Here’s a step-by-step guide on how to disable Command Prompt access using Intune. The policy “Prevent access to the command prompt” stops users from running the interactive command prompt, Cmd.exe, and also determines whether batch files (.cmd and .bat) can run on the device.
Preventing access to the Command Prompt (cmd.exe) is a security measure frequently implemented in organizations to enhance the overall security of their Windows-based systems. This restriction is especially important in environments where unauthorized access to the Command Prompt can pose risks, such as data breaches or the execution of malicious scripts.
Admins can configure Intune cloud policy, and Group Policies to disable Command Prompt access for specific user accounts or groups. This policy effectively blocks users from running Command Prompt sessions, helping prevent unintended or unauthorized use of command-line tools.
However, it’s important to carefully plan and implement this policy, as legitimate system administration tasks often require Command Prompt access. Administrators should ensure that necessary exceptions are made for IT staff or users who require such access for their roles.
Disable Command Prompt Access using Intune
By following these steps, you can effectively disable command prompt access on devices managed by Microsoft Intune. This lets you control command-line and batch script execution by preventing users from launching Cmd.exe.
- Sign in to the Microsoft Intune Admin portal https://intune.microsoft.com/.
- Select Devices > Configuration profiles > Create profile.
In Create Profile, select Windows 10 and later as the Platform and Settings Catalog as the Profile type, then click Create.
In Basics, enter the descriptive name for the new profile. For example, Disable Command Prompt Access or Prevent users access to command prompt, and add a description for the profile to understand the policy usage and Select Next.
On the Configuration settings tab, the settings catalog lets you choose which settings to configure. Click Add Settings to browse or search the catalog for the settings you want.
Search for “Command Prompt” or “Prevent access to the command prompt”. Select the “Administrative Templates\System” from the search result. Select “Prevent access to the command prompt” and close the pane.
If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
The next step is to toggle “Prevent access to the command prompt” to Enabled. Once you enable the option, the selected setting appears in the list; click Next.
This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. You also have an option, “Disable the command prompt script processing also?”, which I set to No, so batch files are still allowed to run while the interactive prompt is blocked.
Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.
Using Scope tags, you can assign a tag to filter the profile to specific IT groups. One can add scope tags (if required) and click Next to continue.
Now in Assignments, in Included Groups, you need to click on Add Groups, choose Select Groups to include one or more groups, and click Next to continue.
In the Review + Create tab, you need to review your settings. After clicking Create, your changes are saved, and the profile will be assigned to the added devices group.
A notification appears in the top right-hand corner confirming that the policy “Disable Command Prompt User Access” was created successfully. If you check the Configuration Profiles list, the policy is visible there with the tag NEW.
To restrict Command Prompt access on Windows devices, especially in a business or organization setting, you typically rely on Group Policy or other centralized management tools like Microsoft Intune. This centralized approach to prevent command prompt access through Intune simplifies the administrative process.
| Intune CSP | On-premises GPO |
|---|---|
| ./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD | Administrative Templates (Users) > System > Prevent access to the command prompt |
Monitor Command Prompt User Access Policy Deployment
Intune provides several features to monitor and manage device configuration profiles. Once the configuration profile is applied, Command prompt access should be disabled on the targeted devices.
Note! The device groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.
To monitor Intune policy assignment, select the targeted policy from the list of Configuration Profiles; here you can check the device and user check-in status. Click View Report for additional details. The status report updates as devices and users check in.
Track Event Log for Intune Policy Deployment
Intune event IDs 813 or 814 indicate that a policy has been applied to Windows 10 or 11 devices. These events provide valuable information about the policy that has been applied, including the exact value enforced on those devices.
In the case of the policy configured earlier, event ID 814 indicates that the string policy has been applied, and you can view the specific value of the policy.
To confirm this, check the event log path Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. An example entry looks like this:
MDM PolicyManager: Set policy string, Policy: (DisableCMD), Area: (ADMX_ShellCommandPromptRegEditTools), EnrollmentID requesting merge: (5B88AEF1-09E8-43BB-B144-7254ACBBDF3E), Current User: (S-1-12-1-3186897695-1137825691-1845872004-278613382), String: (), Enrollment Type: (0x6), Scope: (0x1).
To check the policy deployment, you can also validate the registry details for disabling command prompt access on the device.
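As an added verification script (not part of the original post), the following PowerShell checks both places discussed above on a targeted device: the DisableCMD registry value that backs the ADMX setting, and the MDM PolicyManager events 813/814 in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log. It assumes it is run as the targeted user, since the CSP path in the table is user-scoped.

```powershell
# Added example, not from the original post. Run as the user the profile targets.
# Assumption: the policy writes the standard user policy key behind the ADMX setting.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$logName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-DisableCmdState {
    # DisableCMD values: absent/0 = not configured,
    # 1 = interactive cmd.exe blocked but .bat/.cmd scripts still run,
    # 2 = cmd.exe and batch script processing both blocked.
    $value = (Get-ItemProperty -Path $policyKey -Name 'DisableCMD' -ErrorAction SilentlyContinue).DisableCMD
    switch ($value) {
        1       { 'Enforced: cmd.exe blocked, batch files allowed (script processing = No)' }
        2       { 'Enforced: cmd.exe and batch files blocked (script processing = Yes)' }
        default { 'Not configured for this user on this device' }
    }
}

function Get-DisableCmdPolicyEvents {
    # 813/814 are the MDM PolicyManager "Set policy" events; keep only the
    # entries that name the DisableCMD policy from the ADMX_ShellCommandPromptRegEditTools area.
    Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'DisableCMD' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

"Registry state : $(Get-DisableCmdState)"
'MDM policy events mentioning DisableCMD:'
Get-DisableCmdPolicyEvents | Format-Table -AutoSize -Wrap
```

If the registry reports “Not configured” while an 814 event is present, the device received the policy but the user session has not yet picked it up; sign out and back in, or sync the device from Company Portal, and re-run.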
End Users Experience
If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action: “The command prompt has been disabled by your administrator. Press any key to continue…”
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.