Blocking Command Prompt on Windows with an Intune Device Configuration profile

This article shows you how to use Intune to block the Command Prompt on Windows devices using a Configuration profile.

Navigate to https://endpoint.microsoft.com and select Device from the menu on the left as shown above.

Then, select Windows on the right.

Select Configuration profiles from the menu on the left as shown.

image

Select Create profile.

Then select the Platform as Windows 10 and later.

Select the Profile type as Templates.

From the list of templates select Custom.

Select Create in the bottom right.

image

Give the policy a name and select Next to continue.

image

Select Add.

image

In the OMA-URI settings enter the following as shown above:

Name = Block Command Prompt

Description = Block Command Prompt

OMA-URI = ./user/vendor/MSFT/Policy/Config/ADMX_ShellCommandpromptRegeditTools/DisableCMD

Data type = String

Value =
<enabled/>
<data id=”DisableCMDScripts” value=”1″/>

Ensure you enter these exactly as shown, anything else will prevent the policy working as expected.

Press Save.

image

You should now see the item you just entered displayed as shown above.

Select Next to continue.

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

image

You will now see a summary. Ensure the Configuration settings has the above set before selecting the Create button to complete the policy.

image

You should now see that the policy has been created and listed with all other Configuration profile policies as shown above.

You can edit this policy at any stage simply by selecting it.

image

You now need to wait until the policy is deployed successfully to devices. You can check the status of this by viewing the Device status for the policy as shown above.

Capture2

If you open the Command Prompt on a device where the policy is deployed you will see the above message.

Blocking Registry edits on Windows with an Intune Device Configuration profile

This article shows you how to use Intune to block Registry editing on Windows devices using a Configuration profile.

Navigate to https://endpoint.microsoft.com and select Device from the menu on the left as shown above.

Then, select Windows on the right.

Select Configuration profiles from the menu on the left as shown.

image

Select Create profile.

Then select the Platform as Windows 10 and later.

Select the Profile type as Templates.

From the list of templates select Custom.

Select Create in the bottom right.

image

Give the policy a name and select Next to continue.

image

Select Add.

image

In the OMA-URI settings enter the following as shown above:

Name = Block Registry

Description = Block Registry

OMA-URI = ./user/vendor/MSFT/Policy/Config/ADMX_ShellCommandpromptRegeditTools/DisableRegedit

Data type = String

Value =
<enabled/>
<data id=”DisableRegeditMode” value=”2″/>

Ensure you enter these exactly as shown, anything else will prevent the policy working as expected.

Press Save.

image

You should now see the item you just entered displayed as shown above.

Select Next to continue.

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

image

You will now see a summary. Ensure the Configuration settings has the above set before selecting the Create button to complete the policy.

image

You should now see that the policy has been created and listed with all other Configuration profile policies as shown above.

You can edit this policy at any stage simply by selecting it.

image

You now need to wait until the policy is deployed successfully to devices. You can check the status of this by viewing the Device status for the policy as shown above.

Capture1

If you now try and make a change to the registry on a device where the policy is deployed you will see the following message.

Techwerks 19

bw-car-vehicle

CIAOPS Techwerks returns to Melbourne CBD on Thursday the 18th of May.

The course is limited to 20 people and you can sign up and reserve your place now! You reserve a place by completing this form:

http://bit.ly/ciaopsroi

or by sending me an email (director@ciaops.com) expressing your interest.

The content of these all day face to face workshops is driven by the attendees. That means we cover exactly what people want to see and focus on doing hands on, real world scenarios. Attendees can vote on topics they’d like to see covered prior to the day and we continue to target exactly what the small group of attendees wants to see. Thus, this is an excellent way to get really deep into the technology and have all the questions you’ve been dying to know answered. Typically, the event produces a number of best practice take aways for each attendee. So far, the greatest votes are for deeper dives into the Microsoft Cloud including Microsoft 365, Azure, Intune, Defender for Endpoint, security such as Azure Sentinel and PowerShell configuration and scripts, with a focus on enabling the technology in SMB businesses.

Recent testimonial – “I just wanted to say a big thank you to Robert for the Brisbane Techworks day. It is such a good format with each attendee asking what matters them and the whole interactive nature of the day. So much better than death by PowerPoint.” – Mike H.

The cost to attend is:

Gold Enterprise Patron = Free

Gold Patron = $33 inc GST

Silver Patron = $99 inc GST

Bronze Patron = $176 inc GST

Non Patron = $399 inc GST

I hope to see you there.

Blocking USB devices on Windows with an Intune Device Configuration profile

There are a number of ways to block USB storage devices using Intune. You can also complete:

Blocking USB devices on Windows with an Intune Endpoint Security policy

The following method is very similar but uses a Device Configuration profile.

image

Navigate to https://endpoint.microsoft.com and select Device from the menu on the left as shown above.

