View Blog

Mar 2020
02

The last thing that standard users need on Windows 10 machines is access to REGEDIT.  It is one of the first things we block access to with Group Policy.  Surprising though, there is no native way in Intune to block it however.  The good news is that you can do it by creating a custom profile in Intune or any MDM.  I have included the information you need to create it below.  Now you can be rest assured that users won't be causing issues and circumventing policies by messing with the registry.

OMA-URI:  ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy

Data Type:  String (XML file)

<RuleCollection Type="Exe" EnforcementMode="NotConfigured">

        <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

        FilePathRule>

        <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">

          <Conditions>

            <FilePathCondition Path="*" />

          Conditions>

                        <Exceptions>

     

        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="REG.EXE">

          <BinaryVersionRange LowSection="*" HighSection="*" />

        FilePublisherCondition>

                Exceptions>

        FilePathRule>

     RuleCollection>

 


 

Comments (0)

No Comments!