Policy CSP - ADMX_ShellCommandPromptRegEditTools
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>
. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
DisableCMD
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD
This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
If you disable this policy setting or don't configure it, users can run Cmd.exe and batch files normally.
Note
Don't prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisableCMD |
Friendly Name | Prevent access to the command prompt |
Location | User Configuration |
Path | System |
Registry Key Name | Software\Policies\Microsoft\Windows\System |
ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
DisableRegedit
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit
Disables the Windows registry editor Regedit.exe.
If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.
If you disable this policy setting or don't configure it, users can run Regedit.exe normally.
To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisableRegedit |
Friendly Name | Prevent access to registry editing tools |
Location | User Configuration |
Path | System |
Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
DisallowApps
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisallowApps
Prevents Windows from running the programs you specify in this policy setting.
If you enable this policy setting, users can't run programs that you add to the list of disallowed applications.
If you disable this policy setting or don't configure it, users can run any programs.
This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
Note
Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
Note
To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | DisallowApps |
Friendly Name | Don't run specified Windows applications |
Location | User Configuration |
Path | System |
Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
Registry Value Name | DisallowRun |
ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
RestrictApps
Scope | Editions | Applicable OS |
---|---|---|
❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/RestrictApps
Limits the Windows programs that users have permission to run on the computer.
If you enable this policy setting, users can only run programs that you add to the list of allowed applications.
If you disable this policy setting or don't configure it, users can run all applications.
This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
Note
Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
Note
To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | RestrictApps |
Friendly Name | Run only specified Windows applications |
Location | User Configuration |
Path | System |
Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
Registry Value Name | RestrictRun |
ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |