Disable Win 11 factory reset (GPO/MDM)

lmgmcg 110 Reputation points
2024-11-26T17:22:17.37+00:00

I want to create a GPO & an MDM (Hybrid environment) policy to prevent users from performing a factory reset on their Win11 PCs/Laptops. (Something like denying access to C:\Windows\system32\systemreset.exe, which I cannot find on Win 11.)

Also, it would be much better if I could create something that allows the reset feature for domain admins only, so that not even the local admin can reset the PC.

Cheers.

~lmgmcg~

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Client for IT Pros | User experience | Other
Microsoft Security | Intune | Other

Accepted answer
  1. hossein jalilian 11,055 Reputation points Volunteer Moderator
    2024-11-26T18:24:55.7566667+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    • Disable Windows Recovery Environment: use the command reagentc.exe /disable to disable the Windows Recovery Environment. This can be executed via a startup script in GPO. This command will prevent users from performing a reset through the settings or advanced startup options.
    • Create an AppLocker policy to deny access to systemreset.exe.
    • You can also block access to the recovery settings page using URI commands in GPO. This involves creating a policy that blocks the specific settings page for reset options.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful


2 additional answers

  1. Darrell Nielsen 0 Reputation points
    2024-11-26T18:45:32.4633333+00:00

    Configure Windows Reset Settings in Intune: (MDM)

    Navigate to Endpoint security > Windows settings in the Intune portal.

    Create a policy to restrict resetting options.

    Set Block users from resetting their devices to Yes (apply this policy to all users except domain admins).

    Prevent factory reset using GPO

    1. Disable Access to Recovery Options: Use Group Policy to disable access to the recovery options, including the reset functionality. Here's how to configure it:
    2. Open Group Policy Management: On a domain controller or machine with the GPO management tools, open Group Policy Management Console (GPMC).
    3. Create or Edit a GPO: Right-click on an existing GPO or create a new one. Navigate to the following path:
    4. Computer Configuration -> Administrative Templates -> System -> Recovery
    5. Enable the policy to disable Reset:
      • Disable or Hide the "Reset this PC" option: This prevents users from accessing the "Reset this PC" feature from the Settings.
      • Policy Name: Do not allow reset of the PC
      • Set this policy to: Enabled
      • This will prevent users from accessing the "Reset this PC" option in the settings.
      • Apply the GPO: Link the GPO to the appropriate Organizational Unit (OU) where your user and computer accounts reside.
    6. Disable Recovery Environment: Additionally, you can disable access to the Recovery Environment entirely, which would further prevent users from performing a reset in any situation.
      • Path: Computer Configuration -> Administrative Templates -> System -> Recovery
      • Policy Name: Disable Recovery Environment
      • Set to: Enabled

  2. Anonymous
    2024-11-27T01:39:38.2+00:00

    @lmgmcg Thanks for posting in our Q&A.

    From Intune's point of view, there is no built-in setting that can disable Win 11 factory reset. To do this, it is suggested to write a PowerShell script with the command "reagentc.exe /disable" and deploy this script via Intune.

    https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension

    Hope it will give you some ideas.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

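The script the answers above describe (reagentc.exe /disable run from a GPO startup script or an Intune PowerShell script) could look like the following. This is an added example, not code from the thread; the function name Get-WinREStatus is hypothetical, and the status parsing assumes the English "Windows RE status" label in reagentc /info output.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent WinRE disable with verification and exit codes,
# so the deployment tool can report success or failure per device.

# A 32-bit PowerShell host on 64-bit Windows is redirected away from
# System32; Sysnative is only visible to 32-bit processes, so try it first.
$candidates = @(
    (Join-Path $env:SystemRoot 'Sysnative\reagentc.exe'),
    (Join-Path $env:SystemRoot 'System32\reagentc.exe')
)
$reagentc = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $reagentc) {
    Write-Output 'reagentc.exe not found'
    exit 1
}

function Get-WinREStatus {
    # Returns 'Enabled', 'Disabled', or 'Unknown' from reagentc /info output.
    # Assumption: English label text; localized builds print a different label.
    param([string[]]$InfoOutput)
    foreach ($line in $InfoOutput) {
        if ($line -match '^\s*Windows RE status:\s*(\w+)') { return $Matches[1] }
    }
    return 'Unknown'
}

$before = Get-WinREStatus (& $reagentc /info)
if ($before -eq 'Disabled') {
    Write-Output 'WinRE already disabled; nothing to do'
    exit 0
}

& $reagentc /disable | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "reagentc /disable failed with exit code $LASTEXITCODE"
    exit 1
}

# Verify the change instead of trusting the exit code alone.
$after = Get-WinREStatus (& $reagentc /info)
Write-Output "WinRE status: $before -> $after"
if ($after -eq 'Disabled') { exit 0 } else { exit 1 }
```

Disabling WinRE removes the recovery tools for administrators as well, and any account that can run an elevated prompt can reverse it with reagentc /enable.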
