Windows 10 MDT Build- App Locker



To remove/block default applications that can't be removed at build time applocker can be used on windows 10 enterprise machines.

First step is to create a new policy called:-


Navigate to Computer Configuration -> Policies -> Windows Settings -> Application Control Policies -> Packaged app Rules

Create a default rule so that everyone can access packaged application by default (we can then deny access to certain packaged apps)


You will now see the following "Allow" rule created in the GPO

If you right click you can see the rule properties and description

Once the default rule has been created you can now start to block packages that you don't require:-
Select the Deny option so that the package gets blocked.

Next

Select use an installed packaged app as a reference


Select the package you would like to block

A deny rule will then be created

Confirmed Deny Rules

Microsoft.Windows.Cortana Package Deny rule - Cortana was removed from start menu
Microsoft.MicrosoftEdge Package Deny rule – Edge was removed from start menu
Microsoft.Messaging Package Deny – Messaging still visible in Start Menu but Disabled
Windows.ContactSupport Deny – Contact Support was removed from Start Menu
microsoft.windowscommunicationsapps Deny – Mail and Calendar was Visable but disabled

Potential Issues

If you don't put in the Allow rule then the Start Menu will not function. i.e when you click on the start menu button nothing will happen.
If you push out the policy and the user has already logged in then the application may show a deny message.

Comments

Post a Comment

Popular posts from this blog

Sccm Deploying Problem Driver

Image
Sometimes drivers will not install using sccm's standard driver import so you may have to get a little crazy and create a package that will do the job instead. In this example the problem driver was for AMDA00 Interface device but should work for many other nasty drivers.  Steps to follow to solve the wee issue:- 1. Download driver from windows catalogue if possible, if not what you have will be fine. 2. Import driver manually through compmgmt.msc and selecting to point to driver file manually. 3. Grab driver folder from driverstore in Windows\System32\Driverstore (this will be the new folder by date) 4. Copy driver folder from driverstore to a safe place and delete the driver folder from the driver store. 5. Uninstall driver for problem device so you can test uninstalling and re-installing the driver. 6. Use the following command to install the driver again from the folder you put in a safe place. Pnpuntil.exe /a /i path to .inf file If this works ...
Read more

Dell Latitude 7040 - Enable PXE Boot

Enable PXE Boot In order to get the machine to PXE boot it is necessary to do the following:-              1. Navigate to Settings – Secure Boot – Secure Boot Enabled     Disable Secure Boot         2. Navigate to Settings - General – Advanced Boot Options     Enable Attempt Legacy Boot         3. Navigate to Settings – System Configuration – Integrated NIC                 Select - Enable w/PXE                 Check the – Enable UEFI Network Stack           4. Navigate to Settings - General – Advanced Boot Options                        Boot List Options should be UEFI Start PXE Boot Press F12 on boot and then navigate to the IP4 network boot. Errors If you see the error:- P...
Read more

DWG Trueview 2012

Image
In order to deploy AutoDesk Trueview 2012 for windows 7 you will need to download the source from http://usa.autodesk.com/adsk/servlet/pc/index?siteID=123112&id=9078813. Once you have downloaded the setup files then extract them to your SCCM server using 7 zip.Should look something like below minus the Autodesk.Bat.  Once you have done this make sure you have all the required components on your machine to make it possible to install Trueview 2012. If you dont then download the components you need, in my case I required .Net 4.0. I downloaded the dotNetFx40_Full_x86_x64.exe file and added to my Trueview package under the folder "3rdParty\NET\4\wcu\dotNetFramework\dotNetFx40_Full_x86_x64" You now have all the components you need to complete the install, all that is left to do is create a .bat file to run the .Net 4.0 component then the actual Trueview 2012 install. Below is the command i used within my AutoDesk.Bat:- "3rdParty\NET\4\wcu\dotNetFramework\dotNetF...
Read more