Whitelisting Windows Store applications on Windows using secpol.msc

As part of PCI compliance, we are required to restrict the applications which users are able to access on our payment office PCs to those on a specific whitelist. One wrinkle we've run into as part of migrating from Windows 7 to Windows 10 is that our older GPO-based method of restricting applications does not apply to newer Windows Store/Modern apps, including Microsoft Edge and Skype. This wrinkle has, so far, kept our payment PCs on Windows 7 for PCI compliance reasons.

Luckily, I discovered that it is possible to use a different method to whitelist applications: secpol.msc.  This is the Local Security Policy editor, reminiscent of the Local Group Policy editor gpedit.msc, and it allows you to create a software restriction policy to control what applications can and cannot run on a PC.

To create a software restriction policy to create an application whitelist, including Windows Store/Modern apps, follow these steps:

1. Open secpol.msc.

2. Right-click on "Software Restriction Policy", then on "New Software Restriction Policies."

3. In the "Security Levels" folder on the left, right-click on the "Disallowed" setting, then on "Set as default." This sets Windows to disallow access to all applications by default, except for those specifically whitelisted in the "Additional Rules" section below.

4. Right-click in the empty space in the "Additional Rules" folder, then on "New Path Rule...".

5. Enter the path of the application or folder that you wish to control. In this example, I am adding a rule to disallow all applications and apps in the C:\Program Files\WindowsApps folder, which includes things like the Calculator and Notepad apps. Click OK.

6. Add more rules to cover all of the applications you wish to control. As you can see in the screenshot below, I have also added a rule to disallow C:\Windows\SystemApps\*Edge*, in order to block the Microsoft Edge web browser from running. 

Note: You most likely do not want to block C:\Windows\SystemApps as a whole, because Microsoft has app-ified various parts of the operating system, including the Start menu and File Explorer. If you disallow this folder, you will lose access to these parts of the operating system until the policy is relaxed.

That's pretty much it! As you can see in the screenshots above, there are two entries that are automatically created when you create the software restriction policy: one for %HKLM [...] ProgramFilesDir%, and one for %HKLM [...] SystemRoot%. 

%SystemRoot% includes vital parts of the operating system, so it is not advisable to disallow access to this folder on a blanket level. %ProgramFilesDir% covers everything in the Program Files directory, meaning that by default some applications will still be allowed to run, even with the default policy set to disallow - Microsoft Office is an example of this. If you want to block these applications, simply change that entry from unrestricted to disallow.

In order to whitelist an application, you would do the same thing: create a new additional rule, but instead of specifying that it should be a "disallow" rule, choose "unrestricted" instead.

To make your changes take effect, log out and back in.