Hello,
I am looking for helps blocking executables and unwatned apps from being ran on corporate and field PCs. We have windows pro and enterprise editions and I am looking for what would be the most efficient way of doing this. I have tried configuration profiles in intune which give mixy results with delays in processing the rules. I tried using application control within local security policy on a test PC, and this gave me a few different configurations that I can block the store entirely, but that blocks all of the apps that windows and microsoft publish. This makes things like the camera and calculator and basic windows services to be blocked --not good. I tried a test user group to apply to app control policies too and it seemed to apply it to admins as well being my admin profile. So to conclude, I am wanting to find a way to block executables from running at the user level, but if we need to remote into a pc and download something, we can with our admin permissions.
This seemed to change whenever apps became a thing, haha. But I feel like im close to getting what I want, its just fine tuning it.
This is also for windows 10 and 11 devices.
This is the XML file i found and have been trying at this link in order to allow the store, but block microsoft apps from being downloaded. It doesnt only work for one user, it works on the device. Even though I have the exception for the user added ( https://call4cloud.nl/2020/06/managing-apps-in-the-microsoft-store/ )
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="617edd5b-3360-4281-9724-21e453587fce" Name="Whitelist Store apps" Description="Allow Store apps while whitelisting store." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="617edd5b-3360-4281-9724-21e443587fce" Name="Whitelist Microsoft Windows app" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=MICROSOFT Windows, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)