Windows 10: Use AppLocker to Block Microsoft Store Apps in Windows 10

How to: Use AppLocker to Block Microsoft Store Apps in Windows 10

How to Use AppLocker to Block Microsoft Store Apps from Running in Windows 10


dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

Packaged apps are also known as Universal Windows Platform (UWP) apps from the Microsoft Store or already included with Windows 10.

See also:

• AppLocker (Windows 10) | Microsoft Docs
• What Is AppLocker (Windows 10) | Microsoft Docs
• ​How AppLocker works (Windows 10) | Microsoft Docs
• Requirements to use AppLocker (Windows 10) | Microsoft Docs
• Manage packaged apps with AppLocker (Windows 10) | Microsoft Docs
• ​Packaged apps and packaged app installer rules in AppLocker (Windows 10) | Microsoft Docs
• Create a rule for packaged apps (Windows 10) | Microsoft Docs

This tutorial will show you how to use AppLocker to block specified Microsoft Store apps from running for all or specific users and groups in Windows 10 Enterprise and Windows 10 Education.

*Warning You must be signed in as an administrator to use AppLocker.


EXAMPLE: "This app has been blocked by your system administrator" message when any user opens a blocked app






Here's How:

1. Open an elevated command prompt.

2. Copy and paste the command below into the elevated command prompt, press Enter, and close the elevated command prompt when it has finished. (see screenshot below)

*note This command is to make sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.
*Arrow sc config "AppIDSvc" start=auto & net start "AppIDSvc"




3. Open Local Security Policy (secpol.msc).

4. Expand open Application Control Policies in the left pane of the Local Security Policy window, click/tap on AppLocker, and click/tap on the Configure rule enforcement link on the right side. (see screenshot below)



5. Check the Configured box under Packaged app Rules, and click/tap on OK. (see screenshot below)



6. Expand open AppLocker in the left pane of the Local Security Policy window, right click or press and hold on Packaged app Rules, and click/tap on Create Default Rules. (see screenshots below)

*note If this step is not done, AppLocker will block all Microsoft Store apps from running.





7. Right click or press and hold on Packaged app Rules, and click/tap on Create New Rule. (see screenshot below)



8. Click/tap on Next. (see screenshot below)



9. If you would like to specify a user or group to enforce this rule on, click/tap on Select. (see screenshot below)

*note The default setting is Everyone for all users and groups.




A) Click/tap on the Advanced button. (see screenshot below)



B) Click/tap on the Find Now button. (see screenshot below)



C) Select a user or group you want, and click/tap on OK. (see screenshot below)



D) Click/tap on OK. (see screenshot below)



10. Select (dot) Deny, and click/tap on Next. (see screenshot below)



11. Select (dot) Use an installed packaged app as a reference, and click/tap on Select. (see screenshot below)



12. Check an app (ex: "Your Phone") you want to block, and click/tap on OK. (see screenshot below)



13. Click/tap on Next. (see screenshot below)



14. Click/tap on Next. (see screenshot below)



15. Click/tap on Create. (see screenshot below)



16. Your new rule for "Packaged app Rules" will now be created. (see screenshot below)



17. Repeat steps 7 to 16 if you would like to create another new rule to block a different Microsoft Store app (aka: packaged app) for a user or group.

18. When finished, you can close the Local Security Policy window.


That's it,
Shawn


Related Tutorials

• How to Export and Import AppLocker Policy for Rules in Windows 10
• How to Clear AppLocker Policy in Windows 10
• How to Delete an AppLocker Rule in Windows 10
• How to Use AppLocker to Allow or Block Executable Files from Running in Windows 10
• How to Use AppLocker to Allow or Block Windows Installer Files from Running in Windows 10
• How to Use AppLocker to Allow or Block Script Files from Running in Windows 10
• How to Use AppLocker to Allow or Block DLL Files from Running in Windows 10
• How to Allow or Block Access to Microsoft Store App in Windows 10
• How to Run Microsoft Store Apps at Startup in Windows 10
• How to Enable or Disable Remotely Install Apps from Microsoft Store Online in Windows 10
• How to Enable or Disable Microsoft Store Apps in Windows 10

:)

 

AppLocker Blocks Windows Store Apps Downloads

It's now March 2017, this problem is dragging on since August 2015. I've installed Windows 10 Pro in total 4 times on two machines because of this issue.

My conclusion is that some installer changes the working of AppLocker. But, Windows 10 Pro lacks the ability to change AppLocker settings (you cannot even switch on or off its identity service).

Interestingly, the many people here on 'answers'.microsoft.com trying to answer this question all come up with the same suggestions that do not work (in my case):

• wsreset.exe or run the troubleshooter for apps (https://support.microsoft.com/en-us...790db/run-the-troubleshooter-for-windows-apps)
• Adjust the settings of AppLocker in Local Security Policy (in secpol.msc). This obviously does not work because Windows 10 Pro is not supposed to have AppLocker at all. AppLocker is only available in Enterprise versions.
• Fiddle around with permission settings
• Create c:\Windows\AppReadiness
• Reinstall Windows 10 Pro

The Pro in Windows 10 Pro stands for Probably.: Probably you need to reinstall.

