I wrote a blog post earlier about how to uninstall built-in apps from Windows 10 CBB using PowerShell (https://ccmexec.com/2015/08/removing-built-in-apps-from-windows-10-using-powershell/). However, some apps cannot be uninstalled, such as Microsoft Edge, Contact Support and Windows Feedback.
They can be blocked using AppLocker instead, which is the best workaround I have found. Blocking them with an AppLocker policy works really well: if the user has never logged on to the computer before the AppLocker policy is applied, the application (in this case Contact Support) is not installed for the user at all and therefore does not appear on Start or in search, which is really great!
If the user has logged on to the computer before the AppLocker policy is applied, the application is still present, but the user can no longer start it and gets a message instead.
So this method can be used instead of uninstalling the apps, as the end result for the end user is basically the same if they haven’t logged on to the computer before the policy is applied.
The challenge right now is that there is no RSAT for Windows 10 available yet, so creating the policy is a bit of a challenge. I ended up creating the AppLocker policy locally on a Windows 10 computer, exporting it, and then importing it on a Windows 2012 R2 server with the Group Policy Management MMC installed.
Here are the steps for creating a Group Policy to block Contact Support. The same steps can be used to block Microsoft Edge and Windows Feedback if that is a requirement for you as well.
1. Create a new Group Policy for this test.
2. Under Computer Configuration\Policies\Windows Settings\Security Settings\System Services, change the startup to Automatic for the Application Identity service. This service must be started for the AppLocker policies to be enforced on the client computers.
3. On a Windows 10 computer running the Enterprise version, start Group Policy Editor by typing Edit Group Policy in the taskbar search.
4. Under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker, right-click and select Properties, enable Packaged app Rules and select Enforce rules.
5. Then we need to create two Packaged app Rules: one default rule to allow all apps to run, and one rule to block the Contact Support app in this scenario.
6. Right-click Packaged app Rules and select Create Default Rules. This creates a rule that allows all signed apps to be executed. Note that this setting only applies to apps and not to Win32 applications.
7. Then create a new Packaged app Rule by right-clicking Packaged app Rules and selecting Create New Rule.
8. On the next screen, select Deny so that this app cannot be run by Everyone.
9. Then select Use an installed packaged app as a reference and click Select.
10. In the next dialog, select the apps you want to block, in my case the Contact Support app, then select OK and Create.
11. Now we have a policy created locally on the Windows 10 computer with the correct rules.
12. In the AppLocker node in Group Policy Editor, right-click and select Export Policy. Save the file on a share so you can access it from the computer where you are running the Group Policy Management MMC.
13. On the computer running the Group Policy Management MMC, edit the Group Policy we created in AD in step 1, and under AppLocker in the Group Policy Editor select Import Policy and import the policy exported from the Windows 10 computer.
14. You will be prompted that it will overwrite all existing policies.
Now we have a policy that can be deployed to Windows 10 that will block the Contact Support app!
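A check for the file exported in step 12, as an added example that is not part of the original post. Because the import in step 14 overwrites existing rules, and an enforced AppLocker rule collection blocks everything that no allow rule matches, it confirms the Packaged app collection still carries the allow-all default rule from step 6 next to the deny rule. The function name Test-AppxRuleCollection and the embedded sample XML are constructed for illustration.

```powershell
# Constructed sample of an exported policy, trimmed to the Appx collection.
# Ids and the publisher string are placeholders, not values from a real export.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="All signed packaged apps" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Block Contact Support" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=PLACEHOLDER" ProductName="Windows.ContactSupport" BinaryName="*" />
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Test-AppxRuleCollection {
    param([Parameter(Mandatory)][xml]$Policy)
    $appx = $Policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.GetAttribute('Type') -eq 'Appx' }
    if (-not $appx) { throw 'No Packaged app (Appx) rule collection in policy.' }
    $rules = @($appx.SelectNodes('FilePublisherRule'))
    # Default rule from step 6: Allow for Everyone (S-1-1-0), any publisher, any product.
    $allowAll = @($rules | Where-Object {
        $c = $_.SelectSingleNode('Conditions/FilePublisherCondition')
        $c -and $_.GetAttribute('Action') -eq 'Allow' -and
        $_.GetAttribute('UserOrGroupSid') -eq 'S-1-1-0' -and
        $c.GetAttribute('PublisherName') -eq '*' -and
        $c.GetAttribute('ProductName') -eq '*'
    })
    $deny = @($rules | Where-Object { $_.GetAttribute('Action') -eq 'Deny' } |
        ForEach-Object { $_.GetAttribute('Name') })
    [pscustomobject]@{
        EnforcementMode = $appx.GetAttribute('EnforcementMode')
        HasAllowAllRule = ($allowAll.Count -gt 0)
        DenyRules       = $deny
    }
}

# For a real export, pass: [xml](Get-Content -Raw <path to exported .xml>)
$result = Test-AppxRuleCollection -Policy $sample
if ($result.EnforcementMode -eq 'Enabled' -and -not $result.HasAllowAllRule) {
    Write-Warning 'Enforced Appx collection has no allow-all rule: packaged apps not explicitly allowed will be blocked.'
}
$result
```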
Time to start testing.
This is awesome! I’ve been fighting with trying to find some way of doing exactly this. I never thought of trying it this way, creating the AppLocker policy locally on a Windows 10 box. I had just resigned myself to waiting for RSAT.
Very creative.
Thanks
Very helpful blog, I hoped this was the silver bullet as MS premier support pointed me to your solution as well.
However, since putting in AppLocker to block customer contact, Windows Feedback and Edge, the entire Start menu and taskbar has stopped responding. Outside that issue it restricted or removed the apps as I’d hoped. Has anyone else encountered this?
Thanks for the write-up. I also have the rules working.
Same issue happened to me as well. Applied the policy and now Start Menu, Edge, etc. cannot be used anymore.
Anyone know if there is maybe a hotfix for this?
Interesting, did the user log on before the Applocker policy was applied or after for the first time and created the user profile?
Regards,
Jörgen
All user profiles already exist.
After applying the AppLocker GPO, the clients rebooted and the problem occurs.
Start button, Search icon, Edge icon (and maybe some other icons I did not check) are not responding when clicking on it.
I followed your suggestions step by step but I can’t even get the group policy to take effect. I can still open the apps I was trying to block.
Hello! Thanks for the guide, but I did everything in this guide and the app wasn’t blocked.
Can you explain to me what happened?
OS: Windows Server 2012R2
Client: Windows 8.1
See you.
Hello!!
Mark, you need to know what version it’s running.
AppLocker is only compatible with: Windows 7/8/8.1/10, Enterprise or Ultimate edition. You need to upgrade to this version.
😀
Same issue as Maurice. AppLocker was applied to a Windows 10 computer while I was logged on. At first, all apps were blocked. After reboot, the Start menu and all apps are disabled, and so is right-clicking on shortcuts on the taskbar (no right-click menu shows).
Follow-up: After starting gpedit (or secpol.msc) and creating the default rules, and activating the packaged apps policy, as per your guide, the Start menu and apps were enabled again (without reboot).
Hi Tommy,
I have created default rules by clicking on “Create Default Rules” and activated the packaged app policy with Enforce rules.
After that, the Start menu is still not working after restart.
Do you have any resolution for this problem?
Hi,
No, I haven’t used this option since it was changed so the apps gave an error message when started instead of simply disappearing.
Regards,
Jörgen
Thank you for the very informative article, but what about Windows 10 Home users? I have found a solution that seems to be working very well: there is a portable freeware “Edge Blocker v1.0”.
Here is the download Link:
http://www.sordum.org/downloads/?st-edge-block
Hi Grossman, I have found a better solution on the same webpage. AskAdmin v1.6 is a freemium portable application capable of blocking all built-in apps and the Microsoft Store. Here is the link:
UWP (Store Apps) and Microsoft store
This doesn’t work with Windows 10 Professional apparently. I must have tried this 25 times already.
Though this is nice with Windows 10 enterprise, what about Windows 10 professional, is there a way to turn off the built in apps using a group policy or automated script that can be pushed through a GPO? Microsoft is making it very difficult for organizations without a mdm or enterprise editions.
@cwseagle
You can remove them with powershell commands Get-AppxPackage and Remove-AppxPackage
Get-AppxPackage *people* | Remove-AppxPackage
The command above will remove People app.
Was anyone able to fix the issue concerning start button, search button and edge not working anymore?
A little bit complicated../ Mark, I will see it later! A question: Iobit Applock, LEO Privacy and applock… I had used them all, well prefer LEO Privacy better, are there any other applocks, would you recommend one and give your reason! Thanks!
https://www.microsoft.com/en-gb/download/details.aspx?id=45520
RSAT for Windows 10, But you must have the English US Language Pack installed
It has been updated to support more language packs, but first check “System Requirements” at the link above.
Hi,
Yea, it wasn’t available when I wrote the post… RSAT makes it much easier.
/Jörgen
Hi Jörgen,
When I try this with Win10 1607 it seems that the app is still visible in the Start menu, but it never starts. Am I getting things wrong here, or is this not working in 1607?
BR
/Tomas
Hi,
Which app is it? Should work just fine.
/Jörgen
Tried “3DBuilder” and “Solitaire Collection”; both seem to remain in the Start menu but will not start. Not starting is kind of good, but them remaining is less good 🙂
/T
Hi,
Thanks for this. We are trying to roll out W10 for teachers and students in our school (W10 1607 Edu edition). After we did the build and deployed the image, during testing we found that any user can search for and run PowerShell and PowerShell ISE. Using AppLocker we have stopped the ability to run the PowerShell executables. They can still search for it and find it (which is really annoying). By the way, this behaviour is not present in W7 and we have never needed to use AppLocker for this purpose. In W7 you can’t get search results if you search for PowerShell.
We have a partial solution, but why has MS allowed search of c:\windows? I will be grateful if someone can tell us a way to stop the search results.
Thanks again.
Does anyone care to link to instructions how to do this with the now available RSAT?
I don’t see Packaged app Rules? I have Windows Server 2008 R2.
Without “?”. I don’t see Packaged app Rules in Applocker. I have Windows Server 2008 R2.
Hi Jörgen,
I get the same results as Tomas did 4 months ago. Our DCs are running Windows Server 2012 R2 with the latest ADMX files and our clients are running Windows 10 build 1607.
I’ve followed your instructions and the apps always show up in the Start menu but they are blocked. When you click on a blocked app the “download/install indicator” activates and then nothing happens.
The event log says that the application is blocked but it would be nice if it could work as per your guide. I’ve tried blocking notepad and it exhibits the same kind of behaviour.
Could this perhaps be an issue with localization (clients in Swedish and servers in English) or maybe something to do with the policy version?
/Klas
Blocking Windows.ContactSupport with AppLocker is not working anymore in 1703… it’s blocked, syslog is saying app start was blocked – but it IS starting. 🙁
Hi,
Yes, that is not possible in 1703; you need to use Remove-WindowsCapability in PowerShell:
Remove-WindowsCapability -Online -Name App.Support.ContactSupport~~~~0.0.1.0
or with DISM:
DISM /Online /Remove-Capability /CapabilityName:App.Support.ContactSupport~~~~0.0.1.0
that will do it.
Regards
Jörgen
Thanks for this, I’ve gotten Applocker to block the applications – but (at least in 1703) the functionality you mention about new user profiles not even seeing the apps is not working. The behavior I’m seeing is that on the user profile that was preexisting, the icons are still there but users would see “administrator has blocked this application”. On a new user profile, the icons are still there, but clicking them turns them gray (no message), until a log out/log in at which point they are still there and once again illuminated. How do I enable the behavior of new users not even seeing the blocked applications?
yeah same issue for us with 1703. This sucks M$, really making the life of sysadmins difficult…
Yes, same issue. Missing the message box that the app is blocked. Only an icon that does nothing. Unless you allow the app (gpupdate /force) and disable it again (gpupdate /force) the message box is back.
hi
I have created a local policy for Edge and 3D Paint, but it is not working.
I have Windows 10 Enterprise (1709)… Please suggest.
Make sure the AppID service is running and the Windows Firewall service is running. UI, MS Store and packaged apps will not run if these are disabled.
If there is any way to block Microsoft push apps that are downloaded via user after first logging into Windows 10 PRO version (not Enterprise), I know I can’t use GPO or AppLocker in Professional version.
Works Well in Enterprise Environment