How to block Command prompt using Intune

I recently wrote a blog post on blocking registry access on Windows devices using Intune. This blog post will provide the steps for blocking the command prompt (cmd.exe) using Intune.

There could be several reasons for blocking Command prompt access, such as improving device security, complying with regulations, or simply preventing users from running any command on the Command prompt.

This requires creating a device configuration profile and using a setting called Prevent access to the command prompt(User) from Settings Catalog. There is an additional setting Disable the command prompt script processing also? (User) which controls the execution of batch/cmd script files on the computer.

Be careful when setting Disable the command prompt script processing also? (User) to Yes, as it will disable the execution of Login scripts or any execution of batch scripts on the device. If you regularly use Login scripts and batch script files to manage your devices, choose No for this setting.

In the following sections of this blog post, we will examine the steps for blocking the Command prompt on Windows 10/11 devices using Intune.

STEP 1 – Create a Device Configuration Profile

Let’s create a device configuration profile first and configure this setting:

  • Sign in to the Intune admin center
  • Click on Devices > Configuration > Create > New Policy.
  • Platform: Windows 10 and later
  • Profile type: Settings Catalog

Basics

Provide a Name and Description of the Profile. For Example:

  • Name: Prevent CMD.exe access for all users
  • Description: This profile will block CMD.exe on user’s devices

Configuration settings

Click on + Add settings and search for the command prompt in the settings picker. Select Prevent access to the command prompt(User) to configure.

Prevent access to the command prompt(User) setting on Intune admin center
  • To enable it, toggle the switch to prevent access to the command prompt(User). This will not allow users to launch the Command prompt on their device.
  • Keep Disable the command prompt script processing also? (User) to No. This will allow Login scripts and batch files to work on the device while blocking Command prompt access. However, if you want to take a block-all approach, where execution of cmd or bat files/scripts will also be blocked, select Yes for this setting.
Use the toggle to Enable Prevent access to the command prompt(User)

Assignments

Assign this profile to an Entra security group containing users or devices. If you add users to the group, the profile will get applied even if a user changes their device. But if you want to apply this profile to specific devices only, then target this profile to an Entra security group containing devices only.

Review + create

Review the profile settings and click on Create to create this policy.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Restarting the device is another way to trigger the Intune device check-in process.

STEP 2 – Monitoring Deployment Progress

To monitor the deployment progress of a Device configuration profile, follow the below steps:

  • Sign in to the Intune admin center.
  • Click on Devices and then select Configuration.
  • Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
  • Click on View report to access more detailed information.
Monitoring device configuration profile on Intune admin center

End-user Experience

Once this policy has been successfully applied to target devices, when users launch the command prompt from the start menu or using the Run dialog box, they will receive the message below in the command prompt window.

The command prompt has been disabled by your administrator. Press any key to continue.

The command prompt has been disabled by your administrator

If you also want to confirm that this device configuration profile has been applied successfully in another way, then you can open the registry editor and go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System registry key. On the right-hand side, you will find a DWORD registry entry called DisableCMD, which will be set to 2.

When you set Disable the command prompt script processing also? (User) to Yes, you will find the DisableCMD value set to 1 instead.

FAQs

What is the OMA-URI setting for blocking Command Prompt?

This is an alternative method of blocking the command prompt on Windows using Intune. The Settings Catalog method discussed above is more straightforward.

For your reference, below is the OMA-URI setting, which you can use to block the command prompt.

./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD

Use a String data type and provide the value below. A value of 2 blocks command prompt access only; a value of 1 blocks command prompt access and also the execution of batch and cmd scripts.

<enabled/>
<data id="DisableCMDScripts" value="2"/>

What is the registry key and value for blocking Command Prompt access for all users on a device?

As discussed earlier, the registry key is HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, and a DWORD entry DisableCMD with a value of 2 will block Command prompt access. Setting it to 1 will additionally block the execution of batch (.bat) and .cmd script files.

Where can I find logs related to the Device Configuration Profile?

For checking the logs related to a device configuration profile deployment via Intune, you can follow the below steps:

– Press the Windows key + R to open the Run dialog box
– Type eventvwr and press Enter to open Event Viewer.
– Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
– Search for Event ID 813 or 814 and go through the logs to find the one related to the deployment.
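The registry check from the End-user Experience section and the event log steps above can be combined into one verification script run on the target device. This is an added example, not code from the original post; the function name Test-DisableCmdPolicy is our own.

```powershell
# Added example (not from the original post): verify on a Windows device that the
# "Prevent access to the command prompt" profile has applied, using the DisableCMD
# registry value and the DeviceManagement event log described in the post.
function Test-DisableCmdPolicy {
    $keyPath = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    # Returns $null (no error) when the key or the value is absent.
    $item = Get-ItemProperty -Path $keyPath -Name 'DisableCMD' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $state = 'DisableCMD not present: the policy has not reached this user yet'
    }
    elseif ($item.DisableCMD -eq 2) {
        $state = 'cmd.exe blocked; batch/.cmd scripts still run (DisableCMD = 2)'
    }
    elseif ($item.DisableCMD -eq 1) {
        $state = 'cmd.exe blocked and batch/.cmd script processing disabled (DisableCMD = 1)'
    }
    else {
        $state = "Unexpected DisableCMD value: $($item.DisableCMD)"
    }

    # Event IDs 813/814 in this Admin log record MDM policy settings as they are applied;
    # keep only the entries that mention DisableCMD.
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events  = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } `
                            -MaxEvents 500 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match 'DisableCMD' } |
               Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        RegistryState = $state
        PolicyEvents  = $events
    }
}

$result = Test-DisableCmdPolicy
$result.RegistryState
$result.PolicyEvents | Format-Table -AutoSize -Wrap
```

Run it in the context of the targeted user, since the value lives under HKEY_CURRENT_USER; the event log query may need an elevated prompt.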

I want to read more about DisableCMD Policy Setting.
