1. Home
  2. SureMDM
  3. How to disable Command Prompt (CMD), Windows PowerShell, and Registry Editor (REGEDIT) with SureMDM

How to disable Command Prompt (CMD), Windows PowerShell, and Registry Editor (REGEDIT) with SureMDM

KB ID: 42G2207752
Views: 193
Updated: July 2022

Using SureMDM, you can block PowerShell, Command Prompt (cmd.exe), and Registry Editor (regedit.exe) on Windows devices. This will make sure the end-users cannot run any script or command through Powershell or cmd, and cannot manually change any registry settings. 

Below are the steps to follow:

  1. Log in to the SureMDM Console.
  2. Click on the Profiles at the top menu bar.
  3. In the Profiles section, click on Windows.
  4. Click on the Add button and click on the App Locker option from the list.
  5. Click on the Add(+) button to add the profile.

    • Select the Deny radio button.
    • In the Type dropdown list, select EXE.
    • For the Condition field, select the Path radio button.
    • In the Path text box, paste the below paths one at a time to block PowerShell, cmd, and regedit applications.
    %SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe
    %SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe
    %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    %WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
    %SYSTEM32%\cmd.exe
    %WINDIR%\regedit.exe
  6. Save the profile by providing the profile name, and go back to the homepage.
  7. Select the Windows device and click on the Apply button. Select the profile created in the previous step and click on theApply button.
  8. Once the profile is successfully applied to the Windows device, try to access the PowerShell, cmd.exe, and regedit.exe. You should see a message similar to the one below.

NOTE: This feature is supported on EMM enrolled devices

Related Articles