How to configure AppLocker Group Policy to prevent software from running

بسم الله الرحمن الرحيم

 Firstly: What is AppLocker?

AppLocker is a set of Group Policy settings that evolved from Software Restriction Policies, to restrict which applications can run on a corporate network, including the ability to restrict based on the application’s version number or publisher.

  • Click Start – All programs – Administrative Tools – Group Policy Management.
  • Create or Edit Group Policy Objects.
  • Expand Computer Configuration –  Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker .
  • In right pane click on Configure rule enforcement


  1. Executable rules: .exe, .com
  2. Windows Installer rules: .msi, .msp
  3. Scripts rules: .ps1, .bat, .cmd, .vbs, .js
  • Under Executable rules check configured box and select Enforce rules then click ok
  • In left pane under AppLocker right click on Executable Rules  then  select Create New Rule
  • Select Deny and select what user or group will prevent.


Publisher rules: This condition identifies an application based on its digital signature and extended attributes. The digital signature contains information about the company that created the application (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the application is part of and the version number of the application.

Path rules: This condition identifies an application by its location in the file system of the computer or on the network.

File hash: This condition identifies an application which is not digitally signed can be restricted by a file hash rule instead of a publisher rule.

  • Select Publisher and click Next

  • Click browse then select executable file example.exe
  • Choose any options from prevent with any publisher, publisher, product name, file name and file version then click Next.

  • Read it and click Next
  •   Click Create
  • You will now be prompted to create some default rules that ensure that you don’t accidently stop Windows from working. Click “Yes” to this if you don’t already have these rules created.


If you want to apply this role on computer administrator then right-click on the BUILTIN\Administrators rule and click Delete

Now we will active the Application Identity service to enable AppLocker on the computers

  • In the same Group Policy Object you were just editing Computer Configuration – Policies – Windows Settings – Security Settings – System Services
  • Right click Application Identity service then properties
  • Check Define this policy setting box and Automatic then OK.

Now when users try run program he will get this


About Mohamed Abd Elhamid

Microsoft System Administrator

Posted on October 23, 2011, in Group Policy, HOW TO ? and tagged , , , , , , , . Bookmark the permalink. 9 Comments.

  1. Cool stuff 🙂 Keep up the great job 🙂

  2. after configure this rule the administrator not loging !!!!! i have the big problem

  3. what relation between this rule and administrator login? explain me more

  4. Very good. Still helped me in Win Server 2012.

  5. great article! Thanks.

  6. hi, Thanks for such a great article, I have one concern, where i have to link this GPO. I mean on users OU or Computer OU.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: