Blocking Built-in Applications With AppLocker

With the new world of Windows 10 and its never-ending stream of feature updates, Microsoft has introduced a new set of “built-in” applications.  Some of these “applications” can be removed as part of an MDT or SCCM task sequence or manually from PowerShell.  However, there are some applications which Microsoft does not allow to be uninstalled.  Microsoft Edge is one, but there are others like the “Mixed Reality Portal” and “Mixed Reality Viewer”.  The value of these applications for business workstations is questionable at best, but since Microsoft does not allow them to be removed, how can users be prevented from running them?

The answer is AppLocker.  AppLocker can be configured to block these built-in applications (known in AppLocker as “Packaged Apps”).  To get started, open Group Policy and create a new policy.  AppLocker rules are a computer policy, so you can disable user configuration settings, if you like.

Inside the policy, navigate to Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker.  Click on “Packaged app Rules”.  The first thing that needs to be done is to create the Default Rules so that all non-managed packages are allowed to run.  You do this by right-clicking on “Packaged app Rules” and selecting “Create Default Rules”.

This will add a single rule called “(Default Rule) All signed packaged apps” with an action of “Allow”.  Next, we need to create a rule to block the application we want to disallow (in our case the Mixed Reality Viewer).  Right-click and select “Create New Rule…”.  This brings up the “Create Packaged app Rules” dialog box.

For Action, select “Deny”.  For the user or group, you can select the user or group that should be prevented from running the application.  We’ll use “Everyone” for this example.  Next, you’ll be presented with a dialog box where you will specify the application to block.  There are two options you can use when blocking an application.  The first is to select an already installed packaged app as a reference.

This is the preferred method provided you are running the group policy on a Windows 2016 Server.  It can also work if you have the RSAT tools on a Windows 10 workstation, but be careful.  Some newer versions of Windows 10 with RSAT do not allow you to browse the installed packaged apps and instead crash the group policy editor.

So that leaves you finding an APPX for the application you want to block.  As it turns out, Microsoft does not provide APPX files for each of its built-in applications.  However, you can use the APPX of another application you do have as the reference and then modify the rule.

From there you can modify the Publisher to “*” to match all publishers and then use the package name to block it from running.  Set Package version to “*” as well so future updates don’t require a change to your policy.  If you don’t know the package name, you can enable AppLocker in audit mode for packaged apps and then run the program you want to block.  The name of the package will then appear in the Event Viewer under Applications and Services / Microsoft / Windows / AppLocker / Packaged app-Execution.
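
The same workflow from PowerShell, as an added example that is not part of the original post: it lists the packaged-app audit events, builds a test policy with an allow-all rule plus a deny rule using Publisher “*” and version “*”, and checks which installed packages the policy would deny. The package name placeholder, the rule names and the output file name are assumptions; the generated policy is left in audit mode.

```powershell
# Added example. Run from an elevated Windows PowerShell prompt.
# $PackageName is a placeholder: replace it with the name shown in the audit log.
param([string]$PackageName = '<PackageNameFromAuditLog>')

# 1. Read recent packaged-app events; the message text contains the package name.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. Build one packaged-app rule: Publisher "*", any version, for Everyone (S-1-1-0).
function New-PackagedAppRule {
    param([string]$RuleName,
          [ValidateSet('Allow', 'Deny')][string]$Action,
          [string]$Product)
    $name = [System.Security.SecurityElement]::Escape($RuleName)
    $prod = [System.Security.SecurityElement]::Escape($Product)
    @"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="$prod" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

# Allow-all rule first, then the deny rule; a matching deny rule takes precedence.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
$(New-PackagedAppRule -RuleName 'Allow all signed packaged apps' -Action Allow -Product '*')
$(New-PackagedAppRule -RuleName "Deny $PackageName" -Action Deny -Product $PackageName)
  </RuleCollection>
</AppLockerPolicy>
"@
$path = Join-Path $env:TEMP 'appx-deny-test.xml'   # assumed file name
Set-Content -Path $path -Value $policy

# 3. Evaluate the policy against installed packages without applying it.
#    Only the package named above should be reported as denied.
Get-AppxPackage -AllUsers |
    Test-AppLockerPolicy -XmlPolicy $path -User Everyone |
    Where-Object { $_.PolicyDecision -like 'Denied*' } |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

If step 3 lists more packages than intended, the package name is too broad; correct it before the rule goes into the group policy.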

Todd is the Chief Technology Officer and has been working in the field of legal IT since the early 1990’s. In his role at Adaptive, Todd functions as our most senior systems engineer. He works closely with our customers on the proper design and scaling of back-end and front-end network upgrades, including both desktop and server virtualization, backup and DR, document management and best practices for ongoing service and support. Specialties: • Technology Strategy & Roadmap • Infrastructure Design & Optimization • Technology Needs Assessments • Disaster Recovery / Business Continuity • Virtualization Design & Implementation

1 Comment

  1. Mike on March 30, 2019 at 9:51 am

    I have been able to block the mixed reality portal but not the viewer. How did you do this?
