CCMEXEC.COM – Enterprise Mobility

Blocking built-in apps in Windows 10 using Applocker

Posted on August 13, 2015 by Jörgen Nilsson

I wrote a blog post earlier about how to uninstall built-in apps from Windows 10 CBB using PowerShell (https://ccmexec.com/2015/08/removing-built-in-apps-from-windows-10-using-powershell/). However, some apps cannot be uninstalled, such as Microsoft Edge, Contact Support and Windows Feedback.

They can be blocked using Applocker instead, which is the best workaround I have found. Blocking them using an Applocker policy works really well: if the user has never logged on to the computer before the Applocker policy is applied, the application (in this case Contact Support) is not installed for the user at all and is therefore not present on Start or in search either, which is really great!

If the user has logged on to the computer before the Applocker policy is applied, the application is present but the user can no longer start it, and will get the message below displayed.

[Screenshot: BlockContactSupport10]

So this method could be used instead of uninstalling the apps, as the end result for the end user is basically the same if they haven’t logged on to the computer before the policy is applied.

The challenge right now is that there is no RSAT for Windows 10 available yet, so creating the policy is a bit of a challenge. I ended up creating the Applocker policy locally on a Windows 10 computer, exporting it, and then importing it on a Windows 2012 R2 server with the Group Policy Management MMC installed.

Here are the steps for creating a Group Policy to block Contact Support. The same steps would be used to block Microsoft Edge and Windows Feedback if that is a requirement for you as well.

1. Create a new Group Policy for this test.

2. Under Computer Configuration\Policies\Windows Settings\Security Settings\System Services, change the startup to Automatic for the Application Identity service. This service must be started for the Applocker policies to be enforced on the client computers.

3. On a Windows 10 computer running the Enterprise version, start Group Policy Editor by typing Edit Group Policy in the taskbar search.

4. Under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\Applocker, right-click and select Properties, then enable Packaged app Rules and select Enforce rules.

5. Then we need to create two Packaged app Rules: one default rule to allow all apps to run, and one rule to block the Contact Support app in this scenario.

6. Right-click Packaged app Rules and select Create Default Rules. This will create a rule that allows all signed apps to be executed. Note that this setting only applies to apps and not Win32 applications.

7. Then we create a new Packaged app Rule by right-clicking Packaged app Rules and selecting Create New Rule.

8. On the next screen we select Deny to block this app from running for Everyone.

9. Then select Use an installed packaged app as a reference and click Select.

10. In the next dialog select the apps you want to block, in my case the Contact Support app, then select OK and Create.

11. Now we have a policy created locally on the Windows 10 computer with the correct policy shown below.

[Screenshot: BlockContactSupport11]

12. In the Applocker node in Group Policy Editor, right-click and select Export Policy. Save the file on a share so you can access it from the computer where you are running the Group Policy Management MMC.

13. On the computer running the Group Policy Management MMC, edit the Group Policy we created in AD in step 1, and under Applocker in the Group Policy Editor select Import Policy and import the policy exported from the Windows 10 computer.

14. You will be prompted that it will overwrite all existing policies.

Now we have a policy that can be deployed to Windows 10 that will block the Contact Support app!

Time to start testing.
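
As an added example (not part of the original post), the PowerShell below checks an exported policy for the settings the steps above depend on: the Packaged app collection set to Enforce rules (step 4), the default allow rule (step 6) and the deny rule (steps 7 to 10). The XML is a constructed sample with placeholder rule Ids and publisher, and Test-PackagedAppPolicy is a hypothetical helper name.

```powershell
# Added example. The XML is a constructed sample of an exported AppLocker policy; rule Ids and the
# publisher are placeholders. For a real export: [xml]$policy = Get-Content -Raw <exported file>
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All signed packaged apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Block Contact Support" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Constructed Publisher" ProductName="Windows.ContactSupport" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Hypothetical helper: summarise the Packaged app (Appx) rule collection of a policy.
function Test-PackagedAppPolicy {
    param([Parameter(Mandatory)][xml]$Policy)
    $appx  = $Policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
    $rules = @($appx.FilePublisherRule) | Where-Object { $_ }

    # Step 6: the default rule lets Everyone (S-1-1-0) run any signed packaged app.
    $defaultAllow = $rules | Where-Object {
        $_.Action -eq 'Allow' -and $_.UserOrGroupSid -eq 'S-1-1-0' -and
        $_.Conditions.FilePublisherCondition.PublisherName -eq '*'
    }

    [pscustomobject]@{
        HasAppxCollection = [bool]$appx
        Enforced          = ($appx.EnforcementMode -eq 'Enabled')   # step 4
        HasDefaultAllow   = [bool]$defaultAllow
        DeniedProducts    = @($rules | Where-Object { $_.Action -eq 'Deny' } |
                              ForEach-Object { $_.Conditions.FilePublisherCondition.ProductName })
    }
}

$result = Test-PackagedAppPolicy -Policy $policy
$result | Format-List
if ($result.Enforced -and -not $result.HasDefaultAllow) {
    Write-Warning 'Packaged app rules are enforced without the default allow rule; every packaged app not explicitly allowed will be blocked.'
}
# Step 2: on the client, the Application Identity service must be running for enforcement.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```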

  • 42 thoughts on “Blocking built-in apps in Windows 10 using Applocker”

    1. Mike says:
      August 13, 2015 at 4:03 pm

      This is awesome! I’ve been fighting with trying to find some way of doing exactly this. I never thought of trying it this way, creating the AppLocker policy locally on a Windows 10 box. I had just resigned myself to waiting for RSAT.

      Very creative.

      Thanks

      Reply
    2. Pingback: Applocker: How to block built-in Apps | IT Consultant Everyday Notes
    3. Fred Max says:
      September 16, 2015 at 9:26 am

      Very helpful blog, I hoped this was the silver bullet as MS premier support pointed me to your solution as well.
      However, since putting in applocker to block customer contact, windows feedback and edge, the entire start menu and taskbar has stopped responding. Outside that issue it restricted or removed the apps as I’d hoped, has anyone else encountered this?

      Reply
    4. Maurice says:
      September 18, 2015 at 9:35 am

      Thanks for the write-up. I also have the rules working.
      Same issue happened to me as well. Applied the policy and now Start Menu, Edge, etc. cannot be used anymore.
      Anyone know if there is maybe a hotfix for this?

      Reply
      1. Jörgen Nilsson says:
        September 20, 2015 at 9:23 pm

        Interesting, did the user log on before the Applocker policy was applied or after for the first time and created the user profile?
        Regards,
        Jörgen

        Reply
    5. Maurice says:
      September 21, 2015 at 1:40 pm

      All user profiles already exist.
      After applying the AppLocker GPO, the clients rebooted and the problem occurs.
      Start button, Search icon, Edge icon (and maybe some other icons I did not check) are not responding when clicking on it.

      Reply
    6. Mark says:
      September 29, 2015 at 5:48 pm

      I followed your suggestions step by step but I can’t even get the group policy to take effect. I can still open the apps I was trying to block.

      Reply
    7. Juan says:
      October 17, 2015 at 6:07 pm

      Hello! Thanks for the guide, but I did everything in this guide and the app didn’t block.

      Can you explain to me what happened?
      SO: Windows Server 2012R2
      Client: Windows 8.1

      See you.

      Reply
    8. Juan says:
      October 19, 2015 at 9:50 pm

      Hello!!

      Mark, you need to know what version it’s running.

      AppLocker is only compatible with: Windows 7/8/8.1/10 – Enterprise or Ultimate edition. You need to upgrade to this version.

      😀

      Reply
    9. Pingback: RONNIPEDERSEN.COM Windows 10 Innovation Series, Pictures, Notes and Links - RONNIPEDERSEN.COM
    10. Tommy Stephansen says:
      November 27, 2015 at 10:07 am

      Same issue as Maurice. Applocker was applied to a Windows 10 computer while I was logged on. At first, all apps were blocked. After reboot, Start menu and all apps, right-clicking on shortcuts on the taskbar is disabled (no right-click menu shows).

      Reply
    11. Tommy Stephansen says:
      November 27, 2015 at 10:09 am

      Follow-up: After starting gpedit (or secpol.msc) and creating the default rules, and activating the packaged apps policy, as per your guide, the Start menu and apps were enabled again (without reboot).

      Reply
      1. Kamlesh says:
        February 27, 2019 at 3:45 am

        Hi Tommy,
        I have created default rules by clicking on “Create Default Rules” and activated the packaged app policy Enforce rules.
        After that, the Start menu is still not working after restart.
        Do you have any resolution for this problem?

        Reply
        1. Jörgen Nilsson says:
          March 1, 2019 at 3:47 pm

          Hi,
          No, I haven’t used this option since it was changed so the apps gave an error message when started instead of simply disappearing.
          Regards,
          Jörgen

          Reply
    12. Pingback: Windows 10 Start Menu - A Working Solution - Page 4
    13. Grossman says:
      January 24, 2016 at 7:41 pm

      Thank you for the very informative article, but what about Windows 10 Home users? I have found a solution and it seems to be working very well, there is a portable freeware “Edge Blocker v1.0”

      Here is the download Link:
      http://www.sordum.org/downloads/?st-edge-block

      Reply
      1. Timy gregor says:
        February 14, 2019 at 4:22 pm

        Hi Grossman, I have found a better solution on the same webpage, AskAdmin v1.6 is a Freemium portable application and capable of blocking all built-in apps and Microsoft Store, here is the link
        UWP (Store Apps) and Microsoft store

        Reply
    14. CWSEagle says:
      May 21, 2016 at 1:40 am

      This doesn’t work with Windows 10 Professional apparently, I must have tried this 25 times already.

      Reply
    15. cwseagle says:
      May 24, 2016 at 7:29 pm

      Though this is nice with Windows 10 enterprise, what about Windows 10 professional, is there a way to turn off the built in apps using a group policy or automated script that can be pushed through a GPO? Microsoft is making it very difficult for organizations without a mdm or enterprise editions.

      Reply
    16. binarylab says:
      July 23, 2016 at 8:29 pm

      @cwseagle

      You can remove them with powershell commands Get-AppxPackage and Remove-AppxPackage

      Get-AppxPackage *people* | Remove-AppxPackage
      The command above will remove People app.

      Reply
    17. Philipp says:
      August 10, 2016 at 2:30 pm

      Was anyone able to fix the issue concerning start button, search button and edge not working anymore?

      Reply
    18. Niki says:
      August 30, 2016 at 5:57 am

      A little bit complicated../ Mark, I will see it later! A question: Iobit Applock, LEO Privacy and applock… I had used them all, well prefer LEO Privacy better, are there any other applocks, would you recommend one and give your reason! Thanks!

      Reply
    19. ASC says:
      September 9, 2016 at 1:30 pm

      https://www.microsoft.com/en-gb/download/details.aspx?id=45520
      RSAT for Windows 10, But you must have the English US Language Pack installed
      It has been updated to support more language packs, but check first the link above “System Requirements”

      Reply
      1. Jörgen Nilsson says:
        September 13, 2016 at 11:26 pm

        Hi,
        Yea, it wasn’t available when I wrote the post… RSAT makes it much easier.
        /Jörgen

        Reply
    20. Tomas says:
      November 23, 2016 at 11:54 am

      Hi Jörgen,

      When I try this with Win10 1607 it seems that I get the app still visible in the start menu, but it never starts. Am I getting things wrong here, or is this not working in 1607?

      BR

      /Tomas

      Reply
      1. Jörgen Nilsson says:
        November 23, 2016 at 1:22 pm

        Hi,
        Which app is it? Should work just fine.

        /Jörgen

        Reply
    21. Tomas says:
      November 23, 2016 at 2:04 pm

      Tried “3DBuilder” and “Solitaire Collection”, both seem to remain in the start menu but will not start. Not starting is kind of good, but them remaining less good 🙂

      /T

      Reply
    22. Nalin says:
      February 2, 2017 at 4:48 pm

      Hi,

      Thanks for this. Trying to roll out w10 for teachers and students in our school (w10 1607 edu edition). After we did the build and deployed the image and during testing we found that any user can search for and run powershell and powershell ise. Using applocker we have stopped the ability to run powershell executables. They can still search for it and find it (which is really annoying). By the way this behaviour is not present in W7 and we have never needed to use applocker for this purpose. In w7 you can’t get search results if you search for powershell.

      We have a partial solution but why has MS allowed search of c:\windows? I will be grateful if someone can tell us a way to stop the search results.

      Thanks again.

      Reply
    23. eric says:
      February 4, 2017 at 11:24 pm

      Does anyone care to link to instructions how to do this with the now available RSAT?

      Reply
    24. Tom says:
      February 8, 2017 at 5:03 pm

      I don’t see Packaged app Rules? I have Windows Server 2008 R2.

      Reply
    25. Tom says:
      February 8, 2017 at 5:05 pm

      Without “?”. I don’t see Packaged app Rules in Applocker. I have Windows Server 2008 R2.

      Reply
    26. Klas says:
      April 3, 2017 at 10:30 am

      Hi Jörgen,

      I get the same results as Tomas did 4 months ago. Our DCs are running Windows Server 2012 R2 with the latest ADMX files and our clients are running Windows 10 build 1607.

      I’ve followed your instructions and the apps always show up in the start menu but they are blocked. When you click on a blocked app the “download/install indicator” activates and then nothing happens.

      The event log says that the application is blocked but it would be nice if it could work as per your guide. I’ve tried blocking notepad and it exhibits the same kind of behaviour.

      Could this perhaps be an issue with localization (clients in swedish and servers in english) or maybe something to do with the policy version?

      /Klas

      Reply
    27. Hauke says:
      May 8, 2017 at 4:22 pm

      Blocking Windows.ContactSupport with AppLocker is not working anymore in 1703… it’s blocked, syslog is saying app start was blocked – but it IS starting. 🙁

      Reply
      1. Jörgen Nilsson says:
        May 8, 2017 at 6:48 pm

        Hi,
        Yes, that is not possible in 1703, you need to use Remove-WindowsCapability in PowerShell:
        Remove-WindowsCapability -Online -Name App.Support.ContactSupport~~~~0.0.1.0

        or with Dism
        DISM /Online /Remove-Capability /CapabilityName:App.Support.ContactSupport~~~~0.0.1.0
        that will do it.
        Regards
        Jörgen

        Reply
    28. Patrick Mussell says:
      June 28, 2017 at 4:58 pm

      Thanks for this, I’ve gotten Applocker to block the applications – but (at least in 1703) the functionality you mention about new user profiles not even seeing the apps is not working. The behavior I’m seeing is that on the user profile that was preexisting, the icons are still there but users would see “administrator has blocked this application”. On a new user profile, the icons are still there, but clicking them turns them gray (no message), until a log out/log in at which point they are still there and once again illuminated. How do I enable the behavior of new users not even seeing the blocked applications?

      Reply
      1. Michael Gregory says:
        August 21, 2017 at 11:27 pm

        yeah same issue for us with 1703. This sucks M$, really making the life of sysadmins difficult…

        Reply
      2. Roy says:
        November 6, 2017 at 2:58 pm

        Yes, same issue. Missing the messagebox that the app is blocked. Only an icon, that does nothing. Unless you allow the app (gpupdate /force) and disable it again (gpupdate /force) the messagebox is back.

        Reply
    29. Sarfraz says:
      February 27, 2018 at 2:50 pm

      hi
      I have created local policy for edge, 3d Paint, but it is not working
      I have windows 10 enterprise(1709)…Please suggest.

      Reply
    30. Helper says:
      April 10, 2018 at 9:21 pm

      Make Sure AppID services is running, Windows Firewall Service is running. UI, MS Store and Packaged apps will not run if these are disabled.

      Reply
    31. Fix Windows Error 0xC1900208 says:
      March 19, 2019 at 9:53 am

      If there is any way to block Microsoft push apps that are downloaded via user after first logging into Windows 10 PRO version (not Enterprise), I know I can’t use GPO or Applocker in Professional version.

      Reply
    32. Chikaboo jones says:
      May 21, 2019 at 4:24 pm

      Works Well in Enterprise Environment

      Reply
    33. Pingback: 3 Ways To Remove Contact Support In Windows 10


    My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
    All code is provided "AS-IS" with no warranties.
