Blocking Built-in Applications With AppLocker
With the new world of Windows 10 and its never-ending stream of feature updates, Microsoft has introduced a new set of “built-in” applications. Some of these “applications” can be removed as part of an MDT or SCCM task sequence or manually from PowerShell. However, there are some applications which Microsoft does not allow to be uninstalled. Microsoft Edge is one, but there are others like the “Mixed Reality Portal” and “Mixed Reality Viewer”. The value of these applications for business workstations is questionable at best, but since Microsoft does not allow them to be removed how can users be prevented from running them?
The answer is AppLocker. AppLocker can be configured to block these built-in applications (known in AppLocker as “Packaged Apps”). To get started, open Group Policy and create a new policy. AppLocker rules are a computer policy, so you can disable user configuration settings, if you like.
Inside the policy, navigate to Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker and click on “Packaged app Rules”. The first thing that needs to be done is to create the Default Rules so that all non-managed packages are still allowed to run. You do this by right-clicking on “Packaged app Rules” and selecting “Create Default Rules”.
This will add a single rule called “(Default Rule) All signed packaged apps” with an action of “Allow”. Next, we need to create a rule to block the application you want to disallow (in our case the Mixed Reality Viewer). Right-click and select “Create New Rule…”. This brings up the “Create Packaged app Rules” dialog box as follows:
For Action, select “Deny”. For the user or group, you can select the user or group that should be prevented from running the application. We’ll use “Everyone” for this example. Next, you’ll be presented with a dialog box where you will specify the application to block. There are two options you can use when blocking an application. The first is to select an already installed packaged app as a reference.
This is the preferred method provided you are editing the group policy on a Windows Server 2016 machine. It can also work if you have the RSAT tools on a Windows 10 workstation, but be careful: some newer versions of Windows 10 with RSAT do not allow you to browse the installed packaged apps and instead crash the Group Policy editor.
So that leaves you finding an APPX for the application you want to block. As it turns out, Microsoft does not provide APPX files for each of its built-in applications; however, you can pick the APPX of another application you do have and modify the rule it produces.
From there you can modify the Publisher to “*” to match all publishers and then use the package name to block it from running. Set Package version to “*” as well so future updates don’t require a change to your policy. If you don’t know the package name, you can enable AppLocker in audit mode for packaged apps and then run the program you want to block. The name of the package will then appear in the Event Viewer under Applications and Services / Microsoft / Windows / AppLocker / Packaged app-Execution.
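The same rule set built from PowerShell, as an added example that is not part of the original post: it writes the “allow all signed packaged apps” default rule plus a Deny rule with Publisher and version wildcarded, dry-runs the policy against the installed package, and reads the audit log used to discover package names. The package name `Microsoft.Microsoft3DViewer` for the Mixed Reality Viewer is an assumption; confirm it from the audit events before deploying.

```powershell
# Added example (not from the original post). Builds the AppLocker packaged-app
# rules described above as policy XML and tests them before they go into a GPO.
param(
    [string]$PackageName = 'Microsoft.Microsoft3DViewer',      # assumed package name
    [string]$OutFile     = "$env:TEMP\Block-PackagedApp.xml",
    [ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly'   # audit first
)

$everyone = 'S-1-1-0'   # well-known SID for "Everyone"

# PublisherName "*" and an open version range match any signer and any update,
# so only the package name (ProductName) has to be right.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="$Mode">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
        Description="Allow everything not explicitly denied" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $PackageName"
        Description="Block a built-in app that cannot be uninstalled" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="$PackageName" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $OutFile -Value $policy -Encoding UTF8

# Dry run: what decision would this policy give Everyone for the installed package?
$installed = Get-AppxPackage -AllUsers -Name "$PackageName*"
if ($installed) {
    Test-AppLockerPolicy -XmlPolicy $OutFile -Packages $installed -User Everyone | Format-Table -AutoSize
} else {
    Write-Warning "$PackageName is not installed here; check the package name in the audit log."
}

# Package-name discovery: with the collection in AuditOnly mode, launching the app
# writes an event whose message names the package (same log as the Event Viewer path above).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

To trial the XML on one machine before importing it into the GPO, `Set-AppLockerPolicy -XmlPolicy $OutFile -Merge` applies it to local policy; AppLocker only evaluates rules while the Application Identity service (AppIDSvc) is running.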