Block apps on Windows 10 or 11 devices with custom settings

This feature is available with Cloud Identity Premium edition. Compare editions 

When you manage Windows devices in your organization with Windows device management, you can restrict which apps are allowed on those devices by adding custom settings in the Google Admin console. You specify the apps in an XML file that you upload as the value of the custom setting. You can block individual apps or all app files that match a certain type, such as EXE or MSI files.

Step 1: Specify allowed and blocked apps in an XML file

To create the XML file, you can use the command line in PowerShell or the GUI in Windows Group Policy editor. These instructions show you how to build a single policy, but you can combine related policies for apps with the same file type in one XML file. See the examples.

Important: To block different types of app files (EXE, MSI, Script, StoreApps, and DLLs), you must create separate custom settings.

Option 1—Command line (PowerShell)
  1. Use an online GUID generator to get a random GUID. Tip: In a search engine, search for online GUID generator.
  2. If you want to block a specific app, get the app information. If you want to block all apps with a certain file type, you can skip this step.
    1. On a Windows device, download the app executable file (the one that ends with .exe) that you want to block or allow.
    2. Open PowerShell.
    3. Run Get-AppLockerFileInformation -Path PathToExe | Format-List, where PathToExe is the path to the executable file.
    4. In the response, find and record the values in the Publisher line. The values have the following format and correspond to values you'll use in the XML:

      PublisherName\ProductName\BinaryName,BinaryVersion

      The publisher name is a long string, such as O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US, and you must include the whole string.

  3. Copy the following XML into a text editor:

    <RuleCollection Type="Type" EnforcementMode="Enabled">
      <FilePublisherRule Id="GUID" Name="PolicyName" Description="PolicyDescription" UserOrGroupSid="UserOrGroupSid" Action="[Allow|Deny]">
        <Conditions>
          <FilePublisherCondition PublisherName="PublisherName" ProductName="ProductName" BinaryName="BinaryName">
            <BinaryVersionRange LowSection="earliestVersion" HighSection="latestVersion" />
          </FilePublisherCondition>
        </Conditions>
      </FilePublisherRule>
    </RuleCollection>

  4. Edit the XML to replace the placeholders with their values. For specific use cases, such as grouping multiple policies into one file, see the examples.
    Placeholders and their values:

    Type
      The app file type (must match the OMA-URI):
      • For EXE files, enter "Exe"
      • For MSI files, enter "Msi"
      • For Script files, enter "Script"
      • For DLL files, enter "Dll"
      • For Microsoft Store apps, enter "Appx"

    GUID
      The GUID you generated in step 1.

    PolicyName
      A name for the policy. You can use any string.

    PolicyDescription
      A description of the policy.

    UserOrGroupSid
      The users or groups the policy applies to:
      • To apply the policy to all users on the device, enter S-1-1-0.
      • To apply the policy to a specific user, enter their SID. To get their SID, in the command line, run:

        wmic useraccount where name="username" get name,sid

        where username is the username of the user on the device. If you don't know the username, get a list of all users on the device by running:

        wmic useraccount get name,sid

      • You can enter only one user. To apply the policy to more users, either put the users in a group, or copy the policy and update the SID.
      • To apply the policy to a specific group, enter its SID. To get the group SID, in the command line, run:

        wmic group where name="groupName" get name,sid

        where groupName is the name of the group on the device. If you don't know the group's name, you can get a list of all groups on the device by running:

        wmic group get name,sid

    Allow|Deny
      The action for this policy: whether it blocks (Deny) or allows (Allow) the specified apps.

    PublisherName
      The name of the app's publisher (PublisherName from step 2). You can use the * wildcard, but regular expression matching and prefix or suffix wildcards aren't supported.

    BinaryName
      The filename of the binary (BinaryName from step 2). You can use the * wildcard, but regular expression matching and prefix or suffix wildcards aren't supported.
      For example, to block all EXE files, enter * and, when you add the custom setting, select the OMA-URI that ends with /EXE/Policy.

    ProductName
      The name of the product (ProductName from step 2). You can use the * wildcard, but regular expression matching and prefix or suffix wildcards aren't supported.

    latestVersion
      The latest version number of the app that this policy applies to. To block all versions of the app, enter *.

    earliestVersion
      The earliest version number of the app that this policy applies to. To block all versions of the app, enter *.
  5. Save the file.
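
The following script is an added example, not code from the Google Help page or from Microsoft: it carries out steps 1 to 5 of Option 1 in one run, using the AppLocker PowerShell module that ships with Windows. It generalizes the single-rule template above to any number of apps, which is the "Block specific apps" layout shown in the examples later on this page. Assumed inputs are the paths of one or more signed executables to block, the output path, and optionally a local user name; everything else is read from the device with Get-AppLockerFileInformation.

```powershell
# Added example (not from the Google Help page): build one AppLocker RuleCollection
# that allows all signed apps and denies the listed executables for the chosen SID.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]] $PathToExe,                 # app(s) to block (step 2)
    [string] $OutFile = (Join-Path $PWD 'block-apps.xml'),        # step 5 output
    [string] $UserName,                                           # optional: one local user instead of Everyone
    [ValidateSet('Exe','Msi','Script','Dll','Appx')] [string] $Type = 'Exe'   # must match the OMA-URI
)

# Step 1: a fresh GUID for every rule; each rule Id must be unique.
function New-RuleId { [guid]::NewGuid().ToString() }

# UserOrGroupSid: S-1-1-0 is Everyone. Otherwise resolve the local user's SID
# with Get-LocalUser, which also works on systems where wmic is not available.
$sid = 'S-1-1-0'
if ($UserName) { $sid = (Get-LocalUser -Name $UserName -ErrorAction Stop).SID.Value }

# Step 2: read PublisherName\ProductName\BinaryName from each signed binary.
$targets = @(foreach ($p in $PathToExe) {
    $info = Get-AppLockerFileInformation -Path $p
    if (-not $info.Publisher) { throw "$p has no valid signature; a FilePublisherRule cannot match it." }
    $info.Publisher          # exposes PublisherName, ProductName, BinaryName, BinaryVersion
})

# Steps 3-4: emit the XML with XmlWriter so every attribute value is quoted and escaped
# (publisher strings contain commas and may contain characters such as & or ").
function New-RuleCollectionXml {
    param([string] $Type, [string] $Sid, [object[]] $Publishers)
    $sb = New-Object System.Text.StringBuilder
    $settings = New-Object System.Xml.XmlWriterSettings -Property @{ Indent = $true; OmitXmlDeclaration = $true }
    $w = [System.Xml.XmlWriter]::Create($sb, $settings)

    # One <FilePublisherRule> with a single <FilePublisherCondition> covering all versions.
    $writeRule = {
        param($Name, $Description, $Action, $PublisherName, $ProductName, $BinaryName)
        $w.WriteStartElement('FilePublisherRule')
        $w.WriteAttributeString('Id', (New-RuleId))
        $w.WriteAttributeString('Name', $Name)
        $w.WriteAttributeString('Description', $Description)
        $w.WriteAttributeString('UserOrGroupSid', $Sid)
        $w.WriteAttributeString('Action', $Action)
        $w.WriteStartElement('Conditions')
        $w.WriteStartElement('FilePublisherCondition')
        $w.WriteAttributeString('PublisherName', $PublisherName)
        $w.WriteAttributeString('ProductName', $ProductName)
        $w.WriteAttributeString('BinaryName', $BinaryName)
        $w.WriteStartElement('BinaryVersionRange')
        $w.WriteAttributeString('LowSection', '*')      # earliest version: all
        $w.WriteAttributeString('HighSection', '*')     # latest version: all
        $w.WriteEndElement()   # BinaryVersionRange
        $w.WriteEndElement()   # FilePublisherCondition
        $w.WriteEndElement()   # Conditions
        $w.WriteEndElement()   # FilePublisherRule
    }

    $w.WriteStartElement('RuleCollection')
    $w.WriteAttributeString('Type', $Type)
    $w.WriteAttributeString('EnforcementMode', 'Enabled')
    # The Allow rule is required: an enforced collection denies any file that no rule allows.
    & $writeRule 'Allow all signed apps' 'Allows all users to run signed apps' 'Allow' '*' '*' '*'
    foreach ($pub in $Publishers) {
        & $writeRule "Block $($pub.BinaryName)" "Blocks $($pub.ProductName) for the selected users" 'Deny' `
                     $pub.PublisherName $pub.ProductName $pub.BinaryName
    }
    $w.WriteEndElement()       # RuleCollection
    $w.Flush(); $w.Close()
    $sb.ToString()
}

$xml = New-RuleCollectionXml -Type $Type -Sid $sid -Publishers $targets
# Step 5: save the file; the Admin console reads it as the String (XML) value of the custom setting.
Set-Content -Path $OutFile -Value $xml -Encoding UTF8
Write-Host "Wrote $OutFile with $($targets.Count + 1) rule(s) for $sid"
```

Run it on the device where the apps are installed, for example `.\New-BlockPolicy.ps1 -PathToExe 'C:\Apps\AppA.exe','C:\Apps\AppB.exe'` (script name and paths are placeholders). Using XmlWriter rather than string concatenation is deliberate: publisher strings copied by hand are the most common source of an XML file the Admin console rejects, and the writer escapes them for you.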

Option 2—GUI (Windows Group Policy Editor)
  1. Follow the instructions in the "Generating the XML" section of this Microsoft article. Stop following the instructions when you get to the "Creating the Policy" section.

    Note: These instructions describe how to create a policy for an app that is installed on the device. To create a policy for an app that isn't installed on the device, in step 6, select Use a packaged app installer as a reference.

  2. After you export the XML file, in Group Policy Editor, remove the policy you created. Otherwise, the policy is enforced on the device.

Step 2: Add the custom setting

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Mobile and endpoints > Settings > Windows.
  3. Click Custom settings.
  4. Click Add a custom setting.
  5. Configure the custom setting:
    1. In the OMA-URI field, enter ApplicationLaunchRestriction and select the OMA-URI that corresponds to the file type of the app in the policy:
      • For EXE files, select ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/EXE/Policy
      • For apps available in Microsoft Store, select ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/AppStore/Policy
      • For MSI files, select ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/MSI/Policy
      • For PowerShell scripts, select ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/Script/Policy
      • For DLL files, select ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/DLL/Policy

      For more information, see the Microsoft AppLocker CSP documentation.

    2. In the OMA-URI, replace <Enter Grouping> with a random alphanumeric string that is unique for each custom setting. For example, if you add one custom setting to block EXE files and another setting to block MSI files, use a different value for each custom setting.
    3. When you select the OMA-URI, the Name field updates to "Policy". Enter a unique name to help you identify it in the list of custom settings.
    4. For Data type, select String (XML), click Upload XML, and select the XML configuration file you created in the first section.
    5. (Optional) Enter a description that describes the action of the custom setting and who it applies to.
  6. Click Next to continue and select the organizational unit the custom setting applies to, or click Add another to start another custom setting. Additional custom settings are not applied to an organizational unit until you click Next and select the organizational unit.
  7. Choose the organizational unit to apply the policy to.
  8. Click Apply.

If a user in the organizational unit tries to install or open a blocked app on their Windows device, they get an error message that the app was blocked by their system administrator.

Example XML files

Allow only signed apps (Block all unsigned apps)

This policy allows users to run or install only signed apps of the file type specified in the OMA-URI. Because an enforced rule collection denies any file that no rule allows, unsigned apps of that file type are blocked.

To block all unsigned apps for all file types, add a custom setting for each file type and use the following XML for the value.

Note: In RuleCollection, Type must match the app file type. The value can be "Exe" for EXE files, "Msi" for MSI files, "Script" for Script files, "Dll" for DLL files, or "Appx" for StoreApps. In FilePublisherRule, replace GUID with a random GUID you get from an online GUID generator.

<RuleCollection Type="Type" EnforcementMode="Enabled">
  <FilePublisherRule Id="GUID" Name="Allow all signed apps" Description="Allows all users to run signed apps" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Block specific apps

To block apps, you must include one <FilePublisherRule> that allows apps, followed by one <FilePublisherRule> for each app you want to block. The allow rule is required because an enforced rule collection denies any file that no rule allows; without it, the deny rules would block every app of that file type, not just the listed ones.

The general format is:

<RuleCollection Type="Type" EnforcementMode="Enabled">
  <FilePublisherRule ...>
    ...allow apps...
  </FilePublisherRule>
  <FilePublisherRule ...>
    ...conditions for first app to block...
  </FilePublisherRule>
  <FilePublisherRule ...>
    ...conditions for second app to block...
  </FilePublisherRule>
</RuleCollection>


Note: In RuleCollection, Type must match the app file type. The value can be "Exe" for EXE files, "Msi" for MSI files, "Script" for Script files, "Dll" for DLL files, or "Appx" for StoreApps. In each FilePublisherRule, replace GUID with its own random GUID from an online GUID generator; every rule Id must be different.

For example, this policy blocks users from running both "App A" and "App B", which are EXE files:

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="GUID" Name="Allow all signed apps" Description="Allows all users to run signed apps" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="GUID" Name="Block app A" Description="Blocks app A for all users" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=Software Company, L=London, C=GB" ProductName="APPLICATION A" BinaryName="APPA.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="GUID" Name="Block app B" Description="Blocks app B for all users" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=Solarmora Inc, L=Mountain View, S=California, C=US" ProductName="APPLICATION B" BinaryName="APPB.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>

Block apps that are bundled in the Windows operating system

This sample, based on the example in the Microsoft documentation, blocks users from using Windows Mail. Before you use it, replace each GUID with its own random GUID from an online GUID generator.

Note: This app is a Microsoft Store app, so the OMA-URI must be ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Enter Grouping>/AppStore/Policy.

<RuleCollection Type="Appx" EnforcementMode="Enabled">
  <FilePublisherRule Id="GUID" Name="Allow all signed apps" Description="Allows all users to run signed apps" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="GUID" Name="Block Windows Mail" Description="Blocks all users from using Windows Mail" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
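
The script below is an added example, not code from the Google Help page or from Microsoft. It checks a finished RuleCollection file, such as one of the samples above with the GUID placeholders filled in, before it is uploaded as a custom setting: well-formed XML, a Type that matches the OMA-URI it will be uploaded under, a distinct GUID in every rule Id, valid Action and SID values, and the presence of an allow rule alongside any deny rules. It then asks AppLocker what it would decide for a given local file, without applying anything to the device. Assumed inputs are the XML path, the OMA-URI segment (EXE, AppStore, MSI, Script or DLL), and optionally a file and user to test.

```powershell
# Added example (not from the Google Help page): lint a RuleCollection XML file and
# dry-run it with Test-AppLockerPolicy before uploading it to the Admin console.
param(
    [Parameter(Mandatory)] [string] $XmlPath,
    [Parameter(Mandatory)] [ValidateSet('EXE','AppStore','MSI','Script','DLL')] [string] $OmaUriSegment,
    [string] $TestFile,                 # optional: a local file to evaluate against the policy
    [string] $TestUser = 'Everyone'     # user or SID to evaluate as
)

# RuleCollection Type required for each OMA-URI segment (from the tables above).
$typeForSegment = @{ EXE = 'Exe'; AppStore = 'Appx'; MSI = 'Msi'; Script = 'Script'; DLL = 'Dll' }

function Test-RuleCollectionFile {
    param([string] $Path, [string] $ExpectedType)
    $problems = New-Object System.Collections.Generic.List[string]
    try { [xml] $doc = Get-Content -Path $Path -Raw }
    catch { return @("Not well-formed XML: $($_.Exception.Message)") }

    $rc = $doc.DocumentElement
    if ($rc.LocalName -ne 'RuleCollection') { return @("Root element is <$($rc.LocalName)>, expected <RuleCollection>") }
    if ($rc.GetAttribute('Type') -ne $ExpectedType) {
        $problems.Add("Type='$($rc.GetAttribute('Type'))' but the $OmaUriSegment OMA-URI needs '$ExpectedType'")
    }
    if ($rc.GetAttribute('EnforcementMode') -ne 'Enabled') {
        $problems.Add("EnforcementMode='$($rc.GetAttribute('EnforcementMode'))': the rules would not be enforced")
    }

    $rules = @($rc.SelectNodes('FilePublisherRule'))
    if (-not $rules.Count) { $problems.Add('No <FilePublisherRule> elements found') }
    $seenIds = @{}
    $actions = @()
    $parsed = [guid]::Empty
    foreach ($r in $rules) {
        $name = $r.GetAttribute('Name'); $id = $r.GetAttribute('Id')
        # Each rule Id must be a real, distinct GUID; a leftover "GUID" placeholder fails here.
        if (-not [guid]::TryParse($id, [ref] $parsed)) { $problems.Add("Rule '$name': Id '$id' is not a GUID") }
        elseif ($seenIds.ContainsKey($id))           { $problems.Add("Rule '$name': Id $id is reused; each rule needs its own GUID") }
        $seenIds[$id] = $true
        $action = $r.GetAttribute('Action'); $actions += $action
        if ($action -notin @('Allow','Deny')) { $problems.Add("Rule '$name': Action must be Allow or Deny, not '$action'") }
        if ($r.GetAttribute('UserOrGroupSid') -notmatch '^S-1-') { $problems.Add("Rule '$name': UserOrGroupSid is not a SID") }
        if (-not $r.SelectSingleNode('Conditions/FilePublisherCondition/BinaryVersionRange')) {
            $problems.Add("Rule '$name': missing Conditions/FilePublisherCondition/BinaryVersionRange")
        }
    }
    # An enforced collection denies anything no rule allows, so deny-only files block everything.
    if ($actions -contains 'Deny' -and $actions -notcontains 'Allow') {
        $problems.Add('Deny rules without any Allow rule: every app of this file type would be blocked')
    }
    return $problems.ToArray()
}

$issues = Test-RuleCollectionFile -Path $XmlPath -ExpectedType $typeForSegment[$OmaUriSegment]
if ($issues.Count) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$XmlPath passes the structural checks for the $OmaUriSegment OMA-URI" }

# Dry run: Test-AppLockerPolicy evaluates a complete policy, so wrap the collection in the
# <AppLockerPolicy> envelope in a temporary file. Nothing is applied to the device.
if ($TestFile -and -not $issues.Count) {
    $tmp = Join-Path $env:TEMP 'applocker-dryrun.xml'
    $inner = Get-Content -Path $XmlPath -Raw
    Set-Content -Path $tmp -Value "<AppLockerPolicy Version=`"1`">$inner</AppLockerPolicy>" -Encoding UTF8
    Test-AppLockerPolicy -XmlPolicy $tmp -Path $TestFile -User $TestUser |
        Format-List FilePath, PolicyDecision, MatchingRule
    Remove-Item -Path $tmp
}
```

For the "Block app A and app B" sample above, a run such as `.\Test-BlockPolicy.ps1 -XmlPath .\block-apps.xml -OmaUriSegment EXE -TestFile 'C:\Apps\AppA.exe'` (script name and paths are placeholders) should report no structural issues and a PolicyDecision of Denied with the "Block app A" rule as MatchingRule, while a signed file that matches no deny rule should come back Allowed through the "Allow all signed apps" rule. Checking locally first avoids pushing a policy to an organizational unit only to discover that a leftover placeholder or a mismatched Type makes it do nothing, or that a missing allow rule makes it block everything.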
