There are times when you would need to deny certain users from opening applications, files, or folders. AppLocker is a security feature in Windows that helps you to do it. AppLocker is part of Windows Professional and Enterprise editions.
In this article, I will show you how to enable AppLocker and use it in your organizations.
In order to use AppLocker and create deny rules, we will use Local Group Policy Editor (for local computers) or Group Policy Editor (for domain-joined machines).
- Hold the Windows logo and press R.
- Type gpedit.msc and press Enter to open Local Group Policy Editor.
- Expand Computer Configuration > Windows Settings > Security Settings > Application Control Policies.
- Expand Application Control Policies > AppLocker.
- Right-click on Executable Rules and click Create New Rule…
- Under Before You Begin, click Next.
- Under Permissions, click Deny and then click Select to choose the account that will be denied from running the application.
- Select the type of primary condition that you would like to create and then click Next. You can choose one of three conditions: Publisher, Path, or File hash. So, what is the difference?
- Publisher – related to applications signed by the publisher.
- Path – related to a file or folder path.
- File hash – related to applications that are not signed by the publisher.
- Under Publisher, click Browse to select the reference file you want to deny.
- In my example, I selected DaVinci Resolve, software used for video editing. You can also use the slider to select which properties define the rule; as you move it down, the rule becomes more specific. When the slider is in the Any publisher position, the rule applies to all signed files. I keep the default slider position. Once done, click Next.
- You can also add exceptions. Exceptions are optional and allow you to exclude files that would normally be included in the rule. To continue configuring this rule without adding an exception, click Next.
- Enter a name to identify this rule and click Create.
- Under Do you want to create the default rules now? click Yes. The default rules are currently not in the rule list for this rule collection. When creating rules, it is recommended that you also create the default rules to ensure that important system files will be allowed to run.
- You have successfully denied the application of your choice. As you can see, it is listed under Executable Rules.
- Close the Local Group Policy Editor.
- Now, when you try to open the app, it will be blocked.
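The same publisher-based Deny rule, together with the default allow rules from the last dialog, can be built and applied from PowerShell with the built-in AppLocker cmdlets. The script below is an added example and is not part of the original article; the reference executable path and the denied account are placeholders you must replace, and the publisher condition is generated at the article's default slider position (publisher and product name, any binary name and version). It also covers two things the GUI walkthrough does not mention: rules are only enforced while the Application Identity service (AppIDSvc) is running, and blocked launches can be checked in the AppLocker event log (event ID 8004).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Placeholders, change for your environment:
$ReferenceExe = 'C:\Program Files\ExampleVendor\example.exe'   # placeholder: signed exe to block
$DeniedUser   = "$env:COMPUTERNAME\TestUser"                    # placeholder: local or domain account
$PolicyPath   = Join-Path $env:TEMP 'deny-policy.xml'

# 1. AppLocker enforces rules only while the Application Identity service is running.
#    On current Windows builds Set-Service cannot change its start type, so use sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. AppLocker rules store SIDs, not account names, so resolve the account first.
$DeniedSid = ([System.Security.Principal.NTAccount]$DeniedUser).Translate([System.Security.Principal.SecurityIdentifier]).Value

# 3. Read the publisher information from the signed reference file (the GUI's Browse step).
$fileInfo = Get-AppLockerFileInformation -Path $ReferenceExe
if (-not $fileInfo.Publisher) { throw "$ReferenceExe is not signed; use a File hash rule instead." }
$pub = $fileInfo.Publisher

function New-DenyPolicyXml {
    param([string]$PublisherName, [string]$ProductName, [string]$UserSid, [string]$RuleName)
    function Esc([string]$s) { [System.Security.SecurityElement]::Escape($s) }
    # Deny rule for the chosen user, plus the three default allow rules; AppLocker
    # evaluates Deny rules first, so the Deny wins even though %PROGRAMFILES% is allowed.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$(Esc $RuleName)" Description="" UserOrGroupSid="$UserSid" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Esc $PublisherName)" ProductName="$(Esc $ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$xml = New-DenyPolicyXml -PublisherName $pub.PublisherName -ProductName $pub.ProductName `
                         -UserSid $DeniedSid -RuleName "Deny $($pub.ProductName) for $DeniedUser"
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8

# 4. Dry run: evaluate the policy file against the reference exe without enforcing anything.
#    Expect PolicyDecision = Denied for the denied user.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $ReferenceExe -User $DeniedSid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply to the local policy. -Merge keeps rules already present; omit it to replace them.
#    For a domain GPO, add -Ldap "LDAP://<DC>/CN={<GPO-GUID>},CN=Policies,CN=System,DC=<domain>,DC=<tld>".
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. Detection check: each blocked launch is logged as event ID 8004 in the AppLocker log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run the dry run in step 4 before step 5 whenever you change a policy: a Deny collection that is enabled without the default allow rules blocks everything the chosen users try to run, which is the failure the article's "create the default rules" dialog exists to prevent.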
Wrap Up
There are moments when you would need to deny certain local or domain users from opening certain applications, files, or folders. By using AppLocker, which is integrated into Windows 11, you can create policies and block targets by publisher, path, or file hash.
This article covers step-by-step instructions on how to do it.