Den här webbläsaren stöds inte längre.
Uppgradera till Microsoft Edge och dra nytta av de senaste funktionerna och säkerhetsuppdateringarna, samt teknisk support.
Tips
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD
This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
If you disable this policy setting or don't configure it, users can run Cmd.exe and batch files normally.
Anteckning
Don't prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tips
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableCMD |
| Friendly Name | Prevent access to the command prompt |
| Location | User Configuration |
| Path | System |
| Registry Key Name | Software\Policies\Microsoft\Windows\System |
| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit
Disables the Windows registry editor Regedit.exe.
If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.
If you disable this policy setting or don't configure it, users can run Regedit.exe normally.
To prevent users from using other administrative tools, use the "Run only specified Windows applications" policy setting.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tips
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisableRegedit |
| Friendly Name | Prevent access to registry editing tools |
| Location | User Configuration |
| Path | System |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisallowApps
Prevents Windows from running the programs you specify in this policy setting.
If you enable this policy setting, users can't run programs that you add to the list of disallowed applications.
If you disable this policy setting or don't configure it, users can run any programs.
This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
Anteckning
Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
Anteckning
To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tips
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | DisallowApps |
| Friendly Name | Don't run specified Windows applications |
| Location | User Configuration |
| Path | System |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | DisallowRun |
| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
| Scope | Editions | Applicable OS |
|---|---|---|
| ❌ Device ✅ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/RestrictApps
Limits the Windows programs that users have permission to run on the computer.
If you enable this policy setting, users can only run programs that you add to the list of allowed applications.
If you disable this policy setting or don't configure it, users can run all applications.
This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn't prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn't prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.
Anteckning
Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.
Anteckning
To create a list of allowed applications, click Show. In the Show Contents dialog box, in the Value column, type the application executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe).
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tips
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | RestrictApps |
| Friendly Name | Run only specified Windows applications |
| Location | User Configuration |
| Path | System |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | RestrictRun |
| ADMX File Name | Shell-CommandPrompt-RegEditTools.admx |
Utbildning
Modul
Explore advanced protection methods - Training
This module explores additional tools used to provide additional layers of security within an organization.
Certifiering
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.
Dokumentation
Deploy OMA-URIs to target a CSP through Intune, and a comparison to on-premises - Intune
This article describes the significance of CSPs, Open Mobile Alliance – Uniform Resources (OMA-URIs), and how custom mobile device management (MDM) policies are delivered to a Windows 10-based device with Microsoft Intune.
Learn more about the DMClient CSP.
LocalPoliciesSecurityOptions Policy CSP
Learn more about the LocalPoliciesSecurityOptions Area in Policy CSP.