Table of Contents
I have recently written a blog post on how to block registry access on Windows devices using Intune. In this blog post, we will look into blocking Command prompt (cmd.exe) access for users using Intune admin center.
There could be a number of reasons for blocking Command prompt access, for example: To Improve security on the device, due to compliance reasons or simply to prevent users from running any command on Command prompt.
This requires creating a device configuration profile and using a setting called “Prevent access to the command prompt(User)” from Settings Catalog. There is an additional setting “Disable the command prompt script processing also? (User)” which controls the execution of batch/cmd script files on the computer.
Be careful when setting Disable the command prompt script processing also? (User) to Yes as it will disable the execution of Login scripts or any execution of batch scripts on the device, If you are regularly using Login scripts, and batch script files to manage your devices, then choose No for this setting.
In the following sections of this blog post, we will look into the steps of blocking Command prompt on Windows 10/11 devices using Intune.
STEP 1 – Create a Device Configuration Profile
Let’s create a device configuration profile first and configure this setting:
- Login on Microsoft Intune admin center
- Click on Devices > Configuration profiles
- Click on + Create profile
- Platform: Windows 10 and later
- Profile type: Settings Catalog
Provide a Name and Description of the Profile. For Example:
- Name: Prevent CMD.exe access for all users
- Description: This profile will block CMD.exe on user’s devices
Click on + Add settings and then search for “command prompt” in settings picker. Select “Prevent access to the command prompt(User)” to configure.
- Toggle the switch for Prevent access to the command prompt(User) to Enable it. This will not allow users to launch Command prompt on their device.
- Keep Disable the command prompt script processing also? (User) to No. This will allow Login scripts and batch files to work on the device, while still keeping Command prompt access blocked. However, If you want to take a block-all approach where execution of cmd or bat files/scripts will also be blocked, then select Yes for this setting.
Assign this profile to an Azure AD group containing users or devices. If you add users to the Azure AD group, then the profile will get applied even if a user changes their device, But if you want to apply this profile to specific devices only then target this profile to an Azure AD group containing devices only.
Review + create
Review the profile settings and click on Create to create this policy.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
STEP 2 – Monitoring Deployment Progress
To monitor the deployment progress of a Device configuration profile, follow below steps:
- Sign in to the Microsoft Intune admin center.
- Click on “Devices” and then select “Configuration profiles“
- Choose the Device Configuration profile you want to work with, and at the top of the page, you’ll see a quick view of the Success, Failure, Conflict, Not Applicable, and In Progress status.
- Click on “View report” to access more detailed information.
Once this policy has been successfully applied to target devices, When users launch Command prompt from Start Menu or by using Run dialog box, they will receive below message on the Command prompt window.
“The command prompt has been disabled by your administrator”. Press any key to continue.
If you also want to confirm that this device configuration profile has been applied successfully in another way, then you can open the registry editor and go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System registry key. On the right-hand side, you will find a DWORD registry entry called DisableCMD which will be set to 2.
When you also enable Disable the command prompt script processing also? (User) by setting it to Yes. you will find DisableCMD value is set to 1.
What is the OMA-URI setting for blocking Command Prompt?
This is an alternative method of blocking command prompt on Windows using Intune. The above method which we discussed using Setting catalog, is easier.
For your reference, below is the OMA-URI setting which you can also use to block the command prompt.
Use a String data type and provide below value. Set a value of 2 to block command prompt access and a value of 1 will block command prompt access and execution of batch and cmd scripts as well.
<data id=”DisableCMDScripts” value=”2″/>
What is the registry key and value for blocking Command Prompt access for all users on a device?
As discussed earlier, The registry key is HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System, and a DWORD entry DisableCMD of value 2 will block Command prompt access. Setting it to 1 will also block batch files / .cmd script file execution as well.
Where can I find logs related to Device Configuration Profile?
For checking the logs related to a device configuration profile deployment via Intune, you can follow below steps:
– Press Windows key + R to open Run dialog box
eventvwr and press Enter to open Event Viewer.
– Go to Application and Services logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin folder.
– Search for Event ID 813 or 814 and go through the logs to find the one related to the deployment.
I want to read more about DisableCMD Policy Setting.
You can read more about it at the link: ADMX_ShellCommandPromptRegEditTools Policy CSP – Windows Client Management | Microsoft Learn