AppLocker GPO: Create Executable Rules


  • To ALLOW a group of users and DENY everyone else from PowerShell & PowerShell ISE, both x64 & x86.

    > There is an existing Executable Rule that ALLOW 'NT Authority/Authenticated users' to Path: %Windir%\*.

    If I add into this existing Executable Rule with Publisher Exceptions to

    1. %WINDIR%\System32\WindowsPowerShell\*; & 2. %windir%\sysWOW64\WindowsPowerShell\*

    question: Does the above DENY everyone from PowerShell?

    Then, I create two Executable Rules to ALLOW a security group of user for PowerShell:

    rule 1: Path: %system32%\WindowsPowerShell\* &

    rule 2: Path: %syswow64%\WindowsPowerShell\*

    By implementing above, will I achieve DENY everyone from PowerShell and ALLOW only group of user to both PowerShell & PowerShell ISE (both x64 & x86-bit)?

    Thank you

    Best Regards,

    Thursday, May 19, 2016 1:55 AM


  • Hi BlueBerries,

    Thanks for your post.

    You need create a ALLOW rule for the group which you want allow them to use PowerShell.exe and add the PowerShell.exe to Exceptions of other ACLs, which action=ALLOW and user=everyone. If you do not want Administrator to run PowerShell.exe, you need add the PowerShell.exe to Exceptions of the ACL, which action=ALLOW and user=administrator.

    If you want to set the same action for PowerShell ISE (both x64 and x86), you need repeat the action above to achieve your goal.

    Best Regards,


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact

    Thursday, May 19, 2016 7:49 AM