This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 82%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
How to block all the (.MSC) commands/windows in Windows devices via Intune?
For example: lusrmgr.msc this command/window
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Vinod Survase, Thanks for posting in Q&A. Based on my researching, I find we can configure "Restrict Users to the explicitly permitted list of snap-ins" and "Restricted/Permitted snap-ins" to restrict the .msc access. Here is a link with more details:
https://www.itprotoday.com/windows-78/how-can-i-restrict-access-mmc-snap-ins
Note: Non-Microsoft link, just for the reference.
In Intune, the policy settings are also available in Setting Catalog, you can configure there:
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for sharing this. I have tested this on test device and seems it does not block the access as I got "Error" prompt before opening MMC console on device but it was opened successfully and was able to make changes on it.
@Vinod Survase, How's everything going? Could you help to confirm the above information to go further?
Thanks for sharing this. It worked with policy as you showed above.
@Vinod Survase, Thanks for the confirmation. It seems to work with policy now. Congratulations! Would you mind clicking "Accept Answer" to help others quick find the solution. Thanks!
@Vinod Survase, Thanks for the reply. Based on my test, when I configure the policy as below:
After the policy is applied, I get the following error when I enter lusrmgr.msc in run
And is unable to access as below:
From your description, I know you also get error. Is it the same as the one I get? Which snap ins you are testing? If it is a different one, please let me know the name to let me test.