Then, select Windows on the right.

image

Select Configuration profiles from the menu on the left as shown.

image

Select Create profile.

Then select the Platform as Windows 10 and later.

Select the Profile type as Templates.

From the list of templates select Administrative Templates.

Select Create in the bottom right.

image

Give the policy a meaningful name and description.

Select Next to continue.

image

Select Computer configuration.

Then enter the following into the Search box ‘prevent installation of devices’ and Search.

Typically, the first item returned will be ‘Prevent installation of devices not described by any other policy. Select this.

Select the option Enabled.

Select OK.

Select Next to continue.

image

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

image

You will now see a summary. Ensure the Configuration settings has the above set before selecting the Create button to complete the policy.

image

You can also review these settings at any time by simply selecting the policy in the list and viewing its details as shown above.

image

You now need to wait until the policy is deployed successfully to devices. You can check the status of this by viewing the Device status for the policy as shown above.

Screenshot 2023-03-20 145033

If you now try and plug in an unknow USB storage device you may see the above warning. In other cases, you will see no warning but USB device storage will be blocked.

Some points to remember:

1. The above policy is only designed for Windows 10 and above

2. The above policy won’t prevent USB storage devices that have already been used on an endpoint. These need to be removed from the device manager on the device to be blocked in future.

3. Some USB devices that don’t appear as storage devices in fact have a small amount of storage on them (for video and projector drivers for example). These will also be blocked.

Blocking USB devices on Windows with an Intune Endpoint Security policy

There are a number of ways to block USB devices using Intune. The following method uses an Endpoint Security Policy.

image

Navigate to https://endpoint.microsoft.com and select Endpoint security from the menu on the left as shown above.

Then select Attack surface reduction from the options that appear on the right as shown above.

image

Select Create policy.

Select Platform as Windows 10 and later as shown.

Select Profile as Device Control as shown.

Select Create in the bottom right.

image

Give the policy a meaningful name and description.

Select Next to continue.

image

Under the System > Device Installation > Device Installation Restrictions heading locate the Prevent installation of removable devices item and set this to Enabled as shown above.

Select Next to continue.

image

Scroll down the list of available settings to locate the Device Control section as shown. To prevent ANY new USB from installing ensure this option is set to Not configured.

Select Next to continue.

image

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.

image

On the summary screen, expand the Administrative Templates option as shown. In here you should see that Prevent installation of removable devices is set to Enabled.

Select Create.

image

The created policy should now be listed as shown above. Click on it to view.

image

When the policy has been successfully applied to the devices the policy was assigned to you should see the status of devices as shown above.

Select View report button.

image

You should now see all the listed that have this policy applied to them as shown above.

Screenshot 2023-03-20 145033

If you now try and plug in an unknow USB storage device you may see the above warning. In other cases, you will see no warning but USB device storage will be blocked.

Some points to remember:

1. The above policy is only designed for Windows 10 and above

2. The above policy won’t prevent USB storage devices that have already been used on an endpoint. These need to be removed from the device manager on the device to be blocked in future.

3. Some USB devices that don’t appear as storage devices in fact have a small amount of storage on them (for video and projector drivers for example). These will also be blocked.

4. You can create exceptions to this policy via the device id if you wish.

Need to Know podcast–Episode 299

In this episode I take a stroll through Microsoft Compliance manager and highlight some important features that you should consider taking advantage of. In the news and updates I share information about the new Microsoft Co-pilot services and how that brings the power of AI and Chat GPT to the full suite of Microsoft 365 services.

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-299-compliance-manager/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

This episode was recorded using Microsoft Teams and produced with Camtasia 2022.

Brought to you by www.ciaopspatron.com

Resources

@directorcia

@directorcia@twit.social

Join my shared channel

CIAOPS merch store

Become a CIAOPS Patron

CIAOPS Blog

YouTube edition of this podcast

Introducing Microsoft 365 Copilot – your copilot for work

Introducing Microsoft 365 Copilot—A whole new way to work

Introducing Microsoft 365 Copilot — your copilot for work

Build solutions faster with Microsoft Power Platform and next-generation AI

Configuring BitLocker via Microsoft Intune settings catalog

Announcing support of the new Microsoft Store apps during Windows Autopilot

Playlists, offline viewing and more in Stream (on SharePoint)

XDR attack disruption in action – Defending against a recent BEC attack

Microsoft is named a Leader in the 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms

CIAOPS Need to Know Microsoft 365 Webinar – March

laptop-eyes-technology-computer

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at Daa protection in Microsoft 365

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

March Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2303

The details are:

CIAOPS Need to Know Webinar – March 2023
Tuesday 28th of March 2023
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.