GPO to block APPDATA directory .exes

    Question

  • This works for our Windows 7 workstations, but for Win 8.1 and Win 10...it doesn't even show up in the list when you do gpresult /r? Each OS representing a workstation has its own Computer OU..meaning all Win7 workstations in its OU, Win 8 in its own and Win 10 in its own.

    User is not a local administrator....do Win 8.1 and Win 10 have a different path to AppData?

    Wednesday, June 01, 2016 7:55 PM

All replies

  • Hi Techy,

    Thanks for your post.

    Do you want to block all .exe files under the appdata folder?

    If yes, I suggest you try to disallow the paths below:

    %appdata%\*.exe

    %appdata%\*\*.exe

    Here is an article that may be helpful to you.

    Disable .exe’s from running inside any user %appdata% directory – GPO

    http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Jay



    Thursday, June 02, 2016 1:45 PM
    Moderator
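
    A way to check, on the workstation itself, whether the two Disallowed path rules suggested above were actually delivered by Group Policy. This is an added example, not part of the thread; it assumes the rules were created as Software Restriction Policy path rules and reads the registry keys where SRP policy is stored. The function name is hypothetical.

```powershell
# Added example (not from the thread): list the SRP path rules that Group Policy
# has written for this computer and the logged-on user.
$wanted     = '%appdata%\*.exe', '%appdata%\*\*.exe'   # the two rules suggested above
$levelNames = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }

function Get-SrpPathRule {   # hypothetical helper name
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path $base)) { continue }        # no SRP policy in this scope
        foreach ($level in Get-ChildItem $base) {       # one subkey per security level
            $pathsKey = Join-Path $level.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey) {
                # Read ItemData unexpanded so %appdata% appears as written in the GPO
                $raw = $rule.GetValue('ItemData', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $name = $level.PSChildName
                [pscustomobject]@{
                    Scope = $hive.TrimEnd(':')
                    Level = if ($levelNames.ContainsKey($name)) { $levelNames[$name] } else { $name }
                    Path  = $raw
                }
            }
        }
    }
}

$rules = @(Get-SrpPathRule)
if ($rules.Count -eq 0) {
    'No SRP path rules found: the SRP settings from the GPO have not reached this machine.'
} else {
    $rules | Format-Table -AutoSize | Out-String
}

# Report whether each suggested pattern is present at the Disallowed level
foreach ($w in $wanted) {
    $hit = $rules | Where-Object { $_.Path -eq $w -and $_.Level -eq 'Disallowed' }
    '{0,-22} {1}' -f $w, $(if ($hit) { 'present (Disallowed)' } else { 'MISSING' })
}
```

    Running it on a workstation where the rule works and on one where it does not shows whether the difference is in policy delivery or in rule matching.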
  • Hi,

    Just a suggestion: if you are looking to block any kind of malware and virus from the AppData folder, I would suggest, rather than blocking, whitelist it.

    Whitelisting will give more security than this.. in SRP - set the sec level to Disallowed and apply additional rules of the kind below.


    Devaraj G | Technical solution architect


    • Edited by Devaraj G Thursday, June 02, 2016 5:14 PM
    Thursday, June 02, 2016 5:12 PM
  • Hey Jay....thanks for the reply...I do have, as you can see in the above picture insert, the %appdata%\*.exe disallowed...my problem is...this works for Windows 7 but I can't get it to even show up in gpresult for Win 8.1 and 10...it's like it simply doesn't even apply?

    Friday, June 03, 2016 2:42 PM
  • Hey Devaraj..thanks for the reply....so if I use whitelisting...is that done through GPO? And then will I have to maintain a list per se? What should I start with? Office Apps, IE, Lync client, Outlook client?

    Friday, June 03, 2016 3:00 PM