Privacy and Security Enable or Disable Enhanced Security and Performance for Batch and CMD files in Windows 11

This tutorial will show you how to turn on or off enhanced security and performance for batch and CMD files in Windows 11

Starting with Windows 11 build 26100.8328 (24H2), build 26200.8328 (25H2), and build 28000.2179 (26H1), Administrators and Application Control for Business policy authors now have additional control over how the system processes batch files and Command Prompt (CMD) scripts. Starting with this release, administrators can enable a more secure processing mode for batch files. This mode prevents batch files from changing during execution.

This enhances the performance and security of batch file processing when code integrity is enabled, as signature validation will only required to be performed a single time, instead of per statement executed in the batch file.

Policy authors can also enable this mode by using the LockBatchFilesWhenInUse application manifest control, as documented in the Application Control for Business manifest schema.

You must be signed in as an administrator to turn on or off enhanced security and performance for batch and CMD files.

1 Do step 2 (on) or step 3 (off) below for what you would like to do.





(Contents of REG file for reference)

This is the default setting.

(Contents of REG file for reference)

4 Save the .reg file to your desktop.

5 If you have Smart App Control turned on, you will need to unblock the downloaded REG file.

6 Double click/tap on the downloaded .reg file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 You can now delete the downloaded .reg file if you like.





1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Copy and paste the command below you want to use into Windows Terminal (Admin), and press Enter.





That's it,
Shawn Brink