This tutorial will show you how to use AppLocker to create a rule to allow or block executable (.exe and .com) files to run for all or specific users and groups in Windows 10 and Windows 11.
AppLocker is included in Local Security Policy (secpol.msc) to configure Application Control Policies in the Pro, Enterprise, and Education editions of Windows 10 and Windows 11. Local Security Policy is not available in the Home edition.
AppLocker executable rules conceptually apply to files with the .exe and .com extensions that are associated with an app. However, AppLocker executable rules actually apply to any portable executable (PE) file, regardless of the file's extension. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths can run. The following table lists the default rules that are available when added for the executable rule collection.
Any executable file not allowed by the default rules below will automatically be blocked by default unless you create a new rule to allow it for a user or group.
If you want to block an executable file allowed by the default rules below, you will need to create a new rule to block (deny) it for a user or group.
Purpose | Name | User | Rule condition type |
|---|---|---|---|
| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files | BUILTIN\Administrators | Path: * |
| Allow all users to run executable files in the Windows folder | (Default Rule) All files located in the Windows folder | Everyone | Path: %windir%* |
| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder | Everyone | Path: %programfiles%* |
References:
What Is AppLocker
This article for the IT professional describes what AppLocker is.
learn.microsoft.com
Executable rules in AppLocker
This article describes the file formats and available default rules for the executable rule collection.
learn.microsoft.com
You must be signed in as an administrator to use AppLocker.
AppLocker Executable rules are saved to the registry key below.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
EXAMPLE: "This app has been blocked by your system administrator" message when open a blocked executable file
Here's How:
1 Open Local Security Policy (secpol.msc).
2 Expand open Application Control Policies in the left pane of the Local Security Policy window, click/tap on AppLocker, and click/tap on the Configure rule enforcement link on the right side. (see screenshot below)
3 In the Enforcement tab under Executable rules, check Configured to Enforce rules, and click/tap on OK. (see screenshot below)
This setting is what enforces any "Executable rules" you create.
4 Perform the steps below to add default rules for Packaged app Rules: (see screenshots below)
If this step is not done, AppLocker can block Microsoft Store apps from running.
If you already have the "(Default Rule) All signed packaged apps" allowed for everyone like in the right screenshot below, then you can skip this step and go to step 5 instead.
- Expand open AppLocker.
- Right click on Packed app Rules.
- Click/tap on Create Default Rules.
5 Perform the steps below to add default rules for "Executable Rules": (see screenshots below)
If this step is not done, AppLocker can block all executable files from running.
If you already have all the executable default rules like in the right screenshot below, then you can skip this step and go to step 6 instead.
- Expand open AppLocker.
- Right click on Executable Rules.
- Click/tap on Create Default Rules.
6 Right click on Executable Rules, and click/tap on Create New Rule. (see screenshot below)
7 Click/tap on Next. (see screenshot below)
8 Under Action, select (dot) Allow or Deny (block) for how you want this rule applied. (see screenshot below)
9 If you want to select a specific User or group instead of the default Everyone to apply this rule to, then follow the steps below:
If you want to allow or block executable file(s) for the default Everyone, then go to step 10 instead.
A) Click/tap on Select. (see screenshot below)
B) Click/tap on the Advanced button. (see screenshot below)
C) Click/tap on the Find Now button. (see screenshot below)
D) Select a user or group you want to allow or block executable file(s) for, and click/tap on OK. (see screenshot below)
E) Click/tap on OK. (see screenshot below)
10 Click/tap on Next. (see screenshot below)
11 Select (dot) Path, and click/tap on Next. (see screenshot below)
12 Do step 13 (file) or step 14 (folder/drive) below for the file or folder path you want to specify to allow or block executable files.
13 Allow or Block Specific Executable File
A) Click/tap on the Browse Files button. (see screenshot below)
B) Select the EXE or COM file type you want in the drop menu, navigate to and select the EXE or COM file, and click/tap on Open. (see screenshot below)
C) Click/tap on Create, and go to step 15. (see screenshot below)
14 Allow or Block All Executable Files in a Specific Folder or Drive
A) Click/tap on the Browse Folders button. (see screenshot below)
B) Navigate to and select the folder or drive you want, and click/tap on OK. (see screenshot below)
C) Click/tap on Create, and go to step 15. (see screenshot below)
15 This new rule will now be added for "Executable Rules". (see screenshots below)
To undo and remove this rule, you can right click on the rule, click/tap on Delete, and click/tap on Yes to confirm.
That's it,
Shawn Brink
Related Tutorials
Last edited:
