Windows 10: Use AppLocker to Allow or Block Windows Installer Files in Windows 10

How to: Use AppLocker to Allow or Block Windows Installer Files in Windows 10

How to Use AppLocker to Allow or Block Windows Installer Files from Running in Windows 10


packaged apps (aka: Microsoft Store apps), and packaged app installers.

AppLocker defines Windows Installer rules to include only the .msi, .msp, and .mst file formats.

The purpose of this rule collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection.

Any Windows Installer file not allowed by the default rules below will automatically be blocked by default unless you create a new rule to allow it for a user or group.

If you want to block a Windows Installer file allowed by the default rules below, you will need to create a new rule to block (deny) it for a user or group.

[table][tr]Purpose Name User Rule condition type [/tr] [tr][td]Allow members of the local Administrators group to run all Windows Installer files[/td] [td](Default Rule) All Windows Installer files[/td] [td]BUILTIN\Administrators[/td] [td]Path: *[/td] [/tr] [tr][td]Allow all users to run Windows Installer files that are digitally signed[/td] [td](Default Rule) All digitally signed Windows Installer files[/td] [td]Everyone[/td] [td]Publisher: * (all signed files)[/td] [/tr] [tr][td]Allow all users to run Windows Installer files that are located in the Windows Installer folder[/td] [td](Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer[/td] [td]Everyone[/td] [td]Path: %windir%\Installer*[/td] [/tr] [/table]

See also:

• AppLocker (Windows 10) | Microsoft Docs
• What Is AppLocker (Windows 10) | Microsoft Docs
• ​How AppLocker works (Windows 10) | Microsoft Docs
• Requirements to use AppLocker (Windows 10) | Microsoft Docs
• Windows Installer rules in AppLocker (Windows 10) | Microsoft Docs

This tutorial will show you how to use AppLocker to allow or block specified Windows Installer (.msi, .msp, and .mst) files to run for all or specific users and groups in Windows 10 Enterprise and Windows 10 Education.

*Warning You must be signed in as an administrator to use AppLocker.


EXAMPLE: "This system administrator has set policies to prevent this installation" message when any user opens a blocked Windows Installer (.msi, .msp, and .mst) file






Here's How:

1. Open an elevated command prompt.

2. Copy and paste the command below into the elevated command prompt, press Enter, and close the elevated command prompt when it has finished. (see screenshot below)

*note This command is to make sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.
*Arrow sc config "AppIDSvc" start=auto & net start "AppIDSvc"




3. Open Local Security Policy (secpol.msc).

4. Expand open Application Control Policies in the left pane of the Local Security Policy window, click/tap on AppLocker, and click/tap on the Configure rule enforcement link on the right side. (see screenshot below)



5. Check the Configured box under Windows Installer rules, and click/tap on OK. (see screenshot below)



6. Expand open AppLocker in the left pane of the Local Security Policy window, right click or press and hold on Windows Installer Rules, and click/tap on Create Default Rules. (see screenshots below)

*note If this step is not done, AppLocker will block all Windows Installer files from running by default unless allowed by a created rule.





7. Right click or press and hold on Windows Installer Rules, and click/tap on Create New Rule. (see screenshot below)



8. Click/tap on Next. (see screenshot below)



9. If you would like to specify a user or group to enforce this rule on, click/tap on Select. (see screenshot below)

*note The default setting is Everyone for all users and groups.




A) Click/tap on the Advanced button. (see screenshot below)



B) Click/tap on the Find Now button. (see screenshot below)



C) Select a user or group you want, and click/tap on OK. (see screenshot below)



D) Click/tap on OK. (see screenshot below)



10. Select (dot) Allow or Deny for what you want, and click/tap on Next. (see screenshot below)



11. Select (dot) Path, and click/tap on Next. (see screenshot below)



12. Do step 13 (file) or step 14 (folder/drive) below for the file or folder path you want to specify to allow or block.


13. To Specify a Windows Installer File Path to Allow or Block
A) Click/tap on the Browse Files button. (see screenshot below)



B) Select if you want to allow or block a .msi, .msp,or .mst file in the drop menu at the bottom right corner. (see screenshots below)

C) Navigate to and select the .msi, .msp,or .mst file you want to allow or block.

