How to Use AppLocker to Allow or Block Script Files from Running in Windows 10

As an admin, it’s important to have the tools to control the apps and files users can run. In a day-to-day work environment there are many applications and file types that employees don’t need but that present a significant risk. One example of this is scripts. As a result, today we’ll be showing you how to use AppLocker to block script files from running in Windows 10.

What is AppLocker?

AppLocker is a built-in tool for Windows 10 Enterprise and Education that lets IT professionals define the apps and file types users can or cannot run. It provides a simple interface to block an application from running based on a series of rules.


How to use AppLocker to block a script

To block a script file with Windows 10 AppLocker, you must define a new rule to deny it for a user or group. You can, for example, block scripts for all general users, but allow them for admins. Here’s how you can configure AppLocker to do so in Windows 10:

How to Configure AppLocker to Allow or Block Script Files from Running in Windows 10

Before we start adding rules, we need to make sure the Application Identity service is enabled and set to start automatically. Without this service, AppLocker cannot enforce any rules you define and is essentially useless. Here’s how you can enable it and then block scripts using Windows 10 AppLocker:

  1. Open Command Prompt as an admin
     

    Press the Start button and type “Command Prompt”, then click “Run as administrator” on the right-hand side.


  2. Run the sc config command
     

    To ensure the application identity service is running and set to automatic, you can run the following command:

    sc config "AppIDSvc" start=auto & net start "AppIDSvc"


  3. Open the Local Security Policy app
     

    Press Start and then type “secpol.msc”. Click the top result.


  4. Configure AppLocker rule enforcement via the Application Control Policies Folder
     

    Specifically, you’ll find the option by expanding the “Application Control Policies” folder in the sidebar, clicking on “AppLocker” below it, then pressing “Configure rule enforcement” in the main pane.


  5. In the AppLocker Properties window, tick “Script rules > Configured” and press “OK”
     

     


  6. Create new default rules for your scripts
     

    Back in the main Local Security Policy app, expand “AppLocker” in your sidebar, right-click “Script Rules”, and select “Create Default Rules”.


  7. Check for the default rules in your main pane
     

    There should be three allow rules: All scripts located in the Windows folder, All Scripts located in the Program Files folder, and All Scripts (for admin users).


  8. Create a new script rule
     

    To create a new rule, right-click the “Script Rules” icon again and click “Create New Rule…”.


  9. Press “Next” on the “Before You Begin” screen
     

     


  10. Specify a user or group by clicking “Select…”
     

    Alternatively, you can leave it as it is to apply the rule to everyone and skip the next few steps.


  11. Click “Advanced…” in the “Select User or Group” window
     


  12. Press “Find Now” to return a list of users and groups
     

     


  13. Select your user or group and press “OK”
     

     


  14. Press “OK” again
     

     


  15. Select “Allow” or “Deny” under the “Action:” heading and press “Next”
     

    Which you choose will naturally depend on the user or group you have selected and your purpose.


  16. Select “Path” and press “Next”
     

     


  17. Click on “Browse Files…” to block a specific script
     

     


  18. Choose .ps1, .bat, .cmd, .vbs, or .js from the file type dropdown
     

     


  19. Navigate to the script you want to block and press “Open”
     

     


  20. OR: Click “Browse Folders…” to block all scripts in a folder
     

     


  21. Select your folder from the list and press “OK”
     

     


  22. Click “Next” in the wizard
     

     


  23. Add an exception or click “Next” on the exceptions screen
     

     


  24. Enter an identifying name and description and press “Create”
     

     


  25. View and test your new rules in the “Script Rules” folder
     

    You can repeat this process as many times as you like to add rules for new user groups and different scripts to further lock down your security. Once you’re done, you can close the Local Security Policy window.
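
To test the rules from step 25 without logging in as each affected user, you can query AppLocker from an elevated PowerShell session. This is an added example, not part of the original guide; `$ScriptPath` and `$TestUser` are placeholder values you must replace with a script your rule targets and an account it applies to.

```powershell
# Added example: verify AppLocker script rules after creating them in secpol.msc.
$ScriptPath = 'C:\Scripts\blocked-example.ps1'   # hypothetical script path
$TestUser   = "$env:COMPUTERNAME\StandardUser"   # hypothetical local account

# 1. AppLocker enforces nothing unless the Application Identity service is running.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); rules are not being enforced."
}

# 2. Read the effective policy (local plus any GPO) and inspect the Script collection.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$scriptRules = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Script' }
if (-not $scriptRules) {
    Write-Warning 'No Script rule collection found in the effective policy.'
} else {
    # "Enabled" blocks denied scripts; "AuditOnly" only logs what would be blocked.
    "Script rule enforcement mode: $($scriptRules.EnforcementMode)"
    # List the path rules (the three defaults plus the ones you created).
    $scriptRules.FilePathRule |
        Select-Object Name, Action, UserOrGroupSid,
            @{ n = 'Path'; e = { $_.Conditions.FilePathCondition.Path } } |
        Format-Table -AutoSize
}

# 3. Ask AppLocker how it would treat the script for the test user.
#    PolicyDecision should read Denied, with MatchingRule naming your rule.
if (Test-Path -LiteralPath $ScriptPath) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $ScriptPath -User $TestUser |
        Select-Object FilePath, PolicyDecision, MatchingRule
} else {
    Write-Warning "$ScriptPath not found; nothing to evaluate."
}

# 4. After the test user tries to run the script, review the AppLocker log.
#    8007 = script or MSI blocked, 8006 = would have been blocked (audit only).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
        Id      = 8006, 8007
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A result of `DeniedByDefault` instead of `Denied` means no rule matched the file and it is blocked only because nothing allows it, so check the rule's path and the selected user or group.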


How to Enable/Disable PowerShell Scripts via Execution Policy or Disable PowerShell Entirely

With that, you should have a good idea of how you can block a script using AppLocker for Windows 10. You can now take this knowledge and apply it to many other policies in AppLocker, from software restrictions to the executables users can run.

If you want an alternate method to enable or disable PowerShell scripts, however, you may want to check our PowerShell Execution Policy guide. Alternatively, you can learn how to disable PowerShell in Windows 10 entirely using a group policy.
