On Windows 11 or Windows 10 computers, PC users can apply stringent security measures: they can protect against and prevent ransomware attacks and infections, block users from installing or running programs, and use AppLocker to prevent users from installing or running applications. In this post, we walk you through how to block .exe files from running on Windows client or Windows Server by applying Software Restriction Policies, a set of rules that can be configured using Group Policy Editor.
What are Software Restriction Policies?
According to Microsoft documentation, Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run. Software restriction policies are part of the Microsoft security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers.
SRPs are integrated with Microsoft Active Directory and Group Policy – but can be used to create highly restricted configuration policies on stand-alone computers as well, in which you allow only specifically identified applications to run on the system.
How to block EXE files from running using Group Policy
Controlled Folder Access, which can be configured using Group Policy and PowerShell, tracks executable files, scripts, and DLLs that attempt to make changes to files in the protected folders once it is enabled. In a similar way, PC users can block .exe files in vulnerable folders from running with Software Restriction Policies on Windows 11/10.
To block exe files from running using Group Policy in Windows 11/10, do the following:
- Press Windows key + R to invoke the Run dialog.
- In the Run dialog box type gpedit.msc and press Enter to open Group Policy Editor.
- Inside the Local Group Policy Editor, use the left pane to navigate to the path below:
Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies
- At the location, on the left navigation pane, click the Software Restriction Policies folder to collapse it.
- Next, right-click the Additional Rules folder node.
- Select New Path Rule… from the context menu.
- Now, enter the path to the folder from which you want to prevent executable files from running, and make sure to add *.exe at the end so that you block only executable files.
- Add a description if you like.
- Click Apply > OK to save the changes.
- Repeat for additional folders.
You can block (at least) the following:
- C:\Windows\Temp\*.exe
- C:\Windows\Temp\*\*.exe
- %USERPROFILE%\AppData\Local\*.exe
- %USERPROFILE%\AppData\Local\*\*.exe
- %USERPROFILE%\AppData\Roaming\*.exe
- %USERPROFILE%\AppData\Roaming\*\*.exe
Once done, you can exit the Local Group Policy Editor. If you want to allow some specific executable files to run in these folders, simply create an exception by selecting the Unrestricted option in the Security level drop-down.
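Before enforcing the path rules above, it helps to see which executables already live in those folders, since anything found there stops running unless it gets an Unrestricted exception. The following PowerShell script is an added example, not part of the original post; the function name Get-SrpCandidate and the output file srp-candidates.csv are hypothetical, and PowerShell's wildcard matching is assumed to approximate how SRP evaluates the same patterns.

```powershell
# Added example: inventory .exe files covered by the path rules listed above,
# so exceptions can be planned before the rules are enforced.
# Assumption: PowerShell wildcard matching stands in for SRP's own path matching.
# Only the profile of the account running the script is checked; reading
# C:\Windows\Temp normally requires an elevated session.

# The six patterns from the list above.
$patterns = @(
    'C:\Windows\Temp\*.exe',
    'C:\Windows\Temp\*\*.exe',
    '%USERPROFILE%\AppData\Local\*.exe',
    '%USERPROFILE%\AppData\Local\*\*.exe',
    '%USERPROFILE%\AppData\Roaming\*.exe',
    '%USERPROFILE%\AppData\Roaming\*\*.exe'
)

function Get-SrpCandidate {
    param([string[]]$Pattern)

    foreach ($p in $Pattern) {
        # Expand %USERPROFILE% for the current account.
        $expanded = [Environment]::ExpandEnvironmentVariables($p)

        # -Force includes hidden files; unreadable folders are skipped silently.
        Get-ChildItem -Path $expanded -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Rule      = $p                  # pattern that matched
                    Path      = $_.FullName
                    Signature = $sig.Status         # Valid, NotSigned, HashMismatch, ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    SHA256    = $hash.Hash          # identifies this exact file version
                }
            }
    }
}

$report = Get-SrpCandidate -Pattern $patterns
$report | Sort-Object Path | Format-Table Rule, Signature, Signer, Path -AutoSize
$report | Export-Csv -Path .\srp-candidates.csv -NoTypeInformation
```

Signed executables from known publishers in this report are the likely candidates for Unrestricted exceptions; unsigned files in these folders deserve a closer look before anything is allowed.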
Windows 11/10 Home users can add the Local Group Policy Editor feature and then carry out the instructions provided above.
That’s it on how to block exe files from running using Group Policy in Windows 11/10!
How do I block an EXE file?
You can block an .exe file in Windows 11/10 in either of the following ways:
- Using Path Rule: Based on the name of the executable and its file extension, all the versions of the specified application are blocked.
- Using Hash Value: After locating the executable on the server, the hash value of the executable is calculated.
How do I fix "This program is blocked by Group Policy"?
To fix the "This program is blocked by Group Policy" error on your system, do the following:
- Open Group Policy Editor.
- Expand User Configuration > Policies > Administrative Templates > System.
- Click the Show button.
- Remove the target program or application from the disallowed list.
- Click OK.
How do I run a program that is blocked by administrator?
To run a program that is blocked by an administrator, you need to unblock the file. Here’s how:
- Right-click on the file you’re trying to launch.
- Select Properties from the context menu.
- Switch to the General tab.
- Under the Security section, check the Unblock box.
- Click Apply > OK button.
Hope you find this post useful!