How to Prevent the Run command on Windows 10 for Azure AD Joined and Intune managed devices

A customer recently asked how they could prevent their users from using the Run command. The Run command is invoked by pressing Win+R, or by going to Start - Windows System - Run (there are other ways, but these are the primary ones).

The easy way to solve this is via Group Policy. In the GPO management console, go to User Configuration - Administrative Templates - Start Menu and Taskbar and enable "Remove Run menu from Start Menu".

[Screenshot: Run_Group_Policy.jpg]

That's great for Group Policy and domain joined machines (or Hybrid Azure AD Joined). But what about Azure AD Joined and Intune managed?

Create a PowerShell script with the following command:

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

Save it as a PS1 file and upload it to Intune with the following settings (for every PowerShell script I create, I always make sure to select Run script in 64 bit PowerShell host). Once saved, target the script to a group of users.

[Screenshot: Powershell script settings.jpg]
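The same registry change written as a native PowerShell script that can be re-run safely and confirms the value was written; this is an added example, not the script from the original post. It assumes the script is assigned so that it runs as the signed-in user (HKCU under the SYSTEM account is SYSTEM's own hive, not the user's), and the variable names are illustrative.

```powershell
# Added example: idempotent write of the NoRun policy value, with verification.
# Assumption: the script runs as the signed-in user, so HKCU: is that user's hive.
$ErrorActionPreference = 'Stop'

$keyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoRun'
$desired   = 1

try {
    # Under the SYSTEM account, HKCU: is SYSTEM's hive and the user is unaffected.
    # S-1-5-18 is the well-known SID of LocalSystem.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    if ($sid -eq 'S-1-5-18') {
        throw 'Running as SYSTEM; HKCU does not refer to the signed-in user.'
    }

    # Create the Policies\Explorer key if it is not there yet.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Write only when the value is missing or different, so re-runs change nothing.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($current -ne $desired) {
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null
    }

    # Read the value back and fail loudly if it did not stick.
    $check = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
    if ($check -ne $desired) {
        throw "NoRun is '$check', expected '$desired'."
    }

    Write-Output "NoRun=$check set for $env:USERNAME"
    exit 0
}
catch {
    # Report the reason and return a non-zero exit code so the failure is visible.
    Write-Error -Message $_.Exception.Message -ErrorAction Continue
    exit 1
}
```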
