How do I block an EXE file in Windows?

One of the most challenging task in system administration is to restrict usage of certain applications. Endpoint Central facilitates you to perform this task at ease. You will be able to block the required applications/executable using this feature. You can apply these restrictions for specific computers. Endpoint Central's prohibited software helps you in detecting and uninstalling the software applications which are not allowed in the network. Block executable feature, allows you to restrict the executable when it is launched, on the target computers. You can block even executables like, notepad.exe, putty.exe etc which are launched without being installed on the target computer. All the file formats supported under  Windows "Software Restriction Policy" can be blocked using Endpoint Central. There are two ways to block an application/executable, they are:

• Blocking using Path Rule
• Blocking using Hash Value

The following prerequisites should be met for blocking the executable

• Local Group Policy should be enabled on the target machine
• Local Group Policy Should be enabled on the target computer
• Default security Policy should be set as "Unrestricted"
• Local Group Policy should be enabled for Administrator

Click here to watch the video:

Blocking using Path Rule

You can choose this option to create a policy in order to block an executable. Path Rule, is used to block an executable based on the name of the executable and its extension. If the user renames the application then the application will not be recognized, which means the application will not be blocked. This rule can be used to block applications even if they are not available in your network. All you need to know is just the name of the executable and its file extension. With the help of path rule, all the versions of the specified application can be blocked.   For example, if you have created a path rule to block Google Chrome browser for a specific version, say version 44.0, this policy will block all the versions of Google Chrome browser, unless the executable is not renamed.

Blocking using Hash Value

Hash is a unique value, that represents the executable. If you choose to block an executable using the hash value, then it will be blocked even if renamed. If you want to block an executable using hash value, you should locate it on the server, for the hash value can be calculated.

Creating and Removing a Policy

If you wanted to block an executable to a specific target, then you will have to create a policy. Selecting the target computers is the first step in creating a policy. You will have to select the executable which needs to be blocked, if it exists in the database. If you wanted to block an executable for the first time, then you will have to add the executable and choose to block rule as path or hash. You can create two different policies for a single executable, one using path and the other using hash value. Policy will be applied on the target computer for the first time, after the system restart. You can also remove a policy if you wish to suspend a block rule and whitelist an executable.

Blocking Executable for All the Computers

Endpoint Central by default has a custom group, which contains all the managed computers. If you wanted to block an executable for all the managed computers, then you can choose "All Managed Computers" group and select the executable, which needs to be blocked. You will have to create a policy by specifying the target and executable which needs to be blocked.

Blocking Executable for Specific Computers

To block an executable for specific target, you will have to create a new custom group or use the existing custom groups. Custom groups can be of any type such as, unique or static. You can block executable by choosing custom group which contains computers.

Block executable" does not support blocking executable which are initiated by the system.

Troubleshooting Tips:

1. How to enable Local Group Policy on the target machine?
   You will have to perform the following steps manually on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Click Group Policy

   4. Click on "Turn Off Local Group Policy Objects Processing" as shown below.

      

   5. Ensure that you have chosen "Not Configured" as shown in the below image.
      

      
      You have now enabled Local Group Policy on the target machine.

2. How to enable Local Group Policy on the target computer?

   You will have to perform the following steps manually on the target computer:

   1. Go to Run

   2. Type gpedit.msc

   3. Right Click on "Local Computer Policy", Choose Properties to ensure that "Disable Computer Configuration Settings" is not selected.
      
      
      You have now enabled Local Group Policy on the target computer.
3. How to set the Default security Policy as "Unrestricted"
   You will have to perform the following steps manually on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Click "Security Levels" and double click "Unrestricted" as shown below
      
   4. Ensure that the status is set as "Default" as mentioned in the image below.
   
   You have now enabled Local Group Policy on the target computer.
4. How to enable Local Group Policy for the Administrator?
   You will have to perform the following steps manually on the target computer:
   1. Go to Run

   2. Type gpedit.msc

   3. Click "Software Restriction Policy"

   4. Double click  "Enforcement" to ensure that "All Users" is selected as shown in the image below
      

      
      You have now enabled Local Group Policy for Administrators.

How do I block an exe file?

How do I block an exe file in Windows 10?

How do I block a program or run exe in Windows?

How do I block an application from accessing my computer?