I think that you could simply apply the profile Windows_10_Basic_Recommended_Settings and additionally:
- Enhanced Sponsors + CMD
- Validate Admin C.S. = ON
- Block Windows Script Host = ON
- Disable SMB = ON123
Besides your current protection, this would also protect shortcuts and prevent the user from opening files with non-safe extensions.
Edit.
If you remove the file extensions from the Designated File Types, then you will get the equivalent of the settings from your previous post (*.bat and *.cmd scripts will be protected).