This article shows how to use Intune to block Registry Editor (regedit.exe) on Windows devices with a custom Configuration profile.
Navigate to https://endpoint.microsoft.com and select Devices from the menu on the left as shown above.
Then, select Windows on the right.
Select Configuration profiles from the menu on the left as shown.
Select Create profile.
Set the Platform to Windows 10 and later.
Set the Profile type to Templates.
From the list of templates select Custom.
Select Create in the bottom right.
Give the policy a name and select Next to continue.
Select Add.
In the OMA-URI settings, enter the following:
Name = Block Registry
Description = Block Registry
OMA-URI = ./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit
Data type = String
Value =
<enabled/>
<data id="DisableRegeditMode" value="2"/>
Enter these exactly as shown, using plain straight quotes in the XML (curly quotes pasted from a web page will break the value). A DisableRegeditMode of 2 blocks regedit.exe entirely, including its silent /s mode; a value of 1 blocks only the interactive editor. Anything else will stop the policy applying as expected.
Press Save.
You should now see the item you just entered displayed as shown above.
Select Next to continue.
Assign the policy to a group. Here it is being assigned to all Windows devices. Because the OMA-URI sits in the ./User scope, the setting is applied for the users who sign in on the targeted devices rather than machine-wide.
Select Next to continue.
You will now see a summary. Check that Configuration settings lists the OMA-URI setting entered above, then select Create to complete the policy.
You should now see that the policy has been created and listed with all other Configuration profile policies as shown above.
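The same profile can be created and assigned from PowerShell through Microsoft Graph rather than by clicking through the portal, which is useful when the policy has to be reproduced across tenants. The script below is an added example, not from the original article. It assumes the Microsoft.Graph.Authentication module is installed and that the signed-in account can consent to the DeviceManagementConfiguration.ReadWrite.All scope; the "All devices" assignment mirrors the article's choice of targeting every Windows device.

```powershell
# Added example (not from the original article): create the custom OMA-URI
# profile via Microsoft Graph and assign it to all devices.
# Assumes Microsoft.Graph.Authentication is installed.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# Same ADMX-backed XML the article enters by hand.
# DisableRegeditMode 2 = block regedit.exe including silent /s mode; 1 = block the UI only.
$policyValue = '<enabled/><data id="DisableRegeditMode" value="2"/>'

# windows10CustomConfiguration is the Graph type behind the "Custom" template;
# each omaSettingString is one row of the OMA-URI settings list in the portal.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Block Registry'
    description   = 'Block Registry'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Block Registry'
            description   = 'Block Registry'
            omaUri        = './User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableRegedit'
            value         = $policyValue
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created profile $($created.displayName) with id $($created.id)"

# Assign to the built-in "All devices" target, as the article does.
# Swap in a groupAssignmentTarget with a groupId to scope it to a pilot group instead.
$assignment = @{
    assignments = @(
        @{
            target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
```

Keeping the profile definition in a script also gives you a reviewable record of exactly which OMA-URI and value were deployed, which matters here because a single character out of place (including a curly quote) silently produces a profile that reports an error instead of applying.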
You can edit this policy at any stage simply by selecting it.
The policy now has to be deployed to the targeted devices, which happens at their next Intune sync. You can check progress by viewing the Device status for the policy as shown above.
If you now try to open Registry Editor on a device where the policy has applied, you will see the message "Registry editing has been disabled by your administrator." Note that this policy only stops regedit.exe from running: the registry itself remains writable through reg.exe, the PowerShell registry provider and any application the user can run, so treat it as a usability guard rather than a security boundary.
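To confirm from the device side that the policy has landed, and to see what it does and does not prevent, you can check the registry value the ADMX-backed DisableRegedit policy writes. This is an added example, not from the original article; it assumes you are running it as the signed-in user the profile targeted, and that the device is Intune-enrolled (the optional sync trigger uses the PushLaunch scheduled task Intune enrollment creates).

```powershell
# Added example (not from the original article): verify the regedit block on a
# managed device and show that the registry itself is still writable.

# Optional: nudge an Intune sync instead of waiting for the next scheduled one.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Where-Object TaskName -eq 'PushLaunch' |
    Start-ScheduledTask

# The ADMX-backed DisableRegedit policy maps to the DisableRegistryTools value
# under the per-user Policies\System key, the same place Group Policy writes it.
function Get-RegeditBlockState {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name DisableRegistryTools -ErrorAction SilentlyContinue).DisableRegistryTools
    switch ($value) {
        2       { 'regedit.exe blocked, including silent /s mode (DisableRegeditMode 2)' }
        1       { 'regedit.exe UI blocked, silent /s mode still allowed (DisableRegeditMode 1)' }
        default { 'policy not applied: DisableRegistryTools is absent' }
    }
}
Get-RegeditBlockState

# Caveat: only regedit.exe is blocked. A plain registry write through the
# PowerShell provider still succeeds. ExampleRegeditTest is a harmless,
# made-up HKCU key used only for this probe and removed afterwards.
$probeKey = 'HKCU:\Software\ExampleRegeditTest'
New-Item -Path $probeKey -Force | Out-Null
Set-ItemProperty -Path $probeKey -Name Probe -Value 1
if ((Get-ItemProperty -Path $probeKey).Probe -eq 1) {
    'Registry write succeeded: the policy blocks the editor, not the registry'
}
Remove-Item -Path $probeKey -Recurse
```

If Get-RegeditBlockState reports the value as absent while the portal shows the profile as Succeeded, the usual cause is that the check was run as a different user than the one who signed in on the device, since the ./User scope writes the value under that user's HKCU only.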