Configure AppLocker to restrict Win10 and Win11 users

Ale Madama 276 Reputation points

Hi all,

I have to restrict users from installing and executing unauthorized apps.

They must be able to run what is currently installed on their PC (Win10 and Win11).

I'm not sure about the configuration to apply. This is what I'm going to do:

  1. For each section (EXE, installer, script, packaged apps), create default rules.
  2. For the EXE section, automatically generate rules (allow Everyone) under the folders "c:\program files" and "c:\program files (x86)".
  3. For each section (EXE, installer, script, packaged apps), enforce rules.

Is this correct?

Thank you


3 answers

  1. Limitless Technology 43,916 Reputation points

    Hello there,

    If the users do not have local administrator access, you may simply disable per-user installations via Group Policy.

    DisableUserInstalls is a machine policy that will block per-user installations. There is also an option for "hiding" existing per-user installed applications in favour of the per-computer installed versions.

    To configure:

    Open gpmc.msc, select the GPO to which you will add the policy.

    Navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Installer.

    Set the policy "Prohibit User Install" to "Enabled".

    [Optional] Set the policy "User Install Behavior" to "Hide User Installs".

    Hope this resolves your query!

    --If the reply is helpful, please upvote and accept it as an answer--

  2. Limitless Technology 43,916 Reputation points

    Double post


  3. Ale Madama 276 Reputation points

    Thank you, the users don't have admin rights (all of them are only in the Users local group), but my boss also wants to implement AppLocker.

    What do you think of the 3 steps above?

    Are they OK?

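The three steps from the question, sketched as an added PowerShell example (not posted by anyone in the thread) that generates the EXE rules in audit mode and dry-runs them before anything is enforced. It assumes an elevated session on a reference PC that already has the approved software installed; the output path, the `Baseline` rule prefix and the sample files are choices made for this example.

```powershell
# Added example, not from the thread. Run elevated on a reference PC.
$outFile = Join-Path $env:TEMP 'AppLocker-Audit.xml'   # assumed output path
$folders = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

# Step 2: inventory every executable under both Program Files folders.
$files = foreach ($dir in $folders) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe `
        -ErrorAction SilentlyContinue
}

# Publisher rules for signed files, hash rules as the fallback for unsigned ones.
$xmlText = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize `
    -IgnoreMissingFileInformation -Xml

# Step 3, but in audit mode first: nothing is blocked, decisions are only logged.
[xml]$doc = $xmlText
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($outFile)

# Dry run against two sample files. notepad.exe sits under %WINDIR%, which the
# generated rules do not cover, so it reports DeniedByDefault here: that gap is
# what the default rules from step 1 are there to close.
$samples = @(
    "$env:SystemRoot\System32\notepad.exe"
    (Get-ChildItem $folders[0] -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
        Select-Object -First 1).FullName
)
Test-AppLockerPolicy -XmlPolicy $outFile -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy and start the Application Identity service,
# which AppLocker needs in order to evaluate rules at all.
Set-AppLockerPolicy -XmlPolicy $outFile -Merge
sc.exe config AppIDSvc start= auto
Start-Service AppIDSvc

# Event 8003 = "would have been blocked if the policy were enforced".
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 `
    -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

Once the 8003 events stop showing software the users legitimately need, the same XML can be switched from `AuditOnly` to `Enabled`.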