Script to block apps on Windows
As an organization’s IT administrator, you might have several reasons to block access to applications on company devices. Some common reasons include improving employee productivity, preventing malicious apps, restricting unwanted content and so on.
Using Hexnode’s Execute Custom Script action, you can remotely run a PowerShell script that blocks unwanted applications on your Windows endpoints without any manual intervention.
PowerShell Script to Block Apps
```powershell
# Specify the apps that need to be blocked (comma separated).
$blockListedApps = @("app1.exe", "app2.exe", "app3.exe")
Write-Host "List of apps that will get blocked:--->"
Write-Host $blockListedApps -Separator ","
try {
    # Map HKEY_USERS so each signed-in user's hive can be reached by SID.
    $status = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

    Function BlockApps($sid) {
        $policyPath = "HKU:\${sid}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
        if (Test-Path $policyPath) {
            $ExplorerPath = $policyPath + "\Explorer"
            if (-not (Test-Path $ExplorerPath)) {
                New-Item -Path $ExplorerPath -Force | Out-Null
            }
            # DisallowRun = 1 turns the restriction on for this user.
            New-ItemProperty -Path $ExplorerPath -Name "DisallowRun" -Value 1 -PropertyType DWord -Force | Out-Null
            $DisallowRunPath = $ExplorerPath + "\DisallowRun"
            if (-not (Test-Path $DisallowRunPath)) {
                New-Item -Path $DisallowRunPath -Force | Out-Null
            }
            # Each blocked executable is stored as a numbered string value (1, 2, 3, ...).
            $count = 1
            Foreach ($app in $blockListedApps) {
                New-ItemProperty -Path $DisallowRunPath -Name $count -Value $app -PropertyType String -Force | Out-Null
                $count++
            }
        }
        else {
            Write-Host "Unable to locate policies path, please check manually"
        }
    }

    # Enumerate user accounts; only accounts whose hive is loaded under HKU are signed in.
    $userDetails = Get-WmiObject Win32_UserAccount | Where-Object { $_.Status -eq 'OK' }
    $loggedInUserCount = 0
    foreach ($user in $userDetails) {
        $sid = $user.SID
        $username = $user.Name
        if (Test-Path "HKU:\${sid}") {
            Write-Host $username,"is signed-in to the device."
            Write-Host "blocking apps for the user:",$username
            BlockApps $sid
            $loggedInUserCount++
        }
    }

    if ($loggedInUserCount -eq 0) {
        Write-Host "Policy hasn't applied to any user, this policy can only be applied when the user is logged in to the device"
    }
    else {
        Write-Host "Restart the device to review the changes."
    }
}
catch {
    Write-Host "Error occurred while running script -> ",$_.Exception.Message
}
```
In the $blockListedApps variable of the PowerShell script, specify the executable file names of the applications you want to block, each within double quotes and separated by commas. The specified apps will be blocked for all the user accounts signed in to the device at the time of script execution.
When the user tries to launch a blocked app on the device, they will see a popup that informs them of the restriction.
To remove the application restrictions on the device, you can execute the PowerShell script below:
```powershell
try {
    # Map HKEY_USERS so each signed-in user's hive can be reached by SID.
    $status = New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS

    Function UnblockApps($sid) {
        $policyPath = "HKU:\${sid}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
        if (Test-Path $policyPath) {
            $ExplorerPath = $policyPath + "\Explorer"
            if (Test-Path $ExplorerPath) {
                # Remove the DisallowRun switch; ignore the error if it was never set.
                Remove-ItemProperty -Path $ExplorerPath -Name "DisallowRun" -Force -ErrorAction SilentlyContinue | Out-Null
            }
            # Remove the key that holds the list of blocked executables.
            $DisallowRunPath = $ExplorerPath + "\DisallowRun"
            if (Test-Path $DisallowRunPath) {
                Remove-Item -Path $DisallowRunPath -Force | Out-Null
            }
        }
        else {
            Write-Host "Unable to locate policies path, please check manually"
        }
    }

    # Enumerate user accounts; only accounts whose hive is loaded under HKU are signed in.
    $userDetails = Get-WmiObject Win32_UserAccount | Where-Object { $_.Status -eq 'OK' }
    $loggedInUserCount = 0
    foreach ($user in $userDetails) {
        $sid = $user.SID
        $username = $user.Name
        if (Test-Path "HKU:\${sid}") {
            Write-Host $username,"is signed-in to the device."
            Write-Host "removing blocklisted apps from user:",$username
            UnblockApps $sid
            $loggedInUserCount++
        }
    }

    if ($loggedInUserCount -eq 0) {
        Write-Host "Policy hasn't applied to any user, this policy can only be applied when the user is logged in to the device"
    }
    else {
        Write-Host "Restart the device to review the changes."
    }
}
catch {
    Write-Host "Error occurred while running script -> ",$_.Exception.Message
}
```
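To confirm what the block and removal scripts actually left on a device, the following added example (not one of Hexnode's scripts) reads the same registry locations for every loaded user hive and reports whether the policy is enabled and whether the stored list matches the one you deployed. The names $expectedApps and Get-DisallowRunState, and the S-1-5-21 filter for local and domain account SIDs, are assumptions of this example.

```powershell
# Added example: audit the DisallowRun policy for each loaded user hive.
# $expectedApps is an assumption; set it to the list you deployed.
$expectedApps = @("app1.exe", "app2.exe", "app3.exe")

function Get-DisallowRunState {
    param([string]$Sid, [string[]]$Expected)

    $explorerPath = "Registry::HKEY_USERS\$Sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $listPath     = "$explorerPath\DisallowRun"

    # The list only takes effect when the DisallowRun DWORD under Explorer is 1.
    $flag = (Get-ItemProperty -Path $explorerPath -Name "DisallowRun" -ErrorAction SilentlyContinue).DisallowRun

    # Read the numbered string values (1, 2, 3, ...) that hold the executable names.
    $actual = @()
    if (Test-Path $listPath) {
        $key = Get-Item -Path $listPath
        $actual = @($key.GetValueNames() | Where-Object { $_ } | ForEach-Object { [string]$key.GetValue($_) })
    }

    [pscustomobject]@{
        Sid     = $Sid
        Enabled = ($flag -eq 1)
        Blocked = $actual
        Missing = @($Expected | Where-Object { $actual -notcontains $_ })  # expected but not set
        Stale   = @($actual | Where-Object { $Expected -notcontains $_ })  # left from an older list
    }
}

# Loaded hives of local and domain accounts appear as S-1-5-21-...; the *_Classes hives are skipped.
$sids = Get-ChildItem -Path "Registry::HKEY_USERS" |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    Select-Object -ExpandProperty PSChildName

foreach ($sid in $sids) {
    $state = Get-DisallowRunState -Sid $sid -Expected $expectedApps
    $ok = $state.Enabled -and $state.Missing.Count -eq 0 -and $state.Stale.Count -eq 0
    Write-Host ("{0}: enabled={1} compliant={2}" -f $sid, $state.Enabled, $ok)
    if ($state.Missing) { Write-Host ("  missing: " + ($state.Missing -join ", ")) }
    if ($state.Stale)   { Write-Host ("  stale:   " + ($state.Stale -join ", ")) }
}
```

Run it elevated, like the scripts above, since it reads other users' hives. DisallowRun is enforced by File Explorer and matches on file name only, so treat it as a convenience restriction and use AppLocker or Windows Defender Application Control where enforcement matters.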