One of the most common questions I get about managing Windows computers is how to prevent end users from running applications that either are not authorized or may be malicious. I wrote a series a few years ago on using AppLocker in Windows 7 to control which applications are whitelisted (allowed to run) and blacklisted (not allowed to run) to address those questions. Windows 8 offers some updates to AppLocker for controlling packaged apps (also known as Metro, Modern, or Windows Store apps) as well as still being able to control executables, Windows Installers (.msi files), and scripts.
Before we get started, there are a few caveats and things you need to know. First, AppLocker is only available in Windows 8+ Enterprise and Windows Server 2012+. If you’re running Windows 8.x Professional, you’ll need to install the Enterprise SKU. Second, I highly encourage you to check out my original series on AppLocker in Windows 7. All of the information there still applies to Windows 8 and is very helpful if you want to control more than just packaged apps.
Using the Group Policy Management Console (GPMC) on a Windows 8+ (or Server 2012+) management station, we’ll need to edit an existing Group Policy Object (GPO) or create a new one for our AppLocker policies that applies to Computer objects. In the GPO, find your way to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Under AppLocker, you’ll see the areas for Executable Rules, Windows Installer Rules, Script Rules, and the new Packaged app Rules.
AppLocker in the Group Policy Management Editor
If you click the “Packaged app Rules” section, you’ll see that there are no rules by default. In AppLocker, we can control applications in two ways. The first option is to allow all applications by default and simply block those that we don’t want to run. The second option is to deny all applications by default and only allow those that we do want to run. (I’ve discussed both options in a bit more detail here.)
Creating the default rule
If you want to allow packaged apps by default, you’ll need to create the default rule for packaged apps that allows them to run by default. Right-click Packaged app Rules and choose Create Default Rules.
Create the Default Rule for packaged apps
After doing this, you’ll have a default rule that allows all users to run any packaged app on the system.
Creating additional rules
Right-click Packaged app Rules again and choose Create New Rule. This will open the wizard to create rules for additional packaged apps on the system. Click Next to bypass the Before You Begin screen and go to the Permissions screen. Here, you can choose whether the packaged app will be whitelisted (Allow) or blacklisted (Deny) along with which users can run (or can’t run) the app. After choosing your options, click Next.
Permissions screen in the Create Packaged app Rules wizard
On the Publisher screen, we can use packaged apps that are already installed on the system as a reference for writing the AppLocker rule. Click the Select button to see a list of packaged apps on the computer.
List of default packaged apps in Windows 8.1
The app I’m most asked about blocking is the OneDrive (formerly SkyDrive) app, so we’ll select that one as an example and click OK. Like in the other areas of AppLocker, you can use the slider to choose publisher, package name, or package version.
Publisher screen in the Create Packaged app Rules wizard
Using the Publisher option is good if you want to allow or block apps from a specific vendor. For example, you could allow all Microsoft apps by default but not apps from other publishers. Just be aware that some publishers (including Microsoft) use more than one variation of their name in the Publisher field. In most cases, if you intend to block a specific packaged app, you’ll use the “Package name” field.
Click Next when you’re finished with the publisher options to go to the Exceptions screen. The Exceptions screen lets you exclude specific apps that the rule would otherwise cover. Click Next to advance to the Name screen. Set a name for the AppLocker rule and click Create.
Turning on AppLocker
We need to enable two things for AppLocker to enforce our rules. First, we’ll need to run services.msc and enable the Application Identity Service. (You can enable it permanently as part of the GPO using Part 4: Deployment.) Next, you’ll need to enable enforcement of the packaged app rules. To do this, right-click AppLocker in the same area of the GPO we’ve been working in and choose Properties. Under Packaged app rules, check the Configured checkbox and set the pull-down to Enforce rules. Click OK to save the settings.
Set Packaged app Rules to enforce rules in AppLocker Properties
If we run a quick gpupdate.exe on our test system, we can try running the OneDrive packaged app to see what happens.
Enforcement of a packaged app rule
As you can see, I received an error: “This app has been blocked by your system administrator. Contact your system administrator for more info.”
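The same result scripted in PowerShell, as an added example that is not from the article: it reads the OneDrive package identity from a reference machine (the wizard’s Select button does the same), writes the default allow rule plus a package-name Deny rule into the GPO, turns on the Application Identity service, and verifies the block with Test-AppLockerPolicy and the packaged app event log. The GPO LDAP path and the “*SkyDrive*” name filter are assumptions.

```powershell
# Added example, not code from the article. Assumes a reference Windows 8.1 machine with the
# OneDrive app installed; $GpoLdap and the "*SkyDrive*" filter are placeholders/assumptions.
$GpoLdap = "LDAP://DC1.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local"
$OneDrive = Get-AppxPackage | Where-Object { $_.Name -like "*SkyDrive*" } | Select-Object -First 1
if (-not $OneDrive) { throw "OneDrive packaged app not found on this reference machine" }

# Same identity data the wizard's Select button reads: signer (publisher) and package name.
$pub = (Get-AppLockerFileInformation -Packages $OneDrive).Publisher
$pubName = [System.Security.SecurityElement]::Escape($pub.PublisherName)
$pkgName = [System.Security.SecurityElement]::Escape($pub.ProductName)

# New-AppLockerPolicy only generates Allow rules, so the Deny rule is written as policy XML.
# The first rule is the default rule from the article; drop it if the GPO already has one.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $pkgName"
                       Description="Blocks the OneDrive packaged app, any version" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$pubName" ProductName="$pkgName" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Write the rules into the GPO (-Merge keeps the other rule collections), then make this
# machine enforce them: Application Identity service on, policy refreshed.
$path = Join-Path $env:TEMP "appx-deny-onedrive.xml"
$policyXml | Set-Content -Path $path -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $path -Ldap $GpoLdap -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
gpupdate.exe /target:computer /force | Out-Null

# Check the result without clicking the tile: evaluate the effective policy against the
# package, then look for block events (ID 8022) in the packaged app execution log.
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Packages $OneDrive
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-AppLocker/Packaged app-Execution"; Id = 8022 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```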
Warnings about deny by default
If you’re planning on denying all packaged apps by default and only allowing end users to run specific apps (or apps from specific publishers), you’ll need to take a few things into consideration. Make sure you set an Allow rule for some of the default applications—specifically, the PC settings app. The operating system needs the PC settings app, but other apps, such as Check Point VPN or F5 VPN, may be necessary in your environment as well. You may also need to remove packaged apps when you deploy Windows 8.x to computers so that end users don’t have tiles or shortcuts for apps they can’t use.
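For the deny-by-default approach, an added example (not from the article) that builds the allow list from the packages installed on a reference machine, including the PC settings app, and pilots it in audit mode so that anything missing from the list shows up as event ID 8021 in the log rather than as a blocked app. The GPO LDAP path and the package name patterns for the VPN clients are assumptions.

```powershell
# Added example, not code from the article. Run on a reference Windows 8.x machine with the
# required apps installed; $GpoLdap and the package name patterns are assumptions.
$GpoLdap = "LDAP://DC1.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local"

# Packages that must keep running under deny-by-default: the PC settings app (the OS needs
# it) plus whatever VPN clients your environment uses (the VPN patterns here are placeholders).
$required = @("windows.immersivecontrolpanel", "*CheckPoint*", "*F5*")
$keep = Get-AppxPackage -AllUsers | Where-Object {
    $name = $_.Name
    @($required | Where-Object { $name -like $_ }).Count -gt 0
}
if (-not $keep) { throw "No installed package matched `$required; fix the patterns first" }

# One Allow rule per package, keyed on publisher and package name. With no default rule
# in the collection, every packaged app not listed here is denied once enforcement is on.
$xml = Get-AppLockerFileInformation -Packages $keep |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix "AllowPkg" -Xml

# Pilot in audit mode: apps that would have been blocked are logged as event ID 8021
# instead of failing for the user. Switch to "Enabled" once the log stays quiet.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$path = Join-Path $env:TEMP "appx-allowlist.xml"
$xml | Set-Content -Path $path -Encoding UTF8

# -Merge adds to whatever the GPO already holds. If the default "all signed packaged apps"
# rule is already in the GPO, delete it in the GPMC first; otherwise this allow list is moot.
Set-AppLockerPolicy -XmlPolicy $path -Ldap $GpoLdap -Merge

# After the pilot: which packages tried to run that the allow list does not cover?
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-AppLocker/Packaged app-Execution"; Id = 8021 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Sort-Object Message -Unique
```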