If you users have no need to access the registry editor (lets face it why would they) then disable it
From Devices / Configuration Profiles - click the Create Profile Option
You need to create for Windows 10 and later and use the Template and Custom option.
Enter a Name for your policy and a description (if you wish) - personally we always like to make the name descriptive, so we can later, quickly see what the policy is doing and we like to have lots of policies delivering certain aspects, so its easy to remove if we wish.
You are then going to create a CUSTOM OMA-URI for the settings
Name
Disable Registry Editor
Description
Disable Registry Editor
OMA-URI
./user/vendor/MSFT/Policy/Config/ADMX_ShellCommandpromptRegeditTools/DisableRegedit
Data Type: String
Value
<enabled/>
<data id="DisableRegeditMode" value="2"/>
Once you have that created, you can click on NEXT and apply this to a Group or indeed all users, however, we would recommend applying to a group which contains all your users, but excludes any admin's, so you are still able to RUNAS and use an Admin account to access the regedit command.