Block keyboard shortcuts on your devices with Intune
In this post I will show you how to block some keyboard shortcuts on your devices with Intune.
Context
See below what do we want:
- Block some keyboards combinations on devices like Windows+R, Windows+E...
- Deploy this through Intune with a script, remediation script
The solution
The solution is pretty easy and not something really new.
Actually in Windows you can find a cool feature called Keyboard filter allowing you to block some keyboard shortcut.
The solution is to enable this feature through a script and block keyboard combinations we want to block.
To get more info about blocking combinations see my post here.
PowerShell and keyboard feature
As mentioned previously, to block some keyboard combinations the feature to use is Keyboard filter.
See below how to enable the feature with PowerShell:
This feature includes two classes:
- WEKF_PredefinedKey: includes existing keyboard combinations
- WEKF_CustomKey: add keyboard combinations not found in the PredefinedKey
To find which class to use, just list existing keyboard combinations using the WEKF_PredefinedKey class.
The PredefinedKey class allows you to list existing combinations that you can block.
You need to enable the feature first.
See below the code to do this:
If you don't find the combination you want to block in the PredefinedKey, you need to use the WEKF_CustomKey.
The WEKF_CustomKey class does not give the possibility to list existing combinations but only applied combinations.
Get the script
Click on the below picture to get the remediation script
Add keyboard shortcuts you want to block in the $Keyboard_Shortcuts variable.
What does the remediation script ?
The detection script will proceed as below:
- Check if the KeyboardFilter feature is enabled
- Check if keyboard shortcuts are blocked or not
- If not run the remediation script
The remediation script will proceed as below:
- Check if keyboard shortcuts are blocked or not
- If not, it will block them
Creating the Remediation script
To block some keyboard shortcuts, use both Detection and Remediation scripts mentioned above.
1. Go to the Intune portal
2. Go to Devices
3. Go to Remediations
4. Click on Create script package
5. Type a name
6. Click on Next
7. Click on Detection script file
8. Browse to Detection.ps1
9. Click on Remediation script file
10. Browse to Remediation.ps1
11. Click on Next
12. Click on Next
13. Click on Create
1 commentaire
There exist a dependency of "Windows Optional Features"
$FeatureNamePrerequisite1 = "Client-DeviceLockdown" # prerequisite for KeyboardFilter
$Check_DeviceLockdown_Feature = Get-WindowsOptionalFeature -online -FeatureName $FeatureNamePrerequisite1
$Check_DeviceLockdown_Feature
<#
FeatureName : Client-DeviceLockdown
DisplayName : Device Lockdown
Description : Services and tools to provide a controlled and specialized experience for the end user of a device
RestartRequired : Possible
State : Enabled
CustomProperties :
#>
<#
# TAke care about dependency of 'Client-KeyboardFilter'
Error: 50
The operation is complete but Client-KeyboardFilter feature was not enabled.
A required parent feature may not be enabled. You can use the /enable-feature /all option to automatically enable each parent feature from the following list.
If the parent feature(s) are already enabled, refer to the log file for further diagnostics.
Client-DeviceLockdown
#>
$FeatureName = "Client-KeyboardFilter"
$Check_Keyboard_Feature = Get-WindowsOptionalFeature -online -FeatureName $FeatureName
$Check_Keyboard_Feature
<#
FeatureName : Client-KeyboardFilter
DisplayName : Keyboard Filter
Description : Enables controls to suppress undesirable key presses or key combinations
RestartRequired : Possible
State : Disabled
CustomProperties :
#>
Enregistrer un commentaire