D) Click/tap on Open, and go to step 15 below.







14. To Specify a Folder or Drive Path to Allow or Block All Windows Installer Files in the Folder or Drive
A) Click/tap on the Browse Folders button. (see screenshot below)



B) Navigate to and select a folder or drive you want to allow or block all Windows Installer (.msi, .msp, and .mst) files in.

C) Click/tap on OK, and go to step 15 below.




15. Click/tap on Next. (see screenshots below)





16. Click/tap on Next. (see screenshots below)





17. Click/tap on Create. (see screenshots below)





18. Your new rule for "Windows Installer Rules" will now be created. (see screenshot below)



19. Repeat steps 7 to 18 if you would like to create another new rule to allow or block another Windows Installer file for a user or group.

20. When finished, you can close the Local Security Policy window.


That's it,
Shawn


Related Tutorials

• How to Export and Import AppLocker Policy for Rules in Windows 10
• How to Clear AppLocker Policy in Windows 10
• How to Delete an AppLocker Rule in Windows 10
• How to Use AppLocker to Allow or Block Executable Files from Running in Windows 10
• How to Use AppLocker to Allow or Block Script Files from Running in Windows 10
• How to Use AppLocker to Block Microsoft Store Apps from Running in Windows 10
• How to Use AppLocker to Allow or Block DLL Files from Running in Windows 10

:)

 

How to set up AppLocker restrictions on Windows 10 Pro?

Hello @ahmd, *Smile

If you like, here are out AppLocker tutorials below that may be able to help with this for you.

• Use AppLocker to Allow or Block DLL Files from Running in Windows 10
• Use AppLocker to Allow or Block Executable Files in Windows 10
• Use AppLocker to Allow or Block Script Files in Windows 10
• Use AppLocker to Allow or Block Windows Installer Files in Windows 10
• Use AppLocker to Block Microsoft Store Apps in Windows 10
• Export and Import AppLocker Policy for Rules in Windows 10
• Clear AppLocker Policy in Windows 10
• Delete AppLocker Rule in Windows 10

 

How to set up AppLocker restrictions on Windows 10 Pro?

Dude, thanks for the info and sorry for my late reply. I've been bashing my head against it but I still can't make it work. I did everything like it says there but it still didn't do anything. It doesn't block anything. The only difference that I see in your tutorial is this line:

Like I said I have Pro.

 

Windows 10 Tweaks

Pressing “Windows+Pause Break” (it’s up there next to scroll lock) opens the “System” Window.

Windows 10: In the new version of Windows, Explorer has a section called Quick Access. This includes your frequent folders and recent files. Explorer defaults to opening this page when you open a new window. If you’d rather open the usual This PC, with links to your drives and library folders, follow these steps:

• Open a new Explorer window.
• Click View in the ribbon.
• Click Options.
• Under General, next to “Open File Explorer to:” choose “This PC.”
• Click OK

credit to Lifehacker.

 

Installing Windows 10 on New PC?

I'm going to be building a new PC on Christmas and want to install Windows 10 on it. I have Windows 10 on my current PC, which I installed upgrading from 8.1 with the files on a USB. How do I go about installing a clean copy of Windows 10 on this new PC? I think I recall something about installing it once makes Microsoft recognize your hardware, but since this will be a PC I'm not sure what steps I need to take. Do I need to go 8.1 -> 10 or is there a method of going directly to 10?

 

windows xp installation and dual core am

could someone please list the steps they follow to install windows with a dual core processor and windows xp service pack to. I'm reletively new to amd dual core and i feel i'm missing a step. All help will be appreciated. thanx