Blocking Command Prompt on Windows with an Intune Device Configuration profile

This article shows you how to use Intune to block the Command Prompt on Windows devices using a Configuration profile.

Navigate to and select Device from the menu on the left as shown above.

Then, select Windows on the right.

Select Configuration profiles from the menu on the left as shown.


Select Create profile.

Then select the Platform as Windows 10 and later.

Select the Profile type as Templates.

From the list of templates select Custom.

Select Create in the bottom right.


Give the policy a name and select Next to continue.


Select Add.


In the OMA-URI settings enter the following as shown above:

Name = Block Command Prompt

Description = Block Command Prompt

OMA-URI = ./user/vendor/MSFT/Policy/Config/ADMX_ShellCommandpromptRegeditTools/DisableCMD

Data type = String

Value =
<data id=”DisableCMDScripts” value=”1″/>

Ensure you enter these exactly as shown, anything else will prevent the policy working as expected.

Press Save.


You should now see the item you just entered displayed as shown above.

Select Next to continue.

Assign the policy to a group. Here it is being assigned to all Windows devices.

Select Next to continue.


You will now see a summary. Ensure the Configuration settings has the above set before selecting the Create button to complete the policy.


You should now see that the policy has been created and listed with all other Configuration profile policies as shown above.

You can edit this policy at any stage simply by selecting it.


You now need to wait until the policy is deployed successfully to devices. You can check the status of this by viewing the Device status for the policy as shown above.


If you open the Command Prompt on a device where the policy is deployed you will see the above message.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s