configure AppLocker to restrict win10 and win11 users

Question

Hi all,

I have to restrict users to install and execute apps not authorized.

They must be able to run what is currently installed on their PC (win10 and win11.

I'm not sure the configuration to apply. This is what I'm going to do:

1. for each section (EXE, installer, script, packaged apps) create default rules
2. for the section EXE rules create automatically (allowed everyone) under the folders "c:\program files" and "c:\program files (x86)"
3. for each section (EXE, installer, script, packaged apps) enforce rules

is it correct?

thank you

Answer 1

Hello there,

If the users do not have local administrator access, you may simply disable per-user installations via Group Policy.

DisableUserInstalls is a machine policy that will block per-user installations. There is also an option for "hiding" existing per-user installed applications in favour of the per-computer installed versions.

To configure:

Open gpmc.msc, select the GPO to which you will add the policy.

Navigate Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Installer.

Set the policy "Prohibit User Install" to "Enabled".

[Optional] Set the policy "User Install Behavior" to "Hide User Installs".

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Double post

Answer 3

Thank you, the users haven't admin rights (all of them only in Users localgroup) but my boss want to implement also AppLocker.

What do you think of the 3 steps above?

they are ok?