In Windows 8, end users can easily install Window Store apps whenever they want. In this article, I’ll show you how you can use AppLocker to control which Windows Store (Metro/Modern) apps end users can run without disabling the store completely.

One of the most common questions I get about managing Windows computers is how to prevent end users from running applications that either are not authorized or may be malicious. I wrote a series a few years ago on using AppLocker in Windows 7 to control which applications are whitelisted (allowed to run) and blacklisted (not allowed to run) to address those questions. Windows 8 offers some updates to AppLocker for controlling packaged apps (also known as Metro, Modern, or Windows Store apps) as well as still being able to control executables, Windows Installers (.msi files), and scripts.

Before we get started, there are a few caveats and things you need to know. First, AppLocker is only available in Windows 8+ Enterprise and Windows Server 2012+. If you’re running Windows 8.x Professional, you’ll need to install the Enterprise SKU. Second, I highly encourage you to check out my original series on AppLocker in Windows 7. All of the information there still applies to Windows 8 and is very helpful if you want to control more than just packaged apps.

Using the Group Policy Management Console (GPMC) on a Windows 8+ (or Server 2012+) management station, we’ll need to edit an existing Group Policy Object (GPO) or create a new one for our AppLocker policies that applies to Computer objects. In the GPO, find your way to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Under AppLocker, you’ll see the areas for Executable Rules, Windows Installer Rules, Script Rules, and the new Packaged app Rules.

AppLocker in the Group Policy Management Editor

AppLocker in the Group Policy Management Editor

If you click the “Packaged app Rules” section, you’ll see that there are no rules by default. In AppLocker, we can control applications in two ways. The first option is to allow all applications by default and simply block those that we don’t want to run. The second option is to deny all applications by default and only allow those that we do want to run. (I’ve discussed both options in a bit more detail here.)

Creating the default rule

If you want to allow packaged apps by default, you’ll need to create the default rule for packaged apps that allows them to run by default. Right-click Packaged app Rules and choose Create Default Rules.

Create the default rule for Packaged apps

Create the Default Rule for packaged apps

After doing this, you’ll have a default rule that allows all users to run any packaged app on the system.

Creating additional rules ^

Right-click Packaged app Rules again and choose Create New Rule. This will open the wizard to create rules for additional packaged apps on the system. Click Next to bypass the Before You Begin screen and go to the Permissions screen. Here, you can choose whether the packaged app will be whitelisted (Allow) or blacklisted (Deny) along with which users can run (or can’t run) the app. After choosing your options, click Next.

Permissions screen in the Create Packaged app Rules wizard

Permissions screen in the Create Packaged app Rules wizard

On the Publisher screen, we can use packaged apps that are already installed on the system as a reference for writing the AppLocker rule. Click the Select button to see a list of packaged apps on the computer.

List of default packaged apps in Windows 8.1

List of default packaged apps in Windows 8.1

The app I’m most asked about blocking is the OneDrive (formerly SkyDrive) app, so we’ll select that one as an example and click OK. Like in the other areas of AppLocker, you can use the slider to choose publisher, package name, or package version.

Publisher screen in the Create Packaged app Rules wizard

Publisher screen in the Create Packaged app Rules wizard

Using the Publisher option is good if you want to allow/block apps from a specific vendor. For example, you could allow all Microsoft apps by default, but not apps from other publishers. Just be aware that some publishers (including Microsoft) may use different variations in names in the Publisher field. In most cases, if you intend to block a packaged app, you’ll most likely use the “Package name” field.

Click Next when you’re finished with the publisher options to go to the Exceptions screen. The Exceptions screen lets you add options that would normally be included in the rule. Click Next to advance to the Name screen. Set a name for the AppLocker rule and click Create.

Turning on AppLocker ^

We need to enable two things for AppLocker to enforce our rules. First, we’ll need to run services.msc and enable the Application Identity Service. (You can enable it permanently as part of the GPO using Part 4: Deployment.) Next, you’ll need to enable enforcement of the packaged app rules. To do this, right-click AppLocker in the same area we’ve been working in the GPO and choose Properties. Click the Configured checkbox and set the pull-down to Enforce rules. Click OK to save the settings.

Set Packaged app Rules to enforce rules in AppLocker Properties

Set Packaged app Rules to enforce rules in AppLocker Properties

Testing ^

If we run a quick gpupdate.exe on our test system, we can try running the OneDrive packaged app to see what happens.

This app has been blocked by your system administrator

Enforcement of a packaged app rule

As you can see, I received an error: “This app has been blocked by your system administrator. Contact your system administrator for more info.”

Warnings about deny by default ^

If you’re planning on denying all packaged apps by default and only allowing end users to run specific apps (or apps from specific publishers), you’ll need to take a few things into consideration. Make sure you set an Allow rule for some of the default applications—specifically, the PC settings app. The operating system needs the PC settings app, but other apps, such as Check Point VPN or F5 VPN, may be necessary in your environment as well. You may also need to remove packaged apps when you deploy Windows 8.x to computers so that end users don’t have tiles or shortcuts for apps they can’t use.

9 Comments
  1. Kasun 6 years ago

    Can do this in domain controller to deploy to client PCs

    • Author

      I'm not totally sure I understand the question. The Group Policy is stored on the Domain Controllers and can technically be edited there, but I would edit Group Policy from a management station, not the DC.

  2. Kasun 6 years ago

    when i configure it through GPO how can i point the packages to blocked app the apps install in client PC are not include in windows server

    Thanks

    • Author

      The computer will have to be joined to Active Directory, have the GPO applied to it, and be a SKU that supports AppLocker.

  3. hifz 6 years ago

    I am implementing App Locker in Windows 10 Enterprise. I can white list Selected Apps, but my Windows store is also getting blocked. I am not using default rules. Can you help?

    • Author

      It sounds like you have your Packaged app Ruled Configured and set to Enforce rules. If you're not using any rules, then the default is going to be to block everything. You'll need to allow/whitelist the Windows Store app along with any other apps you want users to be able to access.

  4. Bruno 6 years ago

    I have a domain in a DC (Server 2012 R2) with five hundred client machines (Windows 10). I want to deploy GPO rule to block access to all store applications except one. Is this possible?
    I trieyed to use applocker on the DC but it does not show any store app. Do i have to install all client apps in DC?

    • Author

      You shouldn't be logging into a DC to manage Group Policy; you should be using a management station. I would set up a Windows 10 box, install RSAT, install your application that you want to allow, and then write your rules.

  5. StephenW 5 years ago

    windows 10 1607, I would it so users can download approved apps. ATM they can visit the store, search and click on download, but then we get a error MSG, but if i have (Default Rule) All signed packaged apps / Everyone (right click on packaged app rule and select create default rules) then they can download apps, but they can download and run anything they want. ideas? is there an app that controls the downloads? Folder permissions?

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account