Using SureMDM, you can block PowerShell, Command Prompt (cmd.exe), and Registry Editor (regedit.exe) on Windows devices. This will make sure the end-users cannot run any script or command through Powershell or cmd, and cannot manually change any registry settings.
Below are the steps to follow:
- Log in to the SureMDM Console.
- Click on the Profiles at the top menu bar.
- In the Profiles section, click on Windows.
- Click on the Add button and click on the App Locker option from the list.
- Click on the Add(+) button to add the profile.
- Select the Deny radio button.
- In the Type dropdown list, select EXE.
- For the Condition field, select the Path radio button.
- In the Path text box, paste the below paths one at a time to block PowerShell, cmd, and regedit applications.
%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe %SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe %SYSTEM32%\cmd.exe %WINDIR%\regedit.exe
- Save the profile by providing the profile name, and go back to the homepage.
- Select the Windows device and click on the Apply button. Select the profile created in the previous step and click on theApply button.
- Once the profile is successfully applied to the Windows device, try to access the PowerShell, cmd.exe, and regedit.exe. You should see a message similar to the one below.
NOTE: This feature is supported on EMM enrolled devices