Windows 10

Disable Shift-F10 in OOBE

The ability to press Shift-F10 to open a command prompt during the out-of-box experience (OOBE) in Windows has been around for many years.  But if you want to turn that off, there are two ways you can do it:

  • Buy a device that ships with Windows 10 in S Mode.  When Windows 10 is running in S Mode, Shift-F10 is disabled by default.  You can always then “unlock” the device (getting it out of S Mode) as part of the Windows Autopilot device provisioning process, via Intune, or manually via the Microsoft Store.
  • Create a file named DisableCMDRequest.TAG in the C:\Windows\Setup\Scripts folder.  With that file present, Shift-F10 will be disabled.  You can ask your OEM to include that file in the preinstalled Windows 10 image that ships on the device.

Of course you will then get exactly what you ask for: no more command prompt means no more troubleshooting during the OOBE process.

Note that if you take the file route (DisableCMDRequest.TAG), you’ll find that the file is removed any time you reset the device, so if you want that file to be persisted, create a provisioning package that recreates it.  (There are various techniques to do that, but running a simple PowerShell script from the PPKG is probably the easiest.)

If you are interested in a way to disable that by default, feel free to vote for one or more of the Windows Autopilot uservoice items:

While I’m soliciting votes for ideas, here’s another one for you to consider:

Categories: Windows 10

1 reply »

  1. Dear Michael,
    We’re testing some provisioning package for adding that TAG file for preventing Shift-F10 during OOBE, but during those tests I noticed that when pressing the Win key once (during the “Setting up your device for work” phase), I could type in “cmd” and run as admin, the cmd would never come to foreground, which sounds ok like that, but when using Alt-TAB to select the windows (either OOBE or cmd), when selecting cmd it remains in the background but the cmd process has focus, so I could type in anything I want, even bad things like :
    net user /add [username] [password]
    net localgroup administrators [username] /add
    And at the end of OOBE that account would obviously still be there. I’m sure our security team will not appreciate. Maybe another TAG file for disabling the Windows search box during OOBE too ? Maybe it’s there for a while and I simply don’t know yet, if yes, I’m sorry for that, but I could not find anything yet.
    Thanks a lot !