I'm currently in the middle of a Windows 8 implementation in which most of the AppX packages need to be disabled and blocked so that users cannot access them.
One of the more important one's as you can imagine is SkyDrive. Why these kind of applications have found their way into a default installation of Windows for an enterprise environment I do not know, and it really frustrates me.
However rather than use some of the registry hacks out their I've seen to disable various aspects or powershell to remove the apps on a per user basis which is difficult to manage I looked around for what I thought was a much better solution.
You can you AppLocker to block access to not just .exe's and scripts but also AppX packages. It's managed and applied by GPOs which makes it easy for everyone supporting the environment to understand. And the control can be granular, from a single GPO you could allow a group of users to run and app but disallow everyone else, all in 1 GPO and for multiple apps.
1. First things first, you will need to edit the GPO from a Windows 8 desktop (not Server 2012).
This is because we need to be on a computer where the appx packages are installed.
Install the Remote Server Administration Tools for Windows 8 from here:
2. Create a GPO named "AppLocker" and apply it to a test OU and test desktop only.
Note: If you apply it to all your computers and accidentally deny all your apps don't come crying to daddy.
3. Enable the "Application Identity" service.
Under Computer Configuration --> Policies --> Windows Settings --> Security Settings --> System Services
Set the "Application Identity" Startup to Automatic.
4. Enable and configure AppLocker
Under Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Application Control Policies --> AppLocker
Click "Configure Rule Enforcement"
5. Tick "Configured" and "Enforce rules" for the following:
6. Create default rules
You need to create the default rules before you do anything else, otherwise you will block everything which will result in your computers not booting up or working.
Right click "Excutable rules" and select "Create Default Rules"
Right click "Packaged app rules" and select "Create Default Rules"
You will now see Allow rules that will allow the computer to work once you apply your GPO.
Next we will add Deny rules for our specific applications...
7. Create a Packaged app rule to Deny an application
Right click "Packaged app rules" and select "Create New Rule".
8. Select your appx packaged application to deny.
Tick the box, you can only select one per rule, I chose SkyDrive.
Note: If your not editing your GPO from Windows 8 you will not see the applications to select them.
9. Slide the selector to the "Package Name" so we are covered for any future versions of this AppX packaged app.
10. Your new Deny rule will now show under the list of rules with the allow beneath it for everything else.
11. Ensure the GPO has applied to your test desktop and test your AppLocker settings are now blocking your Appx packaged app.
12. If your satisfied you have sufficiently tested your AppLocker GPO, apply it to the rest of your computers.
Share this blog post on social media:Tweet
All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.