If your users have no requirement for access to the command prompt, it is recommended to remove this access from them.
From Devices / Configuration Profiles - click the Create Profile Option
You need to create for Windows 10 and later and use the Template and Custom option.
Enter a Name for your policy and a description (if you wish) - personally we always like to make the name descriptive, so we can later, quickly see what the policy is doing and we like to have lots of policies delivering certain aspects, so its easy to remove if we wish.
You are then going to create a CUSTOM OMA-URI for the settings
Name
Disable Command Prompt
Description
Disable the Command Prompt
OMA-URI
./user/vendor/MSFT/Policy/Config/ADMX_ShellCommandpromptRegeditTools/DisableCMD
Data Type: String
Value
<enabled/>
<data id="DisableCMDScripts" value="1"/>
Once you have that created, you can click on NEXT and apply this to a Group or indeed all users, however, we would recommend applying to a group which contains all your users, but excludes any admin's, so you are still able to RUNAS and use an Admin account to access the command prompt.