Muokkaa

Jaa


Policy CSP - ADMX_ShellCommandPromptRegEditTools

Tip

This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.

The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.

DisableCMD

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD

This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.

  • If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.

  • If you disable this policy setting or don't configure it, users can run Cmd.exe and batch files normally.

Note

Don't prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableCMD
Friendly Name Prevent access to the command prompt
Location User Configuration
Path System
Registry Key Name Software\Policies\Microsoft\Windows\System
ADMX File Name Shell-CommandPrompt-RegEditTools.admx

DisableRegedit

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit

Disables the Windows registry editor Regedit.exe.

  • If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.

  • If you disable this policy setting or don't configure it, users can run Regedit.exe normally.

To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisableRegedit
Friendly Name Prevent access to registry editing tools
Location User Configuration
Path System
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\System
ADMX File Name Shell-CommandPrompt-RegEditTools.admx

DisallowApps

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisallowApps

Prevents Windows from running the programs you specify in this policy setting.

  • If you enable this policy setting, users can't run programs that you add to the list of disallowed applications.

  • If you disable this policy setting or don't configure it, users can run any programs.

This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.

Note

Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.

Note

To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name DisallowApps
Friendly Name Don't run specified Windows applications
Location User Configuration
Path System
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value Name DisallowRun
ADMX File Name Shell-CommandPrompt-RegEditTools.admx

RestrictApps

Scope Editions Applicable OS
❌ Device
✅ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later
✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later
✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/RestrictApps

Limits the Windows programs that users have permission to run on the computer.

  • If you enable this policy setting, users can only run programs that you add to the list of allowed applications.

  • If you disable this policy setting or don't configure it, users can run all applications.

This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.

Note

Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.

Note

To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace

Tip

This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.

ADMX mapping:

Name Value
Name RestrictApps
Friendly Name Run only specified Windows applications
Location User Configuration
Path System
Registry Key Name Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Registry Value Name RestrictRun
ADMX File Name Shell-CommandPrompt-RegEditTools.admx

Policy configuration service provider