Disable Command Prompt Access using Intune

Here’s a step-by-step guide on how to disable Command Prompt access using Intune. The setting prevents users from running the interactive command prompt, Cmd.exe, and also determines whether batch files (.cmd and .bat) can run on the device.

Preventing access to the Command Prompt (cmd.exe) is a security measure frequently implemented in organizations to enhance the overall security of their Windows-based systems. This restriction is especially important in environments where unauthorized access to the Command Prompt can pose risks, such as data breaches or the execution of malicious scripts.

Admins can configure Intune cloud policy, and Group Policies to disable Command Prompt access for specific user accounts or groups. This policy effectively blocks users from running Command Prompt sessions, helping prevent unintended or unauthorized use of command-line tools.

However, it’s important to carefully plan and implement this policy, as legitimate system administration tasks often require Command Prompt access. Administrators should ensure that necessary exceptions are made for IT staff or users who require such access for their roles.


Disable Command Prompt Access using Intune

By following these steps, you can disable Command Prompt access on devices managed by Microsoft Intune. This lets you control script execution on those devices by preventing users from opening Cmd.exe.

  • Sign in to the Microsoft Intune Admin portal https://intune.microsoft.com/.
  • Select Devices > Configuration profiles > Create profile.
Disable Command Prompt Access using Intune Fig.1

In Create a profile, select Windows 10 and later as the Platform and Settings catalog as the Profile type, then click Create.

Disable Command Prompt Access using Intune Fig.2

In Basics, enter a descriptive name for the new profile, for example Disable Command Prompt Access or Prevent users access to command prompt, add a description that explains the purpose of the policy, and select Next.

Disable Command Prompt Access using Intune Fig.3

On the Configuration settings tab, the settings catalog lets you choose exactly which settings to configure. Click Add settings to browse or search the catalog for the settings you want.

Disable Command Prompt Access using Intune Fig.4

Search for “Command Prompt” or “Prevent access to the command prompt”. Select Administrative Templates\System from the search results, tick “Prevent access to the command prompt”, and close the pane.

If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.

Disable Command Prompt Access using Intune Fig.5

The next step is to toggle “Prevent access to the command prompt” to Enabled. Once enabled, the setting appears in the list of selected settings; click Next.

This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.

If you disable this policy setting or do not configure it, users can run Cmd.exe and batch files normally. You also have an option to configure the command prompt script processing, which I set to No.

Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services.

Disable Command Prompt Access using Intune Fig.6

Using Scope tags, you can assign a tag to filter the profile to specific IT groups. One can add scope tags (if required) and click Next to continue.

Now in Assignments, in Included Groups, you need to click on Add Groups, choose Select Groups to include one or more groups, and click Next to continue.

Disable Command Prompt Access using Intune Fig.7

In the Review + Create tab, you need to review your settings. After clicking Create, your changes are saved, and the profile will be assigned to the added devices group.

A notification appears in the top right-hand corner confirming that the policy “Disable Command Prompt User Access” was created successfully. The policy is also visible in the Configuration profiles list with the tag NEW.

Disable Command Prompt Access using Intune Fig.8

To restrict Command Prompt access on Windows devices, especially in a business or organization setting, you typically rely on Group Policy or other centralized management tools like Microsoft Intune. This centralized approach to prevent command prompt access through Intune simplifies the administrative process.

Intune CSP: ./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD
On-premises GPO: Administrative Templates (Users) > System > Prevent access to the command prompt
Table 1 – Disable Command Prompt Access

Monitor Command Prompt User Access Policy Deployment

Intune provides several features to monitor and manage device configuration profiles. Once the configuration profile is applied, Command prompt access should be disabled on the targeted devices.

Note! The device groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.

To monitor Intune policy assignment, select the targeted policy from the list of Configuration profiles; here you can check the device and user check-in status. Click View report for additional details. The per-device and per-user check-in status reports update as devices and users check in:

Disable Command Prompt Access using Intune Fig.9

Track Event Log for Intune Policy Deployment

Intune event IDs 813 or 814 can indicate that a string policy has been applied to Windows 10 or 11 devices. These event IDs can provide valuable information about the policy that has been applied, including the exact value of the policy enforced on those devices.

For the policy configured here, event ID 814 indicates that the string policy has been applied, and the event shows the specific value of the policy.

To confirm this, check the event log at Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

MDM PolicyManager: Set policy string, Policy: (DisableCMD), Area: (ADMX_ShellCommandPromptRegEditTools), EnrollmentID requesting merge: (5B88AEF1-09E8-43BB-B144-7254ACBBDF3E), Current User: (S-1-12-1-3186897695-1137825691-1845872004-278613382), String: (), Enrollment Type: (0x6), Scope: (0x1).

Disable Command Prompt Access using Intune Fig.10
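The event log check above can be scripted. The following PowerShell snippet is an added example, not code from the original post: it queries the same MDM diagnostics log for PolicyManager events 813 and 814, keeps only those that mention the DisableCMD policy, and extracts the Area and the applied value from the message text. The log name and event IDs are the ones named on this page; the regular expressions assume the message format shown in the sample event above.

```powershell
# Added example (not from the original post): list the PolicyManager events that
# record the DisableCMD setting being applied on this device.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# 813 = integer policy applied, 814 = string policy applied (as described on the page).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 813, 814 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Policy: \(DisableCMD\)' }

if (-not $events) {
    Write-Warning 'No PolicyManager events for DisableCMD found; the device may not have checked in with Intune yet.'
    return
}

# Show the most recent applications of the policy, newest first.
foreach ($e in ($events | Sort-Object TimeCreated -Descending | Select-Object -First 5)) {
    # The message text follows the pattern "Policy: (...), Area: (...), ..., String: (...)"
    # assumed from the sample event on this page; pull the fields out with regexes.
    $area  = if ($e.Message -match 'Area: \(([^)]*)\)')             { $Matches[1] } else { '' }
    $value = if ($e.Message -match '(?:String|Integer): \(([^)]*)\)') { $Matches[1] } else { '' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Area        = $area
        Value       = $value
    }
}
```

Run it in an elevated PowerShell session on a managed device; an empty result simply means the policy has not been processed yet, so check the profile's check-in status in the Intune portal before treating it as a failure.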

Registry Information

To check the policy deployment, you can validate the registry details for disabling Command Prompt access at the location below.

Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Microsoft\Windows\System
Value Name: DisableCMD
Value Type: REG_DWORD
Enabled Value: 2
Disabled Value: 1
Table 2 – Disable Command Prompt Access
Disable Command Prompt Access using Intune Fig.11
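The registry check can also be done from PowerShell. This snippet is an added example, not code from the original post: it reads the DisableCMD value from the hive and path listed in Table 2 for the current user and reports what the value means. The interpretation of the values follows the documented behaviour of the setting (1 blocks the interactive command prompt while still allowing batch files to run; 2 blocks both), which corresponds to the “command prompt script processing” option mentioned earlier.

```powershell
# Added example (not from the original post): read the user-scope policy value that
# the Intune "Prevent access to the command prompt" setting writes and explain it.
$path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$name = 'DisableCMD'

$item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -eq $item) {
    'DisableCMD is not present: the policy has not applied to this user yet, so cmd.exe and batch files run normally.'
    return
}

$value = [int]$item.$name
switch ($value) {
    0       { "DisableCMD = 0: the command prompt is not blocked." }
    1       { "DisableCMD = 1: interactive cmd.exe is blocked; batch file (.cmd/.bat) processing is still allowed." }
    2       { "DisableCMD = 2: interactive cmd.exe is blocked and batch file (.cmd/.bat) processing is blocked as well." }
    default { "DisableCMD = $value: unexpected value; check the policy report in Intune." }
}
```

Because the value lives under HKEY_CURRENT_USER, run the check in the context of the targeted user; running it as a different account (for example an admin logged on locally) reads that account's hive and will report the policy as absent.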

End Users Experience

If you enable this setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action: “The command prompt has been disabled by your administrator. Press any key to continue…”


Author

About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT industry. He writes and shares his experiences related to Microsoft device management technologies and IT infrastructure management. His primary focus is Windows 10/11 deployment solutions with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
