In this guide, I will be demonstrating how to block certain apps from running on this computer. This can be achieved via the group policy and by tweaking the registry settings.
Block Apps: I will be demonstrating how this is done via the registry and group policy.
– Via the Registry Settings: Launch the registry settings using “regedit.exe” from the search button and accept the UAC as shown below
This will open the Registry Editor. Navigate through the registry hive to the following key as shown below.
– HKEY_CURRENT_USER
– SOFTWARE
– Microsoft
– Windows
– CurrentVersion
– Policies
Next, create a new sub-key inside the Policies key.
– Right-click the Policies key,
– Select New
– Select Key,
– Name the new key Explorer
Next, create a value inside the new Explorer key by right-clicking on the Explorer key and
– Select New
– Select DWORD (32-bit) value
– Name the new value DisallowRun
Next, double click the new “DisallowRun” value (This will open its properties window)
– Change the value from 0 to 1 in the “Value data” box
– Finally, click on then click “OK.”
Next, you will have to create a new sub-key in the Explorer key by performing the following below.
– Right clicking on the Explorer key
– Select New
– Select Key.
– Name the new key DisallowRun
In the next steps, we will start populating (adding) the apps we wish to block. Below are the steps to achieve this.
– Create a new string value inside the DisallowRun key (You will do this for every application you desire to block).
– Right-click on the DisallowRun value
– Select New
– Select String-Value.
Modify the value to 1 as shown below (we will have to start the numbering from 1 (one).
Now, double-click the new value to open its property windows
– Enter the name of the executable you want to block into the “Value data” as shown below. In my example, I will be blocking Internet Explorer from running.
When you hit “ok”, the string should look this way in the registry editor.
This process should be repeat by naming each string alphabetically from value “2”, “3” and “4” etc., for each and editing the properties by adding the the executable file you wish to block. I only had to block the explorer in my lab and this is enough to work you through.
When you are done, ensure you restart your device to have the settings applied.
– Note: If you do not restart, the settings will not be applied. When you try to launch Internet Explorer after restarting, you will get the following message below.
This can be achieved via Group policy as well. I will be testing with Notepad++ using group policy .
Via Group Policy Object: Launch “group policy as shown below,
In the Group Policy window navigate through the
– User Configuration
– Administrative Templates
– System.
Next, click on “Enabled”
– Click on show as shown below
In the Show Contents dialog box,
– Click on every line in the list and type the name of the executable you do not want users to run.
– Click on “OK.”
The settings will display enabled as shown below.
To ensure the settings applies immediately, run “gpupdate” via the command prompt as shown below.
for the difference between GPUpdate and GPUpdate/force, see https://techdirectarchive.com/2020/02/26/all-about-gpupdate-switches-gpupdate-vs-gpupdate-force/
Now when you try to launch Notepad++, the following restriction message will be prompted as shown below.
Note, the registry and group policy steps for blocking and apps are also similar to permitting only specific apps to run in Windows.
See the following link below on how to permit only a specify app to run https://techdirectarchive.com/2020/03/15/how-to-permit-run-only-certain-apps-in-windows/