For Microsoft (if you want to do something):

a. The trouble shooter mentions a 'possible' problem with the Store cache. But is does not offer/is unable to do a repair

b. Doing a harddisk chkdsk could result in a blue screen of death and a subsequent repair of Windows (to a previous version).

c. Sometimes (at least in my current installed system), it is possible to add a new user to the system, but that user's settings are defected. That user cannot use the start-menu at all, looks like an even more serious problem there.

 

AppLocker Blocks Windows Store Apps Downloads

For those of you who are suffering from the AppLocker issue...

First, to set context. AppLocker is a built in security mechanism that allows you to control (Block or Allow) "stuff" from running on your computer. In the context of Modern Apps and the Store, it does not prohibit the use of the store, rather the download,
installation, and launch of Modern\Universal Applications.

At our company we have a good number of Windows 8.1 machines in the environment. We use AppLocker to restrict the use of all unknown "Modern Apps" by creating a global Deny rule. In order for all of the "built-in" Windows apps to load correctly (at fist
login and on update), we had to configure the global deny rule with a wildcard(*) exceptions (you do this that have a values of "*" in the scope of the ). This is similar to a typical firewall configuration where you block everything then make your exceptions
of stuff you want to allow. Once you have allowed exceptions, you need to have "allow" rules to pass through the global "deny" rule. That means that you have to create specific allow rules for the apps you want users to be able to download, install, and
launch.

We also have an allow rule for a specific user group that has '*' as the scope. This rule is necessary if you want to give certain users, such as your Desktop Admins, the ability to download, install, and run all modern apps. This was also an important piece
for Developers trying to debug a modern app that they are developing. Without this rule developer will not be able to run their modern apps in Visual Studio. This all worked beautifully with Windows 8.1...along comes Windows 10...

When we first starting building Windows 10 computers, at the time it was 1511, we added new rules to allow all of the new built-in apps. Life was good...or so it seemed. What we found was that any time a modern (or universal app) was trying to update,
that the updates were being blocked with an 0x80073CF9 error in the store. There was also a corresponding event in the AppLocker logs about the blocked attempt.

When 1607 came out we tested the issue again hoping that we'd find that it was magically resolved. As we starting re-testing this AppLocker issue when we found that users who were in the "Allow All Apps" group were getting denied the right to "install"
software by Applocker (I put "install" in quotes intentionally. After doing some troubleshooting and testing on both 1511 and 1607, I found that on both versions the steps to install a modern app are slightly different than they were in Windows 8.1 and that
AppLocker does not like the changes. In W10 and W8.1 when the apps from the store are first downloaded before they are installed. In Windows 8.1, the app is download under the logged in users context. In Windows 10, the download occurs under local SYSTEM
and is then passed over to the user context to perform the install. I figured this my looking closely at the user whom the AppLocker log was written for.

Since "SYSTEM" is not a member of the group that is allowed to use the app (download, install, and run), the action is not allowed to pass through the deny rule exception and AppLocker stops the download process resulting in the 0x80073CF9 error. Just to
prove my theory I added a test rule to allow "NT AUTHORITY\SYSTEM" and everything stared working as they did in Windows 8.1. I was able to update installed apps and new apps from the store.

Additionally, we happen to have a Microsoft consultant onsite so I had him run the same exact tests in his lab. He had the same exact issue. This was not a problem caused by a configuration or policy in our environment.

The bottom line is that Microsoft changed the behavior of how apps are downloaded and installed from the Windows Store. This change broke the way AppLocker works. I REALLY hop that Microsoft fixes this. What I have mentioned in this post is not an acceptable
workaround...I did this as a test.

For security reasons, I HIGHLY DISCOURAGE anyone from giving "NT AUTHORITY\SYSTEM" permissions to install ANYTHING from the store.

 

How to set up AppLocker restrictions on Windows 10 Pro?

Hello @ahmd, *Smile

If you like, here are out AppLocker tutorials below that may be able to help with this for you.

• Use AppLocker to Allow or Block DLL Files from Running in Windows 10
• Use AppLocker to Allow or Block Executable Files in Windows 10
• Use AppLocker to Allow or Block Script Files in Windows 10
• Use AppLocker to Allow or Block Windows Installer Files in Windows 10
• Use AppLocker to Block Microsoft Store Apps in Windows 10
• Export and Import AppLocker Policy for Rules in Windows 10
• Clear AppLocker Policy in Windows 10
• Delete AppLocker Rule in Windows 10

 

How to set up AppLocker restrictions on Windows 10 Pro?

Dude, thanks for the info and sorry for my late reply. I've been bashing my head against it but I still can't make it work. I did everything like it says there but it still didn't do anything. It doesn't block anything. The only difference that I see in your tutorial is this line:

Like I said I have Pro.

 

AppLocker Blocks Windows Store Apps Downloads

That didn't fix my problem.

As I've mentioned, Windows Store opens fine... it's just that downloads get blocked by AppLocker.