In this article, you’ll learn how to disable the command prompt using Group Policy. You can restrict access to the command prompt for Windows users with a GPO.
The command-line interpreter known as Command Prompt (CMD.exe) lets you run commands to perform advanced administrative functions. It can also be used to troubleshoot and solve certain kinds of Windows issues. Furthermore, a user with administrative privileges can use the command prompt to execute commands on remote computers, which can have serious consequences.
Some organizations prefer to disable the command prompt so that users cannot run bad or malicious commands that harm the system and cause irreversible damage. If your Windows computers are joined to Active Directory, a GPO is the best method to disable the command prompt.
Methods for disabling access to the command prompt
There are several methods on Windows for blocking command prompt access, which are listed below.
- Group Policy
- Microsoft Intune
Manually tweaking the registry is not recommended. We recommend using Group Policy or Microsoft Intune to disable command prompt access for multiple users in your organization. Refer to the following guide on preventing access to the command prompt using Intune.
Disable Command Prompt using Group Policy
In this section, we will show you how to create a new GPO that will disable access to the command prompt. To create a new GPO, you can either log in to a domain controller or a member server installed with GPMC. You can also install the GPMC on Windows 11 and configure the group policies.
- Launch Server Manager from the Start menu and select Tools > Group Policy Management Console.
- In the Group Policy Management console, expand the domain, right-click Group Policy Objects or an OU, and select New.
- Enter the GPO name as “Disable Command Prompt Access” and click OK.
Right-click the GPO that you just created and select Edit. In the Group Policy Management Editor, navigate to User Configuration/Administrative Templates/System. Look for the policy setting “Prevent access to the command prompt” and select Edit.
Note: The Local Group Policy Editor is available only on Windows Pro and Enterprise editions. Windows 10 Home Edition users don’t have access to the GP Editor on their computer.
From the policy description, we see there are two settings:
- Prevent access to the command prompt: Enabling this GPO policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. Select Enabled.
- Disable the command prompt script processing also?: If you configure this setting to Yes, batch files (.cmd and .bat) are blocked as well, which breaks any logon, logoff, startup, or shutdown batch file scripts the computer uses. We will configure this setting to No.
Click Apply and OK. Close the GPMC editor.
After the above group policy object is configured, you need to link the GPO to an OU if you haven’t already. You can also link it to the domain, but doing so will make the GPO applicable to every computer in the domain, so it is not advised. The best approach is to choose a test OU, link your GPO to it, and test the policy settings.
Note: The Prevent access to the command prompt GPO applies to users and not computers. So ensure the GPO is applied to an OU consisting of users.
It’s time to wait for the group policy to be updated on the client computers and check to see if the command prompt access is disabled. You can use multiple ways to perform the group policy update on remote computers. On a test client machine, you can manually perform the group policy update by running the gpupdate /force command. If the group policies have already been updated, you should no longer have access to the command prompt.
After the group policy has been refreshed, on the Windows computer, click Start and launch the command prompt. You may also run the shortcut command “cmd.exe” to launch the CMD prompt. The command prompt launches with the message “The command prompt has been disabled by your administrator”. This confirms you can disable the command prompt for users using Group Policy.
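The same procedure scripted with the GroupPolicy PowerShell module that ships with GPMC, as an added example that is not part of the original article. The OU distinguished name is a placeholder, and the script relies on this policy setting being stored as the DisableCMD registry value (1 = also block batch files, 2 = block cmd.exe only).

```powershell
#Requires -Modules GroupPolicy
# Added example: creates, configures, and links the GPO described in this article.
# Run on a domain controller or a machine with GPMC installed.

$GpoName  = 'Disable Command Prompt Access'        # GPO name used in the article
$TargetOu = 'OU=TestUsers,DC=example,DC=com'       # placeholder: a test OU that contains users
$PolKey   = 'HKCU\Software\Policies\Microsoft\Windows\System'

# "Disable the command prompt script processing also?"
#   1 = Yes (cmd.exe and .cmd/.bat files are blocked)
#   2 = No  (cmd.exe is blocked, batch files still run) <- the article's choice
$DisableCmdValue = 2

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks interactive cmd.exe for users'
}

# Equivalent to enabling "Prevent access to the command prompt" under
# User Configuration > Administrative Templates > System.
Set-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName 'DisableCMD' `
    -Type DWord -Value $DisableCmdValue | Out-Null

# Link to the test OU unless a link is already present.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the setting back from the GPO to confirm what was written.
Get-GPRegistryValue -Name $GpoName -Key $PolKey -ValueName 'DisableCMD'

# Client-side check: run as the affected user after "gpupdate /force".
function Get-CmdPolicyState {
    $path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $path -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    switch ($value) {
        1       { 'cmd.exe and batch files are blocked' }
        2       { 'cmd.exe is blocked, batch files are allowed' }
        default { 'Policy not applied to this user' }
    }
}
```

Get-CmdPolicyState only reads the user's policy hive, so it works in a PowerShell session on the client even when cmd.exe itself is blocked.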