Blocking Administrative Apps like the Command Prompt In Intune.


Supposedly there is no simple GUI option in Intune to block the Command Prompt, Windows PowerShell and Regedit. Guess what? That’s wrong.

These apps can be denied. To do so, open the Intune for Education portal instead of the normal Intune portal:

Groups –> All Devices (or create a custom group) –> Settings –> Apps –> Block Access to administrative apps

Guess what it does? It simply creates a custom AppLocker policy in your normal Intune portal.

Looking at the AppLocker policy, you will notice an XML config: it blocks the three apps with a FilePublisherCondition (publisher, product and binary name of the signed file) and allows everything else.

The link to the XML config (converted to txt):

Testing it from a client, you get an AppLocker notification: the app has been blocked.
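To make the shape of that policy concrete, here is an added example (not code from the post or from Intune) that builds an AppLocker policy XML with the same structure, publisher Deny rules for the three binaries plus an Allow-all path rule, and then evaluates sample files against it the way AppLocker does: an explicit Deny always beats an Allow, and an enforced collection with no matching rule is an implicit deny. The publisher and product strings are the values carried by signed Windows binaries; the rule Ids and the sample file records are constructed for this example. The `denied_binaries` helper can also be pointed at a policy file pulled from a client to confirm the Deny rules actually arrived.

```python
"""Added example: build and evaluate an AppLocker policy of the kind the
Intune for Education portal generates (Deny cmd/powershell/regedit by
publisher, Allow everything else). Not the portal's own code."""
import fnmatch
import uuid
import xml.etree.ElementTree as ET

# Publisher/product values as they appear in the signature of Windows binaries.
MS_PUBLISHER = "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
WINDOWS_PRODUCT = "MICROSOFT\u00ae WINDOWS\u00ae OPERATING SYSTEM"
EVERYONE_SID = "S-1-1-0"  # well-known SID for Everyone
BLOCKED_BINARIES = ("CMD.EXE", "POWERSHELL.EXE", "REGEDIT.EXE")


def build_policy_xml() -> str:
    """One Deny FilePublisherRule per administrative binary, followed by an
    Allow FilePathRule with Path="*" so every other executable keeps running."""
    policy = ET.Element("AppLockerPolicy", Version="1")
    coll = ET.SubElement(policy, "RuleCollection", Type="Exe", EnforcementMode="Enabled")
    for binary in BLOCKED_BINARIES:
        rule = ET.SubElement(coll, "FilePublisherRule", Id=str(uuid.uuid4()),  # constructed Id
                             Name=f"Block {binary}", Description="",
                             UserOrGroupSid=EVERYONE_SID, Action="Deny")
        cond = ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePublisherCondition",
                             PublisherName=MS_PUBLISHER, ProductName=WINDOWS_PRODUCT,
                             BinaryName=binary)
        ET.SubElement(cond, "BinaryVersionRange", LowSection="*", HighSection="*")
    allow = ET.SubElement(coll, "FilePathRule", Id=str(uuid.uuid4()),  # constructed Id
                          Name="Allow everything else", Description="",
                          UserOrGroupSid=EVERYONE_SID, Action="Allow")
    ET.SubElement(ET.SubElement(allow, "Conditions"), "FilePathCondition", Path="*")
    return ET.tostring(policy, encoding="unicode")


def denied_binaries(policy_xml: str) -> set:
    """Binary names explicitly denied by publisher rules in the Exe collection.
    Useful for checking a policy file collected from a client."""
    root = ET.fromstring(policy_xml)
    return {
        cond.get("BinaryName")
        for rule in root.iterfind("RuleCollection[@Type='Exe']/FilePublisherRule[@Action='Deny']")
        for cond in rule.iterfind("Conditions/FilePublisherCondition")
    }


def _matches(rule, file_info: dict) -> bool:
    """Does this rule's (single) condition match the file? Publisher fields compare
    case-insensitively against the file's signature data, '*' matches anything."""
    cond = rule.find("Conditions/*")
    if rule.tag == "FilePublisherRule":
        for attr, key in (("PublisherName", "publisher"), ("ProductName", "product"),
                          ("BinaryName", "binary")):
            want = cond.get(attr, "*")
            if want != "*" and want.casefold() != file_info.get(key, "").casefold():
                return False
        return True
    if rule.tag == "FilePathRule":
        return fnmatch.fnmatchcase(file_info["path"].casefold(), cond.get("Path").casefold())
    return False  # hash rules are not part of this policy shape


def evaluate(policy_xml: str, file_info: dict) -> str:
    """AppLocker decision for the Exe collection: Deny wins over Allow, and an
    enforced collection that matches nothing denies implicitly."""
    root = ET.fromstring(policy_xml)
    coll = root.find("RuleCollection[@Type='Exe']")
    if coll is None or coll.get("EnforcementMode") != "Enabled":
        return "NotEnforced"
    actions = {rule.get("Action") for rule in coll if _matches(rule, file_info)}
    if "Deny" in actions:
        return "Deny"
    if "Allow" in actions:
        return "Allow"
    return "Deny"


# Constructed sample files; "binary" is the original file name from the signed
# version resource, which is what a FilePublisherCondition compares against.
SAMPLE_FILES = {
    "cmd": {"path": r"C:\Windows\System32\cmd.exe", "publisher": MS_PUBLISHER,
            "product": WINDOWS_PRODUCT, "binary": "CMD.EXE"},
    "notepad": {"path": r"C:\Windows\System32\notepad.exe", "publisher": MS_PUBLISHER,
                "product": WINDOWS_PRODUCT, "binary": "NOTEPAD.EXE"},
    # A copy of cmd.exe under another name keeps its signed BinaryName, so the
    # publisher rule still denies it where a path rule on cmd.exe would not.
    "copied_cmd": {"path": r"C:\Temp\helper.exe", "publisher": MS_PUBLISHER,
                   "product": WINDOWS_PRODUCT, "binary": "CMD.EXE"},
    "unsigned": {"path": r"C:\Temp\tool.exe", "publisher": "", "product": "", "binary": ""},
}

if __name__ == "__main__":
    xml = build_policy_xml()
    print("denied:", sorted(denied_binaries(xml)))
    for name, info in SAMPLE_FILES.items():
        print(f"{name:11s} -> {evaluate(xml, info)}")
```

The unsigned sample shows the trade-off the post hints at: with only these three Deny rules and an Allow-all, any other executable runs, which is why a complete allow-list policy is the stronger end state.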


It’s nice to see there is a GUI to implement a simple AppLocker policy that blocks these administrative apps. Of course, it’s much better to create a complete AppLocker policy that prevents ransomware infections and blocks other executables as well. Still, it is a nice solution to begin with, and the one with the least impact.

7 thoughts on “Blocking Administrative Apps like the Command Prompt In Intune.”

  1. Pingback: The LAPS and the furious! - Call4Cloud
  2. Pingback: The men who stare at the AppLocker event log - Call4Cloud
  3. Pingback: Blocking administrative Tools part 2 - Call4Cloud
  4. Hi,
    I tried your solution: I created a new group and blocked CMD, PowerShell and Regedit.
    But there was no AppLocker policy in my regular Intune. Any idea what might have gone wrong? I waited like 15 minutes. But no result.

  5. We have varying results with this – it blocks the apps for some users, and for others they can still run the apps. Local security policy shows no AppLocker rules in it on all machines. Recreated the policy and the group for membership and the same behavior. Anyone seeing this?

    1. Hi, to get some troubleshooting done, I am afraid I will need to have some more information. Can you look into the c:\windows\system32\applocker\mdm folder if there are rules created? Also check the MDM Intune registry keys.
