As an admin, it’s important to have the tools to control the apps and files users can run. The truth is that in a day-to-day work environment there are many applications and file types that employees don’t need, but present a significant risk. One example of this is scripts. As a result, today we’ll be showing you how to use AppLocker to block script files from running in Windows 10.
What is AppLocker?
AppLocker is a built-in application control feature of Windows 10 Enterprise and Education that lets IT professionals define which apps and file types users can or cannot run. Rules are grouped into collections (executables, Windows Installer files, scripts, packaged apps, and DLLs), each rule applies to a user or group, allows or denies, and identifies files by their publisher signature, their hash, or their path. The Local Security Policy console provides a simple wizard for creating these rules.
How to use AppLocker to block a script
To block a script file with AppLocker in Windows 10, you define a new script rule that denies it for a user or group. You can, for example, deny scripts for all general users while the default rules still allow them for administrators. Here’s how to configure AppLocker to do so in Windows 10:
How to Configure AppLocker to Allow or Block Script Files from Running in Windows 10
Before we start adding rules, we need to make sure the Application Identity service (AppIDSvc) is running and set to start automatically. AppLocker relies on this service to identify the files it evaluates; without it, none of the rules you define are enforced, which makes the policy essentially useless. On Windows 10 it is a protected service, so the Services console will not let you change its startup type; use sc.exe from an elevated prompt instead. Here’s how to enable it and then block scripts with AppLocker in Windows 10:
- Open Command Prompt as an admin
Press the Start button and type “Command Prompt”, then click “Run as administrator” on the right-hand side.
- Run the sc config command
To set the Application Identity service to start automatically and start it right away, run the following command (the first part changes the startup type, the second starts the service now). If you are in PowerShell rather than Command Prompt, type sc.exe instead of sc, because sc is a PowerShell alias for Set-Content:
sc config "AppIDSvc" start=auto & net start "AppIDSvc"
- Open the Local Security Policy app
Press Start and then type “secpol.msc”. Click the top result.
- Configure AppLocker rule enforcement via the Application Control Policies Folder
Specifically, you’ll find the option by expanding the “Application Control Policies” folder in the sidebar, clicking on “AppLocker” below it, then pressing “Configure rule enforcement” in the main pane.
- In the AppLocker Properties window, under “Script rules”, tick “Configured”, choose “Enforce rules” (or “Audit only”, which logs what would have been blocked without blocking anything and is the safer choice for a first rollout), and press “OK”
- Create new default rules for your scripts
Back in the main Local Security Policy app, expand “AppLocker” in your sidebar, right-click “Script Rules”, and select “Create Default Rules”. Do this before adding any deny rule: once at least one script rule is enforced, AppLocker blocks every script that is not explicitly allowed, so without the default allow rules you would also block the scripts Windows itself and your administrators depend on.
- Check for the default rules in your main pane
There should be three allow rules: “(Default Rule) All scripts located in the Windows folder” and “(Default Rule) All scripts located in the Program Files folder”, both for Everyone, and “(Default Rule) All scripts” for BUILTIN\Administrators. Be aware that the Windows folder rule also covers subfolders a standard user can write to, such as C:\Windows\Tasks and C:\Windows\Temp; add exceptions for those paths if that matters in your environment.
- Create a new script rule
To create a new rule, right-click the “Script Rules” icon again and click “Create New Rule…”.
- Press “Next” on the “Before You Begin screen”
- Specify a user or group by clicking “Select…”
Alternatively, you can leave it as it is to apply the rule to everyone and skip the next few steps.
- Click “Advanced…” in the “Select User or Group” window
- Press “Find Now” to return a list of users and groups
- Select your user or group and press “OK”
- Press “OK” again
- Select “Allow” or “Deny” under the “Action:” heading and press “Next”
Which you choose depends on the user or group you selected and your purpose. Where an allow rule and a deny rule both match the same script for the same user, the deny rule wins.
- Select “Path” and press “Next”
A path rule only checks where a script is run from, so it will not stop a user who can copy the script to a location that is allowed. “Publisher” and “File hash” rules tie the rule to the file itself and are harder to sidestep; we use a path rule here because it is the simplest to set up for a folder.
- Click on “Browse Files…” to block a specific script
- Choose .ps1, .bat, .cmd, .vbs, or .js from the file type dropdown
- Navigate to the script you want to block and press “Open”
- OR: Click “Browse Folders…” to block all scripts in a folder
- Select your folder from the list and press “OK”
- Click “Next” in the wizard
- Add an exception or click “Next” on the exceptions screen
- Enter an identifying name and description and press “Create”
- View and test your new rules in the “Script Rules” folder
Sign in as a member of the group you targeted and try to run the script. With “Enforce rules” it should fail to start; with “Audit only” it runs, but the attempt is logged. In both modes AppLocker records its decision in Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker > MSI and Script: event 8005 for an allowed script, 8006 for a script that would have been blocked in audit mode, and 8007 for a blocked script.
You can repeat this process as many times as you like to add rules for other groups and other scripts to further lock down your environment. Once you’re done, you can close the Local Security Policy window.
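The same procedure can be scripted, which is useful when you need to roll the policy out to more than one machine or keep it in version control. The following is an added example, not code from the original article: it enables the Application Identity service, builds the three default allow rules plus one deny path rule in AppLocker’s policy XML format, dry-runs the policy with Test-AppLockerPolicy against two constructed sample scripts, and then merges it into the local policy in Audit only mode. The folder C:\Scripts\Untrusted and the group BUILTIN\Users are placeholders; change them to match your environment (group names containing & or < would need XML escaping).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Equivalent of the wizard steps above:
# three default allow rules plus one deny path rule, tested offline, applied in audit mode.
# Placeholders (assumptions): the denied folder and the target group below.

# 1. Application Identity service must be Automatic and running, or nothing is enforced.
#    sc.exe, not sc: in PowerShell "sc" is an alias for Set-Content.
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Principals. AppLocker stores rules by SID, so resolve the group name to its SID.
$denyGroup  = 'BUILTIN\Users'                 # placeholder group to deny
$denySid    = (New-Object System.Security.Principal.NTAccount($denyGroup)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
$everyone   = 'S-1-1-0'                       # Everyone
$adminSid   = 'S-1-5-32-544'                  # BUILTIN\Administrators
$blockedDir = 'C:\Scripts\Untrusted'          # placeholder folder to deny

# One FilePathRule element in AppLocker's policy XML schema.
function New-PathRuleXml {
    param([string]$Name, [string]$Sid, [string]$Action, [string]$Path)
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# 3. The Script rule collection. AuditOnly logs what would be blocked without blocking;
#    change it to "Enabled" once the audit events show only the denials you expect.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-PathRuleXml -Name '(Default Rule) All scripts located in the Windows folder' -Sid $everyone -Action Allow -Path '%WINDIR%\*')
$(New-PathRuleXml -Name '(Default Rule) All scripts located in the Program Files folder' -Sid $everyone -Action Allow -Path '%PROGRAMFILES%\*')
$(New-PathRuleXml -Name '(Default Rule) All scripts' -Sid $adminSid -Action Allow -Path '*')
$(New-PathRuleXml -Name "Deny scripts under $blockedDir for $denyGroup" -Sid $denySid -Action Deny -Path "$blockedDir\*")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-script-rules.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# 4. Dry run before touching the live policy, against two constructed sample scripts:
#    one inside the denied folder, one in a user-writable folder that no allow rule covers.
$denied   = Join-Path $blockedDir 'hello.ps1'
$unlisted = Join-Path $env:TEMP 'hello.ps1'
foreach ($f in $denied, $unlisted) {
    New-Item -Path $f -ItemType File -Force | Out-Null
    Set-Content -Path $f -Value 'Write-Output "hello"'
}
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $denied, $unlisted -User $denySid |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy. Without -Merge the existing local policy is replaced.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Get-AppLockerPolicy -Local -Xml
```

For a member of BUILTIN\Users, the dry run should report the script in the denied folder as Denied (matched by the deny rule) and the one in %TEMP% as DeniedByDefault, because no allow rule covers it. That second result is the point to notice: as soon as the script collection is enforced, AppLocker is default-deny for everything outside the allow rules, which is why the default rules are created first and why starting in Audit only mode is worth the extra step.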
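To see what the rules actually decided, whether you are enforcing or still auditing, read the “MSI and Script” event log mentioned in the testing step. The following is an added example, not code from the original article; it assumes it is run elevated on the machine where the policy is applied and summarises the allowed, audited, and blocked script decisions by file and user.

```powershell
# Added example, not from the original article. Summarises AppLocker's script-rule
# decisions from the "MSI and Script" log. Event IDs: 8005 = script allowed,
# 8006 = would have been blocked (Audit only), 8007 = blocked (Enforce rules).
# Assumption: run elevated on the machine where the policy is applied.

function Get-AppLockerScriptDecisions {
    param([int]$MaxEvents = 500)

    $outcome = @{ 8005 = 'Allowed'; 8006 = 'AuditOnlyDenied'; 8007 = 'Blocked' }
    $filter  = @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8005, 8006, 8007 }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The file, rule and user are in the event's UserData, not in the message text.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            $sid  = $data.TargetUser
            try {
                $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch {
                $user = $sid   # deleted account or unresolvable SID: keep the raw value
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Outcome = $outcome[$_.Id]
                User    = $user
                File    = $data.FilePath   # AppLocker path variables, e.g. %OSDRIVE%\Scripts\x.ps1
                Rule    = $data.RuleName
            }
        }
}

$decisions = Get-AppLockerScriptDecisions

# Counts per outcome. In Audit only mode, the AuditOnlyDenied rows are exactly the scripts
# that will start failing the moment the collection is switched to Enforce rules.
$decisions | Group-Object Outcome | Select-Object Name, Count | Format-Table -AutoSize

# Which scripts, run by whom, are hit, so legitimate ones get an allow rule before enforcing.
$decisions | Where-Object Outcome -ne 'Allowed' |
    Group-Object File, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it for a few days in Audit only mode and review the non-Allowed rows; each one is either a script you meant to block, or a legitimate script that needs an allow rule (preferably a publisher or hash rule) before you switch the collection to Enforce rules.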
With that, you should have a good idea of how to block a script using AppLocker in Windows 10. You can apply the same approach to AppLocker’s other rule collections, from Windows Installer files to the executables users are allowed to run.
How to Enable/Disable PowerShell Scripts via Execution Policy or Disable PowerShell Entirely
If you want an alternate method to enable or disable PowerShell scripts, you may want to check our PowerShell Execution Policy guide, keeping in mind that the execution policy is a safety feature rather than a security control, since a user can change it or bypass it, whereas AppLocker rules are enforced regardless. Alternatively, you can learn how to disable PowerShell in Windows 10 entirely using a group policy.