How-To

How to Block Desktop App Access on Windows

By Brian Burgess

Updated October 17, 2023

You might want to block apps if you manage PCs for your family or small business. Learn how to block desktop app access on Windows in this guide.

If you’re a computer administrator, there are going to be times when you’ll need to block access to specific desktop apps. For example, you might want to disable access to system tools like PowerShell to prevent unauthorized access.

Restricting access to apps like these also help to prevent a user from running harmful scripts or making unwanted system changes. Perhaps you need to block a browser like Chrome or a specific app within the Office 365 suite.

Whatever your needs are, you can block desktop app access on Windows 11 or Windows 10 using either Group Policy or Security Policy rules by following the steps below.

How to Block Desktop App Access Using Group Policy on Windows

Blocking access to desktop apps is easily done using Local Group Policy rules on Windows 11 and Windows 10. Note that to use this option you’ll need to be running Windows 10 0r 11 Pro or above. Home versions of Windows do not  include Group Policy Editor.

To Block Desktop App Access on Windows via Group Policy

1. Log in as administrator on the PC you want to block app access.
2. Open the Start menu.
3. Type gpedit and choose Edit group policy under the Best match section.
4. When Local Group Policy Editor opens, navigate to the following path and press Enter:

   User Configuration > Administrative Templates > System

5. Scroll down the policies on the right column and double click the Don’t run specified Windows applications policy.
6. Select the Enabled option on the upper left side of the Window.
7. Under the Options section, click the Show button.
8. Enter the apps you want to block access on each line, including the “.exe” file extension. In this example, we are blocking access to Command Prompt, PowerShell, and Google Chrome.
9. Click OK when done.
10. After entering the apps to block, click Apply and OK.

After following the above steps, when a user tries to launch the apps you specify, they can find them from the Start menu, but they will simply not open.

Note: While the specified app access should be blocked immediately after configuring it in Group Policy, you might need to restart Windows for the change to take effect.

Unblocking Apps Using Group Policy

If you need to unblock an app that you’ve previously blocked using Group Policy, you can.

To do this, open the Local Group Policy Editor and select User Configuration > Administrative Templates > System. Click the Show button under the Options section, delete the app you want to unblock, and click OK.

You can also set the policy to Not configured to unblock all the blocked apps you include in your block list. Also, remember you may need to restart the PC for the changes to take effect.

How to Block Desktop App Access Using Security Policy on Windows

In addition to using Local Group Policy, you can prevent users from launching specific apps using the Local Security Policy options. These steps will work for Windows 11 and Windows 10 users.

To block desktop app access using Local Security Policy:

1. Open the Start menu.
2. Type local security policy and click the top result under Best match.
3. When the Local Security Policy window opens, expand the Software Restriction Policies branch.
4. Right-click the Additional Rules folder and select New Hash Rule from the menu.
5. If the category isn’t present, right-click Software Restrictions Policies and choose New Software Restriction Policies.
6. In the New Hash Rule window, click the Browse button.
7. Navigate to the location of the app’s EXE file you want to block access, highlight it, and click the Open button. For example, we are choosing PowerShell.
8. The app’s data will be added to the New Hash Rule window.
9. Ensure the Security level field is set to Disallowed and click Apply and OK.
10. Restart the PC.

After following the above steps to block desktop access on Windows, when you return from the restart, sign in, and access to the app you specify will no longer be allowed.

When the user tries to access a blocked app, an error message will appear, telling them to contact the system administrator.

Unblocking Apps Using Local Security Policy

To undo the changes to app access, go back to Local Security Policy > Software Restriction Policies > Additional Rules. Right-click the hash of the blocked app and select the Delete option.

Managing Apps and Users on Windows

If you need to block users from accessing specific desktop apps, using Local Group Policy or Local Security Policy will get the job done. It’s a straightforward way to prevent inexperienced users from messing with system utilities you don’t want them to.

Windows includes other ways to manage users and apps. For example, you can manage user account privileges or add a local user account on Windows 11. If you create multiple user accounts, you need to know how to switch between users.

In addition to user accounts, you can manage other app security on Windows. For example, you can block an app’s internet access or disable startup apps for better boot times.

Also, if you don’t want a user to install untrusted apps from sketchy sources, you can set Windows to install apps from the Microsoft Store only. And for better system performance, learn how to stop apps from running in the background.