Easily Block Windows Registry Access using Intune Policy
In this article, we will show you how to block Windows registry access using Intune. You can use the Intune policy to restrict access to the Windows registry editor, which will prevent users from modifying the registry on their devices.
The heart of the Windows operating system is the registry. According to Microsoft, the registry contains information that Windows continually references during operation, such as user profiles, applications, application icons, what hardware exists on the system, and the ports that are being used.
One of our clients reported a problem in which a few users were modifying the registry with the Windows Registry Editor. It was hard to track the changes that were made to the registry. Since the Windows devices were enrolled in Intune, you can use Intune to restrict access to the registry editor (regedit.exe)
Blocking Windows registry access is essential because, if users alter the registry without first making a backup of it, it could result in serious issues that would require a complete reinstall of the operating system and result in data loss.
Intune offers an easy way to block Windows Registry access for users. We will create a configuration profile in Intune and use the policy “Prevent access to registry editing tools” that will completely block Windows Registry Editor (regedit.exe) for Windows users. Let’s get started.
Also Read: Disable Bluetooth on Windows devices using Intune
Block Windows Registry Access using Intune
Perform the following steps to block Windows registry access on Windows 10/11 devices using Intune:
- First, sign in to the Microsoft Intune admin center.
- Go to Devices > Windows > Configuration Profiles.
- Create a new configuration profile that will block access to registry editing tools.
Choose the following on the Create Profile page:
- Platform: Select Windows 10 and later
- Profile Type: Settings Catalog
Click Next.
Specify the policy name and a brief description of the policy. Other Intune administrators will be able to understand the policy’s purpose with these specifics.
- Name: Block Windows Registry access using Intune
- Description: Restrict access to registry editing tools
Click Next.
In the Configuration Settings section, under Settings Catalog, click Add Settings. The Intune Settings catalog allows you to enable or disable registry access for Windows users.
On the Settings picker window, type “registry editing” in the search box and click Search. From the search results, select Administrative Templates\System.
In the bottom pane, select the setting “Prevent access to registry editing tools (User).” Notice that another sub-setting, “Disable regedit from running silently? (User)” gets enabled by default. Close the Settings Picker window.
Configure the following settings to disable regedit access for Windows users:
- Prevent access to registry editing tools (user): Move the slider to the right to enable this setting. When you enable this setting, Intune will block regedit.exe access for Windows users.
- Disable regedit from running silently? (User): Click the drop-down and select Yes
Click Next.
On the scope tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments window, specify the user groups for which you want to prevent access to the registry editor. We recommend deploying the profile to a few test user groups first and then expanding it to more groups if the testing is successful. Select Next.
On the Review + Create page, review all the settings that you have defined to block registry access using Intune and select Create.
After you create a configuration policy in Intune, a notification appears: “Policy created successfully“. This confirms that the policy has been created and is being applied to the groups we chose. The configuration profile that we created appears in Intune’s list of configuration profiles.
In order to receive policies from Intune, the devices must be online. You can also force sync Intune policies on your computers to get the latest policies and settings from Intune.
To monitor the Block Registry Editor policy in Intune that you applied to Windows devices, select the policy and review the Device and user check-in status. Under the Device and user check-in status, we see the total number of users who succeeded in receiving the policy. In some cases, the policy may fail to apply to certain users. To resolve the issues, you will need to troubleshoot the issue by reviewing Intune logs on Windows computers.
End User Experience
Let’s verify if the Intune policy has disabled access to the registry editor for users on Windows devices. Log in to one of the Windows 10/11 devices and launch the registry editor by running the command “regedit.exe“.
If a user tries to start Regedit.exe, the following message appears: “Registry editing has been disabled by your administrator“. With this, we can conclude that you can easily restrict access to the Windows registry editor using the Intune policy.