoft Intune, Jamf Pro, ManageEngine Endpoint Central, and VMware AirWatch (Workspace ONE UEM). I use this blog to document real-world, tested, working fixes and walkthroughs from my daily technical experiences. The 💡idea is simple: if it helped me, it might help someone like you. My goal is to create a living repository of practical IT solutions for the community. If you find something useful, or if you want to collaborate, feel free to connect with me on LinkedIn or drop a message through the Contact page. Happy to help.
