Bonio

Reputation: 342

Lock down Windows PC with Intune to block cmd and regedit etc.

I am trying to use Intune to manage devices joined to Azure AD. There is no on-premise Active Directory, so there is no access to Group Policy. I need to be able to completely lock down Windows 10 PCs so that the user cannot access things such as the command prompt (CMD) or Regedit, or anything like this that would allow them to cause any problems on the PC.

I can see in Intune where I can restrict access to the "Settings" section etc., but there doesn't seem to be anything for restricting the applications mentioned above.

Imagine the PCs being in a school, for example, where they need to be completely restricted so that no troublesome users can mess about with them.

Does anyone know if this is possible using Intune and, if so, how? Otherwise, what are the alternatives? Is there a better MDM to be using?

Upvotes: 0

Views: 2516

Answers (1)

jarred power

Reputation: 13

AppLocker is the only way I have found to do this. Create a custom OMA-URI ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/000000001/EXE/Policy with a value of type String, and use an XML file to detail what you want to restrict. See https://www.petervanderwoude.nl/post/managing-applocker-on-windows-10-via-oma-dm/ for full details. You can do the same for CMD and regedit.

I.e. this example blocks PowerShell and Python:

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <!-- Rule 1: local Administrators (SID S-1-5-32-544) may run anything, with no exceptions -->
  <FilePathRule Id="e16ce5e4-67f2-4ebf-ad01-c81fc8f28cd5" Name="All Files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <!-- Rule 2: Everyone (SID S-1-1-0) may run anything except the Microsoft-signed PowerShell
       binaries listed as exceptions; a file caught by an exception matches no allow rule
       and is therefore blocked -->
  <FilePathRule Id="9eb15b2e-f9c2-42d4-8692-ad1a0f6a0722" Name="All files" Description="Allows user to run files execpt powershell" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL_ISE.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
  <!-- This is a test to block python from running -->
  <!-- Rule 3: explicit Deny for Everyone of any binary signed by the Python Software Foundation,
       whatever its product name, file name or version -->
  <FilePublisherRule Id="3d6ce594-1cc7-4870-b839-48c43a8954c0" Name="Signed by O=PYTHON SOFTWARE FOUNDATION, L=WOLFEBORO, S=NEW HAMPSHIRE, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=PYTHON SOFTWARE FOUNDATION, L=WOLFEBORO, S=NEW HAMPSHIRE, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Upvotes: 0
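A worked version of the "same for CMD and regedit" step, added here as an example and not taken from the answer or the linked post: the Everyone allow rule gains publisher exceptions for cmd.exe and regedit.exe, and the result is evaluated locally with Test-AppLockerPolicy before it goes into the OMA-URI. It assumes the standard Windows install paths and the Microsoft publisher values shown in the answer's XML; the rule GUIDs are constructed placeholders.

```powershell
# Added example, not code from the original answer: the answer's RuleCollection extended so the
# Everyone allow rule also excludes cmd.exe and regedit.exe, wrapped in the <AppLockerPolicy> root
# the AppLocker cmdlets expect, then evaluated locally with Test-AppLockerPolicy before the
# RuleCollection is pasted into the Intune OMA-URI. Rule GUIDs here are constructed placeholders.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Local Administrators (S-1-5-32-544) keep unrestricted execution -->
    <FilePathRule Id="00000000-0000-4000-8000-000000000001" Name="Admins: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Everyone (S-1-1-0) may run anything except the Microsoft-signed binaries listed below;
         a file matched by an exception has no allow rule left and is therefore blocked -->
    <FilePathRule Id="00000000-0000-4000-8000-000000000002" Name="Everyone: all files except shells and regedit" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="CMD.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="REGEDIT.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="POWERSHELL_ISE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Write the policy out as UTF-8 so the (R) characters in ProductName survive, then ask AppLocker
# how it would decide for a standard (non-admin) user. Confirm the publisher fields with
# Get-AppLockerFileInformation if a binary's signature details differ on your Windows build.
$policyPath = Join-Path $env:TEMP 'lockdown-applocker.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
$targets = 'C:\Windows\System32\cmd.exe',
           'C:\Windows\regedit.exe',
           'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
           'C:\Windows\System32\notepad.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $targets -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

The <AppLockerPolicy> wrapper is only there for the local test; the inner <RuleCollection> element is what the answer's OMA-URI takes as its string value.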
