How to Use AppLocker to Allow or Block Executable Files from Running in Windows 10


AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps (also known as Microsoft Store apps), and packaged app installers.

AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an app. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following table lists the default rules that are available for the executable rule collection.

Any executable file not allowed by the default rules below will be blocked by default unless you create a new rule to allow it for a user or group.

If you want to block an executable file allowed by the default rules below, you will need to create a new rule to block (deny) it for a user or group.

| Purpose | Name | User | Rule condition type |
|---|---|---|---|
| Allow members of the local Administrators group access to run all executable files | (Default Rule) All files | BUILTIN\Administrators | Path: * |
| Allow all users to run executable files in the Windows folder | (Default Rule) All files located in the Windows folder | Everyone | Path: %windir%\* |
| Allow all users to run executable files in the Program Files folder | (Default Rule) All files located in the Program Files folder | Everyone | Path: %programfiles%\* |


This tutorial will show you how to use AppLocker to allow or block specified executable (.exe and .com) files to run for all or specific users and groups in Windows 10 Enterprise and Windows 10 Education.

You must be signed in as an administrator to use AppLocker.


EXAMPLE: "This app has been blocked by your system administrator" message when any user opens a blocked executable (.exe and .com) file



Here's How:

1. Open an elevated command prompt.

2. Copy and paste the command below into the elevated command prompt, press Enter, and close the elevated command prompt when it has finished.

This command makes sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.

sc config "AppIDSvc" start= auto & net start "AppIDSvc"

3. Open Local Security Policy (secpol.msc).

4. Expand Application Control Policies in the left pane of the Local Security Policy window, click/tap on AppLocker, and click/tap on the Configure rule enforcement link on the right side.

5. Check the Configured box under Executable rules, and click/tap on OK.

6. Expand AppLocker in the left pane of the Local Security Policy window, click/tap on Packaged app Rules, right click or press and hold on Packaged app Rules, and click/tap on Create Default Rules.

If this step is not done, AppLocker will block all Microsoft Store apps from running.

7. Click/tap on Executable Rules, right click or press and hold on Executable Rules, and click/tap on Create Default Rules.

If this step is not done, AppLocker will block all executable files from running by default unless allowed by a created rule.

8. Right click or press and hold on Executable Rules, and click/tap on Create New Rule.

9. Click/tap on Next.

10. If you would like to specify a user or group to enforce this rule on, click/tap on Select.

The default setting is Everyone for all users and groups.

A) Click/tap on the Advanced button.

B) Click/tap on the Find Now button.

C) Select a user or group you want, and click/tap on OK.

D) Click/tap on OK.

11. Select (dot) Allow or Deny for what you want, and click/tap on Next.

12. Select (dot) Path, and click/tap on Next.

13. Do step 14 (file) or step 15 (folder/drive) below for the file or folder path you want to specify to allow or block.


 14. To Specify an Executable File Path to Allow or Block

A) Click/tap on the Browse Files button.

B) Select if you want to allow or block an .exe or .com file in the drop-down menu at the bottom right corner.

C) Navigate to and select the .exe or .com file you want to allow or block.

D) Click/tap on Open, and go to step 16 below.


 15. To Specify a Folder or Drive Path to Allow or Block All Executable Files in the Folder or Drive

A) Click/tap on the Browse Folders button.

B) Navigate to and select a folder or drive you want to allow or block all executable (.exe and .com) files in.

C) Click/tap on OK, and go to step 16 below.

16. Click/tap on Next.

17. Click/tap on Next.

18. Click/tap on Create.

19. Your new rule for "Executable Rules" will now be created.

20. Repeat steps 8 to 19 if you would like to create another new rule to allow or block another executable file for a user or group.

21. When finished, you can close the Local Security Policy window.
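
The Deny path rule built in steps 8 to 19 can also be added and then verified from an elevated PowerShell session with the AppLocker cmdlets. This is an added example, not part of the original tutorial; the folder C:\Tools, the rule name, and the temporary file names are assumed placeholders.

```powershell
# Added example, not from the original tutorial. Run in an elevated Windows
# PowerShell session. C:\Tools is an assumed placeholder folder that exists.
$folder     = 'C:\Tools'
$policyFile = Join-Path $env:TEMP 'applocker-deny-tools.xml'
$backupFile = Join-Path $env:TEMP 'applocker-local-backup.xml'

# Step 2 equivalent check: rules are not enforced unless AppIDSvc is running.
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Write-Warning 'Application Identity service is not running.'
}

# Save the current local policy so the change can be rolled back.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $backupFile

# One Deny path rule for Everyone (well-known SID S-1-1-0, the wizard default).
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny executables in $folder"
                  Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$folder\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Out-File -FilePath $policyFile

# Merge the rule into the local policy, the same store secpol.msc edits.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Verify the decision per file: executables in the folder should be Denied,
# while a Windows binary is still Allowed by the default rules from step 7.
$targets  = @(Get-ChildItem -Path $folder -Filter *.exe | ForEach-Object FullName)
$targets += Join-Path $env:windir 'System32\notepad.exe'
Get-AppLockerPolicy -Local |
    Test-AppLockerPolicy -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Blocked launches are logged as event ID 8004 in the AppLocker EXE and DLL log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

A Deny rule for Everyone also applies to members of the Administrators group, because deny rules take precedence over the default allow rules. To roll back, run Set-AppLockerPolicy -XmlPolicy $backupFile without -Merge, which overwrites the local policy with the saved copy.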


That's it,
Shawn Brink