In today's cybersecurity landscape, preventing unauthorized applications from running on corporate or personal devices is critical. Whether you’re securing an enterprise environment or managing a home lab, AppLocker is a powerful Windows feature that can help you enforce application control policies - especially to block executables from common attack vectors like the Downloads folder.
In this blog post, I’ll guide you step-by-step on how to use AppLocker to block .exe files from running in these locations without affecting the rest of your system.
🎯 Why Block Executables from Downloads?
Attackers often rely on users downloading and running malicious files from their browsers. These files typically land in the Downloads and Temp folders. Blocking execution in these folders significantly reduces the risk of malware infections caused by user-initiated downloads.
🛠️ What is AppLocker?
AppLocker is a Windows feature that allows administrators to create rules that control which applications can or cannot run on a system. You can apply rules based on:
- File path
- Publisher
- File hash
For this scenario, we’ll use Path Rules to deny execution in the target folders.
📝 Prerequisites
- Windows 10/11 All Editions*
- Group Policy Editor or Local Security Policy
- Admin privileges
🚀 Step-by-Step Guide
🔹 Step 1: Open the Local Security Policy
- Press Win + R, type secpol.msc, and press Enter.
- Navigate to: Application Control Policies > AppLocker > Executable Rules
🔹 Step 2: Create a Deny Rule
- Right-click on Executable Rules, then click Create New Rule.
- Click Next on the Before You Begin screen.
- Under Permissions, choose:
  - Action: Deny
  - User or group: Select Everyone
- Click Next.
🔹 Step 3: Choose Condition Type
- Select Path as the condition type.
- Click Next.
🔹 Step 4: Define the Path
- Enter the folder path where you want to block executable files. Use environment variables for flexibility.
📝 Note: you may need to create a separate rule for each folder.
- Click Next, add exceptions if needed, then Create.
- If prompted to create Default Rules, select Yes. If you are not prompted, right-click Executable Rules and then click Create Default Rules.
🔹 Step 5: Enforce AppLocker Rules
- By default, AppLocker rules are in Audit mode. To enforce them:
  - Go to Application Control Policies > AppLocker.
  - Click Configure rule enforcement (in the right pane).
  - Under Executable Rules, check Enforce rules.
  - Click OK.
🔹 Step 6: Confirm the Application Identity Service is Running
- Press Win + R, type services.msc, and press Enter.
- Verify that the Application Identity service is running.
  - If not, right-click it and select Start.
- Set it to Automatic for persistence (optional).
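The same result as Steps 2 through 6, done from an elevated PowerShell session instead of the secpol.msc GUI. This is an added example, not code from the original post: it writes the deny rule (for Everyone, Path condition, Downloads) together with the three Default Rules as an AppLocker XML policy, imports it with the built-in AppLocker module, and starts the Application Identity service. The policy file path, the "Approved" exception subfolder and the choice to start in AuditOnly mode are assumptions of the example, not something the post specifies.

```powershell
# Added example (not from the original post): AppLocker deny-EXE-in-Downloads policy via PowerShell.
# Run elevated. Assumptions: policy file location, the hypothetical "Approved" exception folder,
# and starting in AuditOnly so events can be reviewed before switching to Enforce.

$PolicyPath = 'C:\Temp\DenyDownloads.xml'   # assumed location for the policy file
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null

# Helper: one FilePathRule element. AppLocker requires a unique GUID Id per rule.
function New-PathRuleXml {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow','Deny')] [string]$Action,
        [string]$Sid = 'S-1-1-0',          # well-known SID for Everyone
        [string[]]$Exceptions = @()
    )
    $exc = ''
    if ($Exceptions.Count -gt 0) {
        $items = ($Exceptions | ForEach-Object { "<FilePathCondition Path=`"$_`" />" }) -join ''
        $exc = "<Exceptions>$items</Exceptions>"
    }
    return @"
<FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
  <Conditions><FilePathCondition Path="$Path" /></Conditions>
  $exc
</FilePathRule>
"@
}

# %OSDRIVE% is AppLocker's variable for the drive Windows is installed on; Users\* covers every profile.
# Deny rules win over Allow rules regardless of order, so a carve-out for a trusted subfolder
# has to be an Exception on the deny rule itself.
$rules = @(
    New-PathRuleXml -Name 'Deny EXE in Downloads' -Action Deny `
        -Path '%OSDRIVE%\Users\*\Downloads\*' `
        -Exceptions '%OSDRIVE%\Users\*\Downloads\Approved\*'   # hypothetical approved folder
    # Equivalent of "Create Default Rules": without these, Enforce mode blocks every executable
    # that no Allow rule covers, including Windows itself.
    New-PathRuleXml -Name '(Default Rule) All files located in the Program Files folder' -Action Allow -Path '%PROGRAMFILES%\*'
    New-PathRuleXml -Name '(Default Rule) All files located in the Windows folder' -Action Allow -Path '%WINDIR%\*'
    New-PathRuleXml -Name '(Default Rule) All files' -Action Allow -Path '*' -Sid 'S-1-5-32-544'  # BUILTIN\Administrators
)

# Start in AuditOnly (the GUI default); set to "Enabled" to enforce (Step 5).
$EnforcementMode = 'AuditOnly'
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$xml | Set-Content -Path $PolicyPath -Encoding UTF8

# -Merge adds these rules to the existing local policy; omit it to replace the policy outright.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# Step 6: AppLocker only evaluates rules while the Application Identity service is running.
# sc.exe is used because on recent Windows 10/11 builds the Startup type is greyed out in services.msc.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry-run the policy against a real executable copied into Downloads (see "Test the Policy").
$probe = Join-Path $env:USERPROFILE 'Downloads\applocker-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $probe -Force
```

Test-AppLockerPolicy evaluates the file against the XML without touching the live policy, so you can check that the probe copy in Downloads comes back Denied by the new rule while a copy in the Approved subfolder does not, before changing EnforcementMode to Enabled.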

✅ Test the Policy
Now try to run a .exe file from the Desktop or Downloads folder. You should get a message like:
"This app has been blocked by your system administrator."
Perfect! The policy is working.
💡 Bonus Tips
- You can whitelist specific apps or folders using Allow rules above the deny rule.
- Use Group Policy Management to deploy this across multiple machines in a domain environment.
- Use Intune configuration profiles to deploy this across Intune-enrolled devices.
- Switch back to Audit mode if you want to monitor without blocking initially.
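Audit mode is only useful if someone reads the resulting events, so here is the review side as an added example (not code from the original post). AppLocker logs one event per decision to the "Microsoft-Windows-AppLocker/EXE and DLL" log: 8002 is allowed, 8003 is "would have been blocked" (Audit mode) and 8004 is blocked (Enforce mode). The parser is exercised first on a constructed sample event, then against the live log; the sample's user, path and rule name are made up for the illustration.

```powershell
# Added example (not from the original post): review AppLocker EXE decisions from the event log.
# Event IDs: 8002 = Allowed, 8003 = Audited (would have been blocked), 8004 = Blocked.

function ConvertFrom-AppLockerEvent {
    # Turns one event's XML (as returned by EventLogRecord.ToXml()) into a flat object.
    param([Parameter(ValueFromPipeline)] [string]$EventXml)
    process {
        $x    = [xml]$EventXml
        $idN  = $x.Event.System.EventID
        $id   = if ($idN -is [string]) { [int]$idN } else { [int]$idN.'#text' }
        $data = $x.Event.UserData.RuleAndFileData
        $decision = switch ($id) { 8002 {'Allowed'} 8003 {'Audited'} 8004 {'Blocked'} default {"Event $id"} }
        $user = $data.TargetUser
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$data.TargetUser).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { }   # SID from another machine or a deleted account: keep the raw SID
        [pscustomobject]@{
            Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
            Decision = $decision
            User     = $user
            File     = $data.FilePath      # reported with AppLocker variables, e.g. %OSDRIVE%\...
            Rule     = $data.RuleName
        }
    }
}

function Get-AppLockerExeDecisions {
    # Live query of the local log for the last $Hours hours, limited to the three decision events.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8002, 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } | ConvertFrom-AppLockerEvent
}

# Constructed sample event (not a real log record) so the parser can be exercised offline.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8003</EventID>
    <TimeCreated SystemTime="2024-05-01T09:15:00.000Z" />
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>EXE</PolicyName>
      <RuleName>Deny EXE in Downloads</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <TargetProcessId>4242</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\ALICE\DOWNLOADS\SETUP.EXE</FilePath>
      <Fqbn>-</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@
$SampleEvent | ConvertFrom-AppLockerEvent | Format-Table -AutoSize

# On a machine with the policy in place: what Audit mode would have blocked in the last week,
# grouped by file, so exceptions can be added before flipping Executable Rules to Enforce.
Get-AppLockerExeDecisions -Hours 168 |
    Where-Object Decision -eq 'Audited' |
    Group-Object File | Sort-Object Count -Descending |
    Select-Object Count, Name
```

When deploying through Group Policy or Intune, the same query is worth running on a pilot group before enforcement: a steady stream of 8003 events for a legitimate installer that lives in Downloads is the signal to add an exception rather than to enforce.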
🔐 Final Thoughts
AppLocker is a powerful but underused feature in Windows environments. By blocking executable files in high-risk folders like Downloads and temporary folders, you take a big step toward minimizing user-initiated malware infections.
This method is clean, native and doesn’t require third-party software.