
Disabling Registry Editor for Users

If your users have no need to access the registry editor (let's face it, why would they?) then disable it.

From Devices / Configuration Profiles - click the Create Profile Option

Create the profile for the Windows 10 and later platform, and use the Template and Custom option.

Enter a Name for your policy and a description (if you wish). Personally, we always like to make the name descriptive so we can quickly see later what the policy is doing. We also like to have lots of policies, each delivering one aspect, so it's easy to remove one if we wish.

You are then going to create a CUSTOM OMA-URI for the settings

Name: Disable Registry Editor

Description: Disable Registry Editor

OMA-URI: ./user/vendor/MSFT/Policy/Config/ADMX_ShellCommandpromptRegeditTools/DisableRegedit

Data Type: String

Value

<enabled/>
<data id="DisableRegeditMode" value="2"/>

Once you have that created, click NEXT and assign the profile to a group, or indeed to all users. We recommend assigning it to a group that contains all your users but excludes any admins, so you are still able to RUNAS and use an admin account to access the regedit command.
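
To confirm the profile has landed on a device and that the admin accounts really are excluded, you can check the per-user registry value that the underlying "Prevent access to registry editing tools" policy sets. The script below is an added example, not part of the original article: the function name Get-RegeditPolicyState is hypothetical, and the DisableRegistryTools value name and the meaning of 1 and 2 come from the Group Policy setting behind this OMA-URI rather than from this page.

```powershell
# Added example: report the regedit restriction for every user hive currently loaded.
# Run from an elevated prompt to see hives other than your own.
function Get-RegeditPolicyState {    # hypothetical helper name
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

    # Local/AD accounts have S-1-5-21-* SIDs, Entra ID accounts have S-1-12-1-*.
    # The anchored pattern also skips the *_Classes hives.
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = "Registry::HKEY_USERS\$sid\$subKey"
            $prop = Get-ItemProperty -Path $path -Name DisableRegistryTools -ErrorAction SilentlyContinue
            $raw  = if ($prop) { $prop.DisableRegistryTools } else { $null }

            # 2 matches value="2" in the profile above (silent regedit runs are blocked too)
            if     ($raw -eq 2) { $state = 'Blocked, including regedit /s' }
            elseif ($raw -eq 1) { $state = 'Blocked, regedit /s still allowed' }
            else                { $state = 'Not restricted' }

            # Resolve the SID to an account name where possible
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '(unresolved)'
            }

            [pscustomobject]@{
                Account  = $account
                Sid      = $sid
                RawValue = $raw
                State    = $state
            }
        }
}

Get-RegeditPolicyState | Format-Table -AutoSize
```

Standard users in the assigned group should show a RawValue of 2, while the excluded admin accounts should show "Not restricted". Only hives of users who are signed in (or otherwise loaded) appear in the output.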