Block apps on Windows 10 or 11 devices with custom settings

1. Use an online GUID generator to get a random GUID. Tip: In a search engine, search for online GUID generator.
2. If you want to block a specific app, get the app information. If you want to block all apps with a certain file type, you can skip this step.
   1. On a Windows device, download the app executable file (the one that ends with .exe) that you want to block or allow.
   2. Open PowerShell.
   3. Run Get-AppLockerFileInformation -path PathToExe | format-list, where PathToExe is the path to the executable file.
   4. In the response, find and record the values in the Publisher line. The values have the following format and correspond to values you'll use in the XML:

      PublisherName\ProductName\BinaryName,BinaryVersion

      The publisher name is a long string, such as O=MICROSOFT CORPORATION, L=REDWOOD, S=WASHINGTON, C=US and you must include the whole string.

3. Copy the following XML into a text editor:

   <RuleCollection Type="Type" EnforcementMode="Enabled">
  <FilePublisherRule Id=GUID Name=PolicyName Description=PolicyDescription UserOrGroupSid=UserOrGroupSid Action=[Allow|Deny]>
     <Conditions>
       <FilePublisherCondition PublisherName=PublisherName BinaryName=BinaryName ProductName=ProductName>
         <BinaryVersionRange HighSection=latestVersion LowSection=earliestVersion />
       </FilePublisherCondition>
     </Conditions>
   </FilePublisherRule>
</RuleCollection>

4. Edit the XML to replace the placeholders with their values. For specific use cases, such as grouping multiple policies into one file, see the examples.

   Placeholder	Value
   Type	The app file type (must match the OMA-URI): For EXE files, enter "Exe" For MSI files, enter "Msi" For Script files, enter "Script" For DLL files, enter "Dll" For Microsoft Store apps, enter "Appx"
   GUID	The GUID you generated in step 1
   PolicyName	A name for the policy. You can use any string.
   PolicyDescription	A description of the policy
   UserOrGroupSid	The users or groups the policy applies to: To apply the policy to all users on the device, enter S-1-1-0. To apply the policy to a specific user, enter their SID. To get their SID, in the command line, run: wmic username get name,sid where username is the username of the user on the device. If you don't know the username, get a list of all users on the device by running: wmic useraccount get name,sid You can enter only one username. To apply the policy to more users, either put the users in a group, or copy the policy and update the name. To apply the policy to a specific group, enter its SID. To get the group SID, in the command line, run: wmic groupName get name,sid where groupName is the name of the group on the device. If you don't know the group's name, you can get a list of all groups on the device by running: wmic group get name,sid
   Allow|Deny	Select the action for this policy, whether it blocks or allows the specified apps
   PublisherName	The name of the app's publisher (PublisherName from step 2). You can use the * wildcard, but regular expression matching and prefix or suffix wildcards aren't supported.
   BinaryName	The filename of the binary (BinaryName from step 2). You can use the * wildcard, but regular expression matching and prefix or suffix wildcards aren't supported. For example, to block all EXE files, enter * and when you add the custom setting, select the OMA-URI that ends with /EXE/Policy.
   ProductName	The name of the product (ProductName from step 2). You can use the * wildcard, but regular expression matching and prefix or suffix wildcards aren't supported.
   latestVersion	The latest version number of the app that this policy applies to. To block all versions of the app, enter *.
   earliestVersion	The earliest version number of the app that this policy applies to. To block all versions of the app, enter *.

5. Save the file.

1. Follow the instructions in the "Generating the XML" section of this Microsoft article. Stop following the instructions when you get to the "Creating the Policy" section.

   Note: These instructions describe how to create a policy for an app that is installed on the device. To create a policy for an app that isn't installed on the device, in step 6, select Use a packaged app installer as a reference.

2. After you export the XML file, in Groups Policy editor, remove the policy you created. Otherwise, the policy is enforced on the device.

This policy allows users to install only signed apps, which also blocks users from installing unsigned apps with the file type specified in the OMA-URI.

To block all unsigned apps for all file types, add a custom setting for each file type and use the following XML for the value.

Note: In RuleCollection, Type must match the app file type. The value can be "Exe" for EXE files, "Msi" for MSI files, "Script" for Script files, "Dll" for DLL files, or "Appx" for StoreApps. In FilePublisherRule, replace GUID with a random GUID you get from an online GUID generator.

<RuleCollection Type="Type" EnforcementMode="Enabled">
  <FilePublisherRule Id=GUID Name="Allow all signed apps" Description="Allows all users to run signed apps" UserOrGroupSid="S-1-1-0" Action="Allow">
     <Conditions>
       <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">   
         <BinaryVersionRange LowSection="*" HighSection="*" />
       </FilePublisherCondition>
     </Conditions>
   </FilePublisherRule>      
</RuleCollection> 

To block apps, you must include a <FilePublisherRule> section that allows apps and <FilePublisherRule> blocks for each app you want to block.

The general format is:

<RuleCollection Type="Type" EnforcementMode="Enabled">
  <FilePublisherRule...>
    ...allow apps...
  </FilePublisherRule>
  <FilePublisherRule...>
    ...conditions for first app to block...
  </FilePublisherRule>
  <FilePublisherRule...>
    ...conditions for second app to block...
  </FilePublisherRule>
</RuleCollection>

Note: In RuleCollection, Type must match the app file type. The value can be "Exe" for EXE files, "Msi" for MSI files, "Script" for Script files, "Dll" for DLL files, or "Appx" for StoreApps. In FilePublisherRule, replace GUID with a random GUID you get from an online GUID generator.

For example, this policy blocks users from running both "App A" and "App B", which are EXE files:

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id=GUID Name="Allow all signed apps" Description="Allows all users to run signed apps" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
  <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id=GUID Name="Block app A" Description="Blocks app A for all users" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=Software Company, L=London, C=GB" ProductName="APPLICATION A" BinaryName="APPA.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" /> 
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id=GUID Name="Block app B" Description="Blocks app B for all users" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=Solarmora Inc, L=Mountain View, S=California, C=US" ProductName="APPLICATION B" BinaryName="APPB.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" /> 
      </FilePublisherCondition> 
    </Conditions>
 </FilePublisherRule>
</RuleCollection>