Prevent Access to Command Prompt using Intune
In this article, we will show you how to prevent access to command prompt using Intune on Windows devices. Using the Intune policy, you can also disable both command prompt access (cmd.exe) and command prompt script processing for Windows users.
We are all aware that the majority of Windows operating systems include the command-line interpreter known as Command Prompt. From the command prompt, you can enter commands and perform advanced administrative functions. You can also perform troubleshooting tasks with the command prompt.
While the command prompt has many benefits, for some organizations, it can also be a security risk. For example, a user can use the command prompt to download and run a malicious Visual Basic script that can infect multiple computers. A user with administrative privileges can use the command prompt to execute commands on remote computers, which can have serious consequences.
Organizations can use either group policy or Intune to restrict access to the command prompt, preventing users from using it to perform administrative tasks. This is typically done as a security measure, thereby preventing users from executing commands and scripts via the command prompt.
Settings to Block Command Prompt using Intune
Intune offers two settings to block access to the command prompt for Windows users:
- Prevent access to the command prompt (user): As per the policy description, this policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message that command prompt access has been disabled by your administrator.
- Disable the command prompt script processing also: We recommend that you first understand this setting before configuring it. Enabling this setting will prevent the execution of .bat files and .cmd files on client computers. Microsoft advises not to prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Remote Desktop Services. So, configure this setting with caution.
Both of the above settings will be configured while creating a device configuration profile in Microsoft Intune. So let’s get started.
Prevent Access to Command Prompt using Intune
Perform the following steps to block command prompt using Intune on Windows 10/11 devices:
- First, sign in to the Microsoft Intune admin center.
- Go to Devices > Windows > Configuration Profiles.
- Create a new configuration profile to block command prompt access.
On the Create a profile pane, choose the following:
- Platform: Windows 10 and later
- Profile Type: Settings Catalog
Click Next.
On the Basics tab, specify the policy name and a brief description of the policy. This will make it easier for other Intune administrators to find this profile.
- Name: Prevent access to command prompt using Intune
- Description: Disable command prompt access (cmd.exe) and command prompt script processing for users
Click Next.
In the Configuration Settings section, under Settings Catalog, click Add Settings. The Intune Settings catalog allows you to enable or disable the command prompt for Windows users.
On the Settings picker window, type “prevent access to the command prompt” in the search box and click Search. From the search results, select the Administrative Templates\System category.
In the bottom pane, select the setting “Prevent access to the command prompt (User).” Notice that another sub-setting, “Disable the command prompt script processing also? (User)” is also enabled by default. Close the Settings Picker window.
Configure the following settings to disable command prompt access for Windows users:
- Prevent access to the command prompt (User): Enable this setting by moving the slider to the right. When you enable this setting, Intune will block cmd.exe access for Windows users.
- Disable the command prompt script processing also? (User): Click the drop-down and select No. Set it to Yes only if you also want to block all batch files (.bat and .cmd) from running on the computer; that includes logon, logoff, startup, and shutdown batch scripts.
Click Next.
On the scope tags tab, you may specify scope tags. Specifying scope tags is optional, and you may skip this step. Click Next.
In the Assignments window, specify the Entra ID groups for which you want to prevent access to the command prompt. We recommend deploying the profile to a few test groups first and then expanding it to more groups if the testing is successful. Select Next.
Finally, on the Review+Create tab, take a look at all the settings you’ve configured to prevent access to the command prompt in Intune.
After you create the above configuration policy in Intune, you’ll see a notification: “Policy created successfully”. This confirms that the policy has been created and is being applied to the groups we chose. The newly created configuration profile appears in Intune’s list of configuration profiles.
Ensure the Windows devices are online so that they receive the policy settings from Microsoft Intune. You can also force sync Intune policies using different methods on your Windows computers to download the latest policies from Microsoft Intune.
While the settings are being applied to Windows devices, you can monitor the Block Command Prompt Access policy in Intune. In the Intune admin center, select the policy and review the Device and user check-in status. Under “Device and user check-in status”, you get to see the total number of devices and users who successfully received the policy settings. In some cases, the policy may fail to apply to certain users or devices. To resolve the issues, we recommend reviewing Intune logs on Windows computers.
End User Experience
Alright, let’s check if the Intune policy has blocked access to the command prompt (cmd.exe) for users on Windows devices. Log in to one of the Windows 10/11 devices and launch the command prompt by running the shortcut command “cmd.exe”.
When a user tries to launch the command prompt, it launches with the following message: “The command prompt has been disabled by your administrator”. Even if a user attempts to launch the prompt with the run as administrator option, the same message appears. With this, we can conclude that you can easily block Windows command prompt access using the Intune policy.
OMA-URI Settings to DisableCMD using Intune
An alternate way to block the command prompt using Intune is via OMA-URI settings in a custom configuration profile. The setting is documented in Microsoft’s Policy CSP reference under ADMX_ShellCommandPromptRegEditTools, which is the ADMX-backed policy that blocks command prompt access for Windows users.
The following Intune OMA-URI can be used to disable command prompt access for users:
./User/Vendor/MSFT/Policy/Config/ADMX_ShellCommandPromptRegEditTools/DisableCMD
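Both the Settings Catalog policy configured earlier and the OMA-URI above end up as the same user-scoped policy value on the client, and the two possible values decide whether batch scripts are blocked along with cmd.exe. The PowerShell below is an added verification script, not code from the article or from Microsoft; it assumes the value lands at HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD with the classic Group Policy meaning (1 = cmd.exe blocked, scripts allowed; 2 = cmd.exe and script processing blocked), and the function name Get-CmdRestrictionState is the author’s own.

```powershell
# Added verification script (assumed registry location and value meaning,
# matching the classic "Prevent access to the command prompt" GPO).
# Run it in the context of the targeted user, since the policy is user-scoped.

function Get-CmdRestrictionState {
    [CmdletBinding()]
    param(
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    )

    $value = $null
    if (Test-Path -Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.PSObject.Properties['DisableCMD']) {
            $value = [int]$props.DisableCMD
        }
    }

    # Assumed mapping: missing/0 = not restricted, 1 = cmd only, 2 = cmd + scripts
    if ($null -eq $value -or $value -eq 0) {
        $state = 'NotConfigured'; $cmdBlocked = $false; $scriptsBlocked = $false
    }
    elseif ($value -eq 1) {
        $state = 'CmdBlocked_ScriptsAllowed'; $cmdBlocked = $true; $scriptsBlocked = $false
    }
    elseif ($value -eq 2) {
        $state = 'CmdBlocked_ScriptsBlocked'; $cmdBlocked = $true; $scriptsBlocked = $true
    }
    else {
        $state = "Unexpected($value)"; $cmdBlocked = $null; $scriptsBlocked = $null
    }

    [pscustomobject]@{
        User                = "$env:USERDOMAIN\$env:USERNAME"
        DisableCMD          = $value
        State               = $state
        CmdExeBlocked       = $cmdBlocked
        BatchScriptsBlocked = $scriptsBlocked
    }
}

$result = Get-CmdRestrictionState
$result | Format-List

# Flag the combination the article cautions against: script processing blocked
# means logon, logoff, startup and shutdown .bat/.cmd scripts will not run.
if ($result.BatchScriptsBlocked) {
    Write-Warning 'DisableCMD = 2: batch script processing is blocked for this user.'
}
```

If the value reads 2 while batch scripts are still expected to run, revisit the “Disable the command prompt script processing also? (User)” setting and confirm it is set to No.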
Great write-up, THANK YOU. I have been working on this project. THANK YOU! Question: I enabled this setup and it’s working, but this setup is now blocking GPO batch files being pushed out. How can this setup remain and still allow the GPO to push batch files during startup of laptops and desktops?