There is a Surface Area Configuration facet in PBM as well as a Server Configuration Facet. Both of these have the XPCmdShell check to see if it is enabled. But neither of these facets (when applied to a condition and used in a policy) can prevent the change of the server configuration. These facets are designed to report on configurations that are out of compliance and not prevent them.

A good alternative to preventing is to have a policy in place that it is not to be used unless otherwise documented. Then audit for the use of xp_cmdshell. When somebody uses it, then you have a log of the use and the individual can be spoken to.