How to Control Windows Store Apps in Windows 8/8.1 With AppLocker

May 27


Rossy Guide

Rossy Guide

  • Share this article on Facebook
  • Share this article on Twitter
  • Share this article on Linkedin

AppLocker is only available in Windows 8+ Enterprise and Windows Server 2012+. AppLocker in Windows 8 gives IT complete control over which desktop and Windows Store apps users can run, and Windows Store apps are even easier to manage than desktop apps.


Using the Group Policy Management Console (GPMC) on a Windows 8+ management station,How to Control Windows Store Apps in Windows 8/8.1 With AppLocker Articles we’ll need to edit an existing Group Policy Object (GPO) for our AppLocker policies that applies to Computer objects. In the GPO, find your way to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker.

Under AppLocker, you’ll see the areas for Executable Rules, Windows Installer Rules, Script Rules, and the new Packaged app Rules.

Creating the default rule:

  • Right-click on Packaged app Rules and choose Create Default Rules. Now you’ll have a default rule that allows all users to run any packaged app on the system.

Creating additional rules:

  • After Creating New Rule, click Next to bypass the Before You Begin screen and go to the Permissions screen. Here, you can choose whether the packaged app will be whitelisted (Allow) or blacklisted (Deny) along with which users can run the app.
  • Click Next after choosing your options.
  • From the Publisher screen, click the Select button to see a list of packaged apps on the computer.
  • Now select the blocking application and then click OK. in the other areas of AppLocker, you can use the slider to choose publisher, package name, or package version.
  • Using the Publisher option is good if you want to allow/block apps from a specific vendor. Click Next when you’re finished with the publisher options to go to the Exceptions
  • Then click Next to advance to the Name screen. Set a name for the AppLocker rule and click Create.

Turning on AppLocker:

  • Right-click AppLocker in the same area we’ve been working in the GPO and choose Properties.
  • Click the Configured checkbox and set the pull-down to Enforce Click OK to save the settings.


If we run a quick gpupdate.exe on our test system, we can try running the OneDrive packaged app to see what happens.

Warnings about deny by default:

If you’re planning on denying all packaged apps by default and only allowing end users to run specific apps. So make sure you set an Allow rule for some of the default applications. Specifically, the PC settings app and the operating system needs the PC settings app, but other apps, such as Check Point VPN or F5 VPN, may be necessary in your environment as well. You may also need to remove packaged apps when you deploy Windows 8.x to computers so that end users don’t have tiles or shortcuts for apps they can’t use.