Using SureMDM, you can block PowerShell, Command Prompt (cmd.exe), and Registry Editor (regedit.exe) on Windows devices. This will make sure the end-users cannot run any script or command through PowerShell or cmd and cannot manually change any registry settings.
Purpose
The purpose of this knowledge article is to provide a guide on how to disable Command Prompt (CMD), Windows PowerShell, and Registry Editor (REGEDIT) using SureMDM.
Prerequisites
- This feature is supported on EMM-enrolled devices.
Steps
1. Log in to the SureMDM console.
2. Click on Profiles at the top menu bar.
3. In the Profiles section, click on Windows.
4. Click on the Add button and click on the App Locker option from the list.
5. Click on the Add (+) button to add the profile.
- Select the Action as DENY.
- Select the Type as Custom App.
- In the App Type drop-down list, select EXE.
- For the Condition field, select Path.
- In the Path text box, paste the below paths one at a time to block PowerShell, cmd, and regedit applications.
%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe
%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe
%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
%SYSTEM32%\cmd.exe
%WINDIR%\regedit.exe
Example:
6. Save the profile by providing the profile name, and go back to the homepage.
7. Select the Windows device and click on the Apply button. Select the profile created in the previous step and click on the Apply button.
8. Once the profile is successfully applied to the Windows device, try to access PowerShell, cmd.exe, and regedit.exe. You should see a message similar to the one below.
Need help? CONTACT US