Restrict Software on Windows Devices Using a Policy

Important: Software Restriction Policies were deprecated beginning with Windows 10 build 1803 as well as Windows Server 2019 and later. For more information, see Microsoft's documentation.

For Windows devices, you can add a Software Restrictions Policy to specify locations where applications can run. A policy helps protect a device from potential threats: you control which applications are allowed to run and which are blocked. For general information on how JumpCloud policies using allow and deny lists work, see Manage Software Restrictions Using Policies.

You can add file types, applications, and locations to an allow list or deny list in the following ways:

  • A list of file types identified by their extension that are allowed or blocked if they are in any of the paths you list. For example, to block all Microsoft Access Project files in the C:\Projects directory, you specify ADP as the file extension and add the directory path in the Directories and/or Paths field. Make sure you don't include the period before the file extension or the policy won't work. On Windows devices, the following sample list allows or blocks Microsoft Access Project files, BASIC files, batch files, and JavaScript files: ADP, BAS, BAT, JS
  • A fully-qualified path that ends with a file name to allow or restrict the running of that one file. For example, on Windows devices where a deny policy is applied with the following restriction, users can't run the StringFinder application from the Custom Utilities folder: C:\Program Files\Custom Utilities\StringFinder.exe
  • A directory to allow or restrict all executable files in that location from running. For example, on Windows devices where a deny policy is applied with the following restriction, users can't run any applications in the apilibrary folder: C:\Projects\apilibrary
  • The % character to represent variables expanded by the OS. For example, adding the path %userprofile% to the deny list blocks applications from launching from anywhere within a user's profile folder.

You can use the following examples to understand how to construct environment variables to specify paths. Environment variables are dynamic objects containing an editable value which can be used by software programs. For example, you can use the %USERPROFILE% variable to find the directory structure owned by the user running the process.

  Environment Variable   Path
  %AppData%              C:\Users\{username}\AppData\Roaming\
  %LocalAppData%         C:\Users\{username}\AppData\Local\
  %Temp%                 C:\Users\{username}\AppData\Local\Temp\

The following environment variables and paths are common locations you can add to your allow or deny lists:

  • %appdata%\Microsoft\Internet Explorer\UserData\
  • %localappdata%\Microsoft\Windows\Temporary Internet Files\Content.Outlook\
  • %LocalAppData%\Google\Chrome\User Data\Default\Extensions\
  • %LocalAppData%\slack\*
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\
  • %ProgramFiles%\Google\Desktop\
  • %userprofile%\Downloads\
  • C:\Windows\Temp\

Considerations

You need to use the fully-qualified path to a file or directory to add it to an allow or deny list. You can also use a variable that resolves to one as described in the section above. For an application file, if all three of the following components are present, the path is fully-qualified or absolute. For a directory, if the first two of the following components are present, the path is fully-qualified or absolute:

  • A volume or drive letter – Must be followed by the volume separator (:).
  • A directory name – The directory separator character separates subdirectories in the nested directory hierarchy.
  • An optional filename – The directory separator character separates the file path and the filename.
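Before entering entries in the Directories and/or Paths and Included File Extensions fields, it helps to check that each path is fully qualified (drive letter, volume separator and directory separator) or starts with an environment variable the OS will expand, and that no extension carries a leading period. The following PowerShell is an added example, not part of the JumpCloud article or product; the function names and the sample entries are constructed for illustration.

```powershell
# Added example: sanity-check Software Restrictions allow/deny list entries
# against the rules in the article before adding them to a policy.

function Get-SrpPathEntryReport {
    param([Parameter(Mandatory)][string]$Entry)

    # Fully qualified: drive letter, volume separator ':' and directory separator '\'
    $isAbsolute = $Entry -match '^[A-Za-z]:\\'
    # Or an environment variable the OS expands, e.g. %userprofile% or %LocalAppData%\slack\*
    $isVariable = $Entry -match '^%[^%\\]+%(\\|$)'

    # Expand variables as the OS would on this host
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)

    [pscustomobject]@{
        Entry      = $Entry
        Expanded   = $expanded
        Valid      = ($isAbsolute -or $isVariable)
        # A %...% left after expansion means the variable is undefined on this host
        Unresolved = ($expanded -match '%[^%\\]+%')
    }
}

function Get-SrpExtensionEntryReport {
    param([Parameter(Mandatory)][string]$Extension)

    # Extensions are entered without the leading period (ADP, not .ADP)
    $reason = ''
    if ($Extension.StartsWith('.')) { $reason = 'leading period' }
    elseif ($Extension -notmatch '^[A-Za-z0-9]+$') { $reason = 'invalid characters' }

    [pscustomobject]@{
        Extension = $Extension
        Valid     = ($reason -eq '')
        Reason    = $reason
    }
}

# Constructed sample lists (hypothetical entries, not a recommended policy)
$paths = @(
    'C:\Program Files\Custom Utilities\StringFinder.exe',  # fully qualified file
    'C:\Projects\apilibrary',                               # fully qualified directory
    '%userprofile%\Downloads\',                             # variable-based path
    'Projects\apilibrary'                                   # relative path: rejected
)
$extensions = 'ADP', 'BAS', 'BAT', 'JS', '.exe'

$paths      | ForEach-Object { Get-SrpPathEntryReport -Entry $_ }           | Format-Table -AutoSize
$extensions | ForEach-Object { Get-SrpExtensionEntryReport -Extension $_ }  | Format-Table -AutoSize
```

Run it on the device (or a representative one) where the policy will apply, so that the Expanded column shows the paths the variables actually resolve to for that user.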

Determine the absolute path of any location in Windows:

  1. Open Windows Explorer and locate the file or folder.
  2. Right-click the file or folder, then click Properties.
  3. For the absolute path to the folder, use the path in Location. For example, c:\folder1\subfolder2.
  4. For the absolute path to a file, use the path in Location, then add a backslash and the file name to the end of the path. For example, c:\folder1\subfolder2\app.exe.

Create a Software Restrictions policy for Windows:

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  2. Go to DEVICES > Policy Management.
  3. In the All tab, click (+).
  4. Select the Windows tab.
  5. Select the Software Restrictions policy, then click configure.
  6. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  7. (Optional) In the Policy Notes field, enter details like when you created the policy, where you tested it, and where you deployed it.
  8. Under Settings, click Mode and choose Deny list or Allow list.
  9. To bypass Allow list or Deny list restrictions on a local device, select Exclude Local Administrators.
  10. Under Directories and/or Paths, click add filepath to add another directory or path. Enter either the fully-qualified path to the executable file or the entire application directory you want to list.
  11. Under Included File Extensions, click add file extension to add another extension. This action lets you add file types to the allow or deny list by entering the file extension. Don't include the period before the file extension.
  12. To remove directories, paths and extensions from your list, click the trash can icon next to the item.
  13. (Optional) To apply this policy to device groups, select the Device Groups tab. Select one or more device groups that will use this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  14. (Optional) To apply this policy to devices, select the Devices tab. Select one or more devices that will use this policy.
  15. Click save.
  16. Restart all devices where you applied this policy for this policy to take effect.

Warning:

If you remove a JumpCloud Software Restriction policy, native Microsoft Software Restriction Policies (SRP) need to be manually reset. To do this, completely delete your native Microsoft SRPs and then re-administer them. For complete steps on how to work with SRPs, refer to the Microsoft documentation: Administer Software Restriction Policies.

Delete the software restriction policies that are applied to a Group Policy Object (GPO):

  1. Open Group Policy Editor.
  2. In the console tree, right-click Software Restriction Policies.
  3. Click Delete Software Restriction Policies.

Note:

When you delete software restriction policies for a GPO, you also delete all software restriction policies rules for that GPO.

After you delete software restriction policies, you can create new software restriction policies for that GPO.

Create new software restriction policies:

  1. In Group Policy Editor, open Software Restriction Policies.
  2. On the Action menu, click New Software Restriction Policies.
  3. (Optional) Add any Designated File Types.
  4. (Optional) Configure Enforcement settings.
  5. (Optional) Configure Security Levels.
  6. (Optional) Apply policies to DLLs.