Disable Windows Key from Keyboard via Group Policy

I received a request to disable the Windows key on the keyboard via Group Policy, for any hardware keyboard brand. The request was not to disable a keyboard shortcut such as WinKey+L. I researched and found that all the solutions talked about “ScanCode” registry keys. I tested it in my environment by following the steps below:

1- Create the GPO as shown below

2- Link it to a test OU
3- Move machine to the test OU
4- Log on to the machine and run gpupdate /force
5- Run “regedit”, go to the path “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard” and confirm that the new value (ScanCode Map) is created with value: hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,00,00,5c,e0,00,00,00,00
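
To see what the value in step 5 asks Windows to do, the following added example (not part of the original post) decodes it using the documented Scancode Map layout: an 8-byte header, a 4-byte entry count, then 4-byte entries holding the replacement and the original scan code. The function name ConvertFrom-ScancodeMap and the small key-name table are assumptions made for this illustration.

```powershell
# Added example: decode a "Scancode Map" REG_BINARY value into its key remappings.
# ConvertFrom-ScancodeMap is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-ScancodeMap {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # 8-byte header (version + flags), 4-byte count, and at least the 4-byte terminator.
    if ($Bytes.Length -lt 16 -or $Bytes.Length % 4 -ne 0) {
        throw "Value length $($Bytes.Length) is not a valid Scancode Map length."
    }

    # The stored count includes the terminating null entry.
    $count = [BitConverter]::ToUInt32($Bytes, 8)
    $slots = [int](($Bytes.Length - 12) / 4)
    if ($count -ne $slots) {
        throw "Entry count $count does not match the $slots entries present."
    }
    if ([BitConverter]::ToUInt32($Bytes, $Bytes.Length - 4) -ne 0) {
        throw "Missing null terminator entry."
    }

    # Names for the two scan codes used in this post (E0-prefixed extended keys).
    $names = @{ 0xE05B = 'Left Windows'; 0xE05C = 'Right Windows' }

    for ($i = 0; $i -lt $slots - 1; $i++) {
        $offset = 12 + 4 * $i
        # Each entry is two little-endian 16-bit codes: replacement first, original second.
        $to   = [BitConverter]::ToUInt16($Bytes, $offset)
        $from = [BitConverter]::ToUInt16($Bytes, $offset + 2)
        [pscustomobject]@{
            Key      = if ($names.ContainsKey([int]$from)) { $names[[int]$from] } else { 'Unknown' }
            From     = '0x{0:X4}' -f $from
            To       = '0x{0:X4}' -f $to
            Disabled = ($to -eq 0)   # mapping to 0x0000 means the key sends nothing
        }
    }
}

# The value from step 5, embedded so the example runs offline.
$hex = '00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,00,00,5c,e0,00,00,00,00'
[byte[]]$value = $hex -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) }

# On a machine where the GPO applied, read the live value instead:
# $value = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard').'Scancode Map'

ConvertFrom-ScancodeMap -Bytes $value | Format-Table -AutoSize
```

For the value above, the output lists two entries, 0xE05B and 0xE05C, both mapped to 0x0000.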

Unfortunately, this solution failed and the users can still use the keyboard shortcut.

Resolution:

After deep investigation and analysis, I found that a ScanCode Map is used to convert unusual OEM scan codes into standard ones and is more likely for OEM-specific use only. Different types of keyboards and different drivers from different hardware brands mean the ScanCode Map doesn’t work on machines even if you add the registry key.

It is recommended to use the keyboard filter rather than a custom scancode map. The following script, taken from Microsoft, is used to block the keys: https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/wekf-predefinedkey

I tested the approach and it worked fine on different hardware brands by following the steps below:

  1. Enable the Keyboard Filter feature and restart by running the commands below in an admin PowerShell:

Enable-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -All -OutVariable result
Restart-Computer -Force

  2. Block the Windows key with the script below in an admin PowerShell:

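# Enable one predefined key (or key combination) in the Keyboard Filter by its Id
function Enable-Predefined-Key($Id)
{
    $predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
        where {
            $_.Id -eq "$Id"
        };
    if ($predefined)
    {
        $predefined.Enabled = 1;
        $predefined.Put() | Out-Null;
        Write-Host Enabled $Id
    }
    else
    {
        Write-Error "$Id is not a valid predefined key"
    }
}

# WMI namespace that hosts the Keyboard Filter classes
$CommonParams = @{ "namespace" = "root\standardcimv2\embedded" };
# Target a remote machine only if a ComputerName parameter was passed to the script
if ($PSBoundParameters.ContainsKey("ComputerName"))
{
    $CommonParams += @{ "ComputerName" = $ComputerName };
}

# Enable filters
# Query the Keyboard Filter settings first; stop here if the class cannot be queried
Get-WMIObject -class WEKF_Settings @CommonParams -ErrorAction Stop
Enable-Predefined-Key "Windows"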

You can find the full list of predefined keys at https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/predefined-key-combinations, and the scripts can be deployed through Group Policy. If you have questions, please let me know in the comments below.
