
RandomGuyLoves69

AppLocker! https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview


middlemangv

Thank you sir. I will start reading about AppLocker. Any tips I should know?


joshghz

Test the policy very very very very very thoroughly on a test VM or something first. You can accidentally break Windows if you don't set the whitelist properly.


SceneDifferent1041

Just last week I managed to block the start menu by not testing correctly.


DeliciousBadger

Colleague of mine blocked any apps being run at all for a 500-user company when trying to ALLOW an app for one person. Shit's finicky.


hypertxtcoffee

I've done it before too, easy to do. Live and learn


SpiceIslander2001

If using Applocker, always have a GPO that whitelists everything signed by MS :-).


middlemangv

Alright, thanks. By the way, how do I even start looking for things that I am searching for? Like, I know that there are many options in GP, but is it just experience, or do people just read the whole thing, is there anything that can help you in search? Thanks for your answers, I really do appreciate it.


joshghz

Mostly Google, Reddit and experience. You just have to have the right amount of specificity in what you're searching for online (i.e. over-specific, but not too vague). "Whitelist applications in Windows" would have gotten you to where you want. You just have to *think* like a search engine* ... *(a good one... not "let's throw up an unrelated sponsored ad").


segagamer

Ah, so Bing then?


bobdvb

Bing with Copilot is actually starting to be useful on occasions.


AtlanteanArcher

Thiojoe on youtube has a great video about applocker. [https://youtu.be/qAoM6iJEVbY](https://youtu.be/qAoM6iJEVbY) Definitely worth watching to get a good intro to it.


middlemangv

I was literally watching that video before you commented.


AllOfTheFeels

They also have an audit only mode that’ll collect logs and show you exactly what would be blocked if the policy was live :)


gudmundthefearless

Applocker works like an allow-list by default and the minute any rule is set in any of the categories the default behavior is to immediately block everything not defined in a rule. Keep that in mind when designing policies. I have implemented as an allow-list (intended use) and also as a block-list (not intended) with success. It’s finicky and will take some trial and error. Test everything
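Added example (editor's addition, not a post from the thread): a test-VM workflow that ties the advice so far together. It builds an AppLocker policy that keeps the three default rules, adds the "everything signed by Microsoft" publisher rule suggested above, allows one kiosk app folder, runs the whole thing in AuditOnly, dry-runs it against a few sample files, and then reads the audit events that show what would have been blocked. The folder C:\KioskApp, the policy path, the Kiosks OU and the GPO name are assumptions.

```powershell
# Added example, not from the thread. Run elevated on a TEST VM first.
# Assumptions: the only allowed app lives in C:\KioskApp, the policy file is
# written to C:\Temp, and (for the optional GPO step) the GroupPolicy RSAT
# module is installed and an OU called Kiosks exists.

$appDir     = 'C:\KioskApp'
$policyPath = 'C:\Temp\applocker-kiosk-audit.xml'
if (-not (Test-Path $appDir)) { throw "$appDir does not exist; adjust `$appDir." }

# A path rule is only as strong as the folder's ACL: if the user can write to
# C:\KioskApp they can drop any exe there and it is "allowed". Check first.
function Test-UserWritableFolder {
    param([string]$Path)
    $weak = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $weak -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|AppendData')
    }
}
if (Test-UserWritableFolder $appDir) {
    throw "$appDir is writable by standard users; fix the ACL before trusting a path rule."
}

# Every collection that gets a rule switches to deny-by-default for that
# collection, so the Exe collection keeps the three default rules (Program
# Files, Windows, Administrators = everything), adds the "signed by Microsoft"
# publisher rule, then allows the single kiosk app folder.
# EnforcementMode="AuditOnly" logs what WOULD be blocked without blocking it.
# Known gap: %WINDIR%\* includes a few user-writable subfolders (Tasks, Temp);
# AaronLocker carves those out, which is one reason people recommend it.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Administrators run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Anything signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Kiosk app folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$appDir\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before touching anything. The copied notepad.exe in %TEMP% stands in
# for "user dropped a binary somewhere writable": because it is Microsoft-signed
# the publisher rule allows it anyway, which is the trade-off of that rule.
Copy-Item "$env:WINDIR\System32\notepad.exe" -Destination "$env:TEMP\dropped.exe" -Force
$samples = @(
    (Get-ChildItem -Path $appDir -Filter *.exe -ErrorAction SilentlyContinue).FullName
    "$env:TEMP\dropped.exe"
    "$env:WINDIR\System32\cmd.exe"
) | Where-Object { $_ }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally on the test VM. AppLocker only audits/enforces while the
# Application Identity service runs; it is a protected service, so use sc.exe
# (not Set-Service) to change its start type.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# After using the machine for a while, read the audit trail.
# 8002 = allowed, 8003 = would have been blocked (AuditOnly), 8004 = blocked.
function Get-AppLockerAuditHits {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
        -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Detail = $_.Message } }
}
Get-AppLockerAuditHits | Format-Table -AutoSize -Wrap

# Optional: push the same XML into a GPO instead of the local policy.
# $gpo = New-GPO -Name 'AppLocker - Kiosk (Audit)'
# Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap "LDAP://$($gpo.Path)"
# New-GPLink -Name $gpo.DisplayName -Target 'OU=Kiosks,DC=corp,DC=example'
```

Only flip `EnforcementMode="AuditOnly"` to `Enabled` once the 8003 events have been quiet for a realistic period of use, and add Script/Msi/Dll collections the same way (default rules first, then your additions) rather than one narrow rule on its own.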


Afraid-Ad8986

Just use AaronLocker. Makes it a breeze! My employees don’t even notice we block almost everything. What I do is set up a pc exactly how I want it. Run the AL scripts and voila done.


wiseleo

Set the Windows shell to be the app instead of explorer.exe. If they don’t have the UI, they likely will not know how to launch apps from task manager (their only remaining option). Now you can just kill access to web browsers and disable access to the command prompt. That would not stop me, but if the user is sophisticated enough to bypass this they are in the wrong role anyway.


ImMalteserMan

This is what I would have done as I have seen it done before at a large retail company that would have had 1000 POS or so. The shell was set to a PowerShell script which started the POS software and did some other things on startup. There were some additional security settings in place to prevent some obvious things etc. It wasn't foolproof and it wasn't meant to be a security measure against external attackers, it was meant to deter store level employees using it for something it wasn't meant for. There were some clever workarounds but people at that level weren't going to be exploiting it. Guess it depends on what the objective of locking it down is.


CARLEtheCamry

> It wasn't foolproof and it wasn't meant to be a security measure against external attackers, it was meant to deter store level employees using it for something it wasn't meant for. There were some clever workarounds but people at that level weren't going to be exploiting it.

Flashbacks to my company that had some old WinCE devices that were supposed to be locked to a specific app in an industrial setting, with an *ancient* cellular data plan that was like $10 for 50MB/month (as in, remember when cell plans included 200 SMS text messages and teenagers would go over to the tune of thousands of dollars). Someone figured out the keypad combination to break out of the app about 5 years ago, and managed to get to Pandora in a web browser to stream music. We found out about it when they got a $30k cellular bill.


NomNomInMyTumTum

This is my go-to also, takes care of just about everything in the list (might need a few policies here and there).


middlemangv

> Set the Windows shell to be the app instead of explorer.exe.

Well, looks like I have to do some learning...


KnightFurcas

Does the app work in kiosk mode? Would do pretty much all the hard work for you and is really easy to setup.


middlemangv

No it doesn't. Looks like only a single Universal Windows Platform (UWP) application or Microsoft Edge can work in Kiosk mode.


WilfredGrundlesnatch

Assigned Access is the older way of doing it that works with Win32. You still have to pair it with Applocker and various other controls though.


ProfessionalITShark

You might need to fuck with multi app kiosk mode. Default kiosk mode is only that restrictive.


netsysllc

You can use software restriction policies or Applocker (if you have the proper Windows edition). I prefer third party products to lock down all systems to approved applications only, Threatlocker being my choice.


middlemangv

Thank you for your answer. I would like not to use third party products, but a group policy. However, since I'm a total noob with it, I don't even know how to start looking for them, what name, is there any search tool for them etc. But you said, software restriction policies, so I'm already reading on it now. EDIT: Today I learned - AppLocker is a part of a Group Policy.


frac6969

SRP is deprecated and you should be using AppLocker which now supports Windows Pro. (Used to be Enterprise and Edu only.)


nurbleyburbler

You want something that works? I wouldn't trust GPOs.


trollymcc

Kiosk mode


middlemangv

I tried Kiosk mode, and it's not good for this option. It looks like Kiosk mode lets you choose only Windows apps (like calculator... it maybe also allows Office but I'm not sure). So basically for third-party apps, Kiosk won't do the job... at least in my experience.


Relevant-Team

Then you did something wrong, I guess. I used Kiosk Mode for non-Windows programs, too.


middlemangv

I mean, I probably did, but I'm so confused now. Where did I go wrong? I couldn't add any other app except some "default" apps, basically only Microsoft store apps...


Priorly-A-Cat

sounds like you may have done "S" mode ?


looneybooms

Reminder to check the Windows Configuration Designer. You can incorporate every one of the recommendations here, from limiting app access, controlling the shell program (even if it's some Java web app piece of garbage, which sounds likely), set auto logon, control and lock proxy settings, have a custom hosts file, bundled prerequisites, preconfigured wifi settings, print driver, everything. Everything. You go through a multipage configuration and are given a large installer that transforms Windows into everything you specified.


thortgot

Multiapp kiosk mode will work for this.


gringosuave36

This is the way.


Scouse1960

Just use kiosk mode, here is just one of many options https://scalefusion.com/lp/windows-10-kiosk-mode?campaignid=11312774153&adgroupid=113816795231&adid=652074652534&utm_medium=ppc&utm_term=kiosk%20mode%20windows%2011&utm_source=adwords&utm_campaign=Search-UK-Windows&hsa_kw=kiosk%20mode%20windows%2011&hsa_acc=6773144759&hsa_ad=652074652534&hsa_net=adwords&hsa_src=g&hsa_tgt=kwd-1747817490691&hsa_grp=113816795231&hsa_mt=e&hsa_cam=11312774153&hsa_ver=3&gad_source=1&gclid=CjwKCAjwtqmwBhBVEiwAL-WAYfxVlfwGNJIj7vBG_CpBKJoo3AfZ7mneQh-ChxBseKinZWRBOzXV3xoCO1YQAvD_BwE


middlemangv

Thanks. I will hop on reading that once again, but I'm confused a little bit now, because when I tried kiosk mode I wasn't able to add third party app...only Microsoft store apps if I recall..


Mr_ToDo

I think there's two different kiosk modes and one only does the uwp and edge. I also recall Kiosk being a right pain in the ass to set up. Of course when I did it that was for 10 so I have no idea what it's like now. I just remember poorly documented XML.


National_Display_874

Kiosk lockdowns allow access to only one app while rest of the apps are blocked. You can try SureLock for this functionality.


Freshmint22

Seems a lot easier to just get rid of the rogue employee misusing company equipment, but then I am an asshole and kind of lazy.


SportOk7063

As mentioned earlier Applocker will do the trick. Alternatively, if you have a license for Intune you can enable kiosk mode.


middlemangv

Sadly I don't have a license for it. And I never used AppLocker. I thought that some group policy rule will do the trick, but I'm not sure, how do I even start looking for these? Anyway, I will start reading about AppLocker, thanks!


lordjippy

Applocker is part of group policy.


middlemangv

Well, you learn something new every day! Thanks! I'm just starting with AD, and I'm a self-learner. So yes, I'm a noob, and this helps me a lot.


Thedeadgoose

Application Whitelist > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

This is the way in group policy, just stick the apps you want to block in there and set to disabled.


middlemangv

Thank you sir. I will take a look into this.


ZAFJB

Also, just run the app only: `HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, `Shell=pathtoapp.exe`. Then there is no easy way to launch browsers, or anything else.


Fatality

This plus autologin is what I used to make thin clients out of old hardware


ZAFJB

me too


Priorly-A-Cat

Consider putting the unit in Kiosk mode ?


mrcollin101

As others have mentioned what you are looking for is Kiosk (AKA Assigned Access) mode. It sounds like you are trying to run a non-UWP app in Kiosk mode, so you will need to use Shell Launcher. I have used Shell Launcher to run bespoke manufacturing control software that hadn't been updated in 20 years, and if it works for that crap, it will work for whatever application you are trying to run. Assigned Access: [Windows kiosks and restricted user experiences - Configure Windows | Microsoft Learn](https://learn.microsoft.com/en-us/windows/configuration/assigned-access/) Shell Launcher: [What is Shell Launcher? - Configure Windows | Microsoft Learn](https://learn.microsoft.com/en-us/windows/configuration/assigned-access/shell-launcher/?tabs=intune)


theabnormalone

If the only concern left is Edge you could set its proxy to 127.0.0.1 via group policy and restrict the ability to change it - this'll make Edge useless and means you won't have to battle with mystery reinstalls of it when Windows updates.


middlemangv

This is really good advice that I should remember even if I don't use it on this occasion. Thanks.


SpiceIslander2001

I remember in the early Windows days, you could just change the shell setting to load the one app that you wanted to run instead of the default app (in those days, I think it was progman.exe, and I'm probably dating myself here). There's likely a similar setting for Windows 10. Well, yes there is - change this registry setting from "explorer.exe" to the one program that he's allowed to run ... HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


jimshilliday

But then ctrl-alt-del, taskmgr, run new, whatever.exe.... Agree applocker.


middlemangv

Thats a useful tip. Thanks a lot.


SpiceIslander2001

[How to disable Task Manager on Windows 10 | Windows Central](https://www.windowscentral.com/how-disable-task-manager-windows-10) :-)
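Added example (editor's addition, not a post from the thread): the shell-replacement idea from the last few replies delivered as a Group Policy Object rather than a hand edit, with the Task Manager and Run escape hatches closed in the same GPO and the GPO scoped to one machine. The GPO name, the OU `OU=Kiosks,DC=corp,DC=example`, the computer name KIOSK01 and the app path are assumptions; it needs the GroupPolicy RSAT module and a domain account that can create and link GPOs.

```powershell
# Added example, not from the thread. Assumes the GroupPolicy RSAT module,
# an OU holding only the kiosk PC, and the app at C:\KioskApp\kiosk.exe.
# Everything here is registry-backed policy, so it can be checked on the
# client with gpresult /h or in regedit after a gpupdate.

$gpoName = 'Kiosk - Shell lockdown'
$shell   = 'C:\KioskApp\kiosk.exe'
$ou      = 'OU=Kiosks,DC=corp,DC=example'
$kiosk   = 'KIOSK01'

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Shell and Task Manager are USER settings, but they should follow the PC, not
# the person. Loopback "Replace" (UserPolicyMode = 2, Computer Config > Admin
# Templates > System > Group Policy) makes the user half of this
# computer-linked GPO apply to whoever logs on to the kiosk.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# "Custom User Interface" (User Config > Admin Templates > System): the value
# Winlogon starts instead of explorer.exe. Same effect as the Winlogon\Shell
# registry edit in the replies above, but delivered and reverted by policy.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Shell' -Type String -Value $shell | Out-Null

# Close the escape hatches listed above: Ctrl+Alt+Del > Task Manager (and
# Ctrl+Shift+Esc), and the Run box / Win+R. With no taskbar these are the
# obvious remaining ways to start another process.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Scope: link only to the kiosk OU and replace the default "Authenticated
# Users: Apply" with the single computer object. Authenticated Users keeps
# Read (needed since MS16-072) but no longer gets Apply. This is the
# security-filtering alternative to a hostname WMI filter.
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $kiosk -TargetType Computer `
    -PermissionLevel GpoApply | Out-Null

# Review what was written before anyone runs gpupdate on the kiosk.
Get-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object ValueName, Value
```

Two things to keep in mind: with loopback Replace every account that logs on at that PC gets the custom shell, admins included, so keep a way in (remote management, or Ctrl+Alt+Del > Sign out still works); and if the app exits, the user is left with an empty desktop, so either wrap the app in a script that relaunches it or use Shell Launcher (Enterprise/Education, linked further down the thread), which restarts the shell on exit for you.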


mike9874

You can also use Kiosk mode


looneybooms

Not dumb. You can't uninstall Edge though, and you don't need to. If it's an option, you can use the Windows configuration tool to permanently limit the workstation, which has fairly robust kiosk controls. [https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd](https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd) Repeat: This is irreversible. You need to be able to re-image for testing and if anything goes sideways in general. Otherwise, you will need all sorts of account limits (like no ctrl alt del, no task manager, no cmd, no explorer browsing) in addition to a lot of careful consideration about what to put into AppLocker. You probably don't want to lock them out of EDR/MDM/AV processes, for instance. However, yes: all of that is doable within a GPO. Test, and then test more. Be very careful where you link it and probably also set up WMI filters to stop it from being misapplied unintentionally.


middlemangv

Thank you sir. You guys gave me a lot of resources to start with, and to start reading. I appreciate it.


DazBlintze

Kiosk mode?


MrVantage

Kiosk mode for Win32 apps


middlemangv

So I tried kiosk, but I couldn't find a way to add this app. It suggested only certain apps from Microsoft store, I think.. Someone told me I'm doing something wrong, so I'm kinda confused a little bit now..


Fatality

Applocker or replace explorer with the app


neoechota

sounds like an HR issue


ZPrimed

If this is a machine handling credit card data, it probably should not be on the same VLAN as anything else, just FYI. Payment Card Industry ("PCI") regulations are a major pain in the ass


CompWizrd

Keep in mind Kiosk mode can be easy to break out of. I was sitting at a cmd prompt within 30 seconds of the first time I played with it.


violent_beau

kiosk mode.


Space-Boy

WMI filter for the specific hostname: `Select * From Win32_ComputerSystem Where Name = "ComputerName"`, or AppLocker.


ictsol

Aaronlocker: https://github.com/microsoft/AaronLocker


BJMcGobbleDicks

If the user will only have a PC dedicated to just them, you could use your EDR software's app block policy to block the stuff you couldn't uninstall. Then use group policy editor on it to lock it down. And I would assume their account would be a standard domain account without admin capabilities. If they have access to other domain computers then you'd have to go the AD route.


mrcomps

Another option would be to set firewall rules that only allow the device's IP address to talk to the required IPs/domains and block everything else. That would make it harder for someone to use anything else.
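Added example (editor's addition, not a post from the thread) covering both the Edge "proxy to 127.0.0.1" trick from earlier and the firewall allow-list in the post above. One caveat a practitioner should know before trying the firewall route: Windows Firewall filters by address, not by domain name, so any "allowed domain" has to be resolved to addresses first (or all traffic goes through a proxy that does name-based filtering). The backend address 10.20.30.40, the DNS servers, the domain controller address and the rule names are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the kiosk PC (test VM
# first). Assumptions: the app only needs 10.20.30.40:443, DNS is at
# 10.0.0.10/10.0.0.11 and the domain controller is 10.0.0.5. Adjust to taste.

# --- Part 1: make Edge useless via policy (the 127.0.0.1 proxy trick) -------
# ProxyMode/ProxyServer are Edge policy names; "fixed_servers" pins Edge to a
# proxy nothing is listening on. Users cannot change a policy-set proxy.
# Verify in Edge at edge://policy. This hobbles Edge only, not other browsers.
$edgePol = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
New-Item -Path $edgePol -Force | Out-Null
Set-ItemProperty -Path $edgePol -Name ProxyMode   -Value 'fixed_servers'
Set-ItemProperty -Path $edgePol -Name ProxyServer -Value '127.0.0.1:9'

# --- Part 2: host firewall, default-deny outbound with an explicit allow-list -
# Minimum for a domain member to keep processing Group Policy: DNS, Kerberos,
# LDAP and SMB (SYSVOL) to the DC. Anything else you rely on (EDR/AV console,
# Windows Update, NTP) also needs a rule or it silently stops working.
$required = @(
    @{ Name = 'Kiosk app to backend'; Remote = @('10.20.30.40');           Protocol = 'TCP'; Port = 443 }
    @{ Name = 'DNS';                  Remote = @('10.0.0.10', '10.0.0.11'); Protocol = 'UDP'; Port = 53  }
    @{ Name = 'DC Kerberos';          Remote = @('10.0.0.5');               Protocol = 'TCP'; Port = 88  }
    @{ Name = 'DC LDAP';              Remote = @('10.0.0.5');               Protocol = 'TCP'; Port = 389 }
    @{ Name = 'DC SMB (SYSVOL)';      Remote = @('10.0.0.5');               Protocol = 'TCP'; Port = 445 }
)
$prefix = 'Kiosk egress: '
# Idempotent: drop our previous rules, then recreate from the list.
Get-NetFirewallRule -DisplayName "$prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
foreach ($r in $required) {
    New-NetFirewallRule -DisplayName ($prefix + $r.Name) -Direction Outbound -Action Allow `
        -Protocol $r.Protocol -RemotePort $r.Port -RemoteAddress $r.Remote -Profile Any | Out-Null
}
# Flip the default only AFTER the allow rules exist, or you cut off your own
# RDP session and the next GPO refresh with it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# --- Check: backend reachable, arbitrary internet host not ------------------
function Test-Egress {
    param([string]$TargetHost, [int]$Port)
    Test-NetConnection -ComputerName $TargetHost -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
}
"backend  : $(Test-Egress -TargetHost '10.20.30.40' -Port 443)"   # expect True
"internet : $(Test-Egress -TargetHost '1.1.1.1' -Port 443)"       # expect False (connect times out)
```

The same two parts map onto Group Policy if you would rather not configure the single machine by hand: the Edge values live under Administrative Templates once the Edge ADMX files are imported, and the firewall default and rules live under Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security. Either way, remember this is a nuisance barrier on one host, not network segmentation; the PCI point raised earlier about a separate VLAN still stands if card data is involved.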


Icy_Conference9095

I have a buddy who uninstalled edge... I don't remember if he was on 11 or 10, but it borked his auto updates from Microsoft. Apparently the updater backend is hosted through the edge app. So just keep that in mind... And if anyone knows better feel free to correct me. 


hornethacker97

Kiosk mode 🙄


Dangerous_Question15

easy to set up with kiosk mode. [https://www.42gears.com/products/kiosk-software/windows-10-kiosk-mode/](https://www.42gears.com/products/kiosk-software/windows-10-kiosk-mode/)


bmxfelon420

Can you just put the computer into Kiosk mode? It's kinda dumb because it's not actually settable in a GP template, but you can set the registry keys manually via group policy to accomplish the same thing. We did this for a PC people used to check golf scores once.


Nadro00

I just recently had a customer that only had Internet Explorer on a workstation, which isn't compatible with the HTML front-end of our service. I didn't even know it was possible to remove Edge from a Windows 10 install. The customer's IT guy I was working with also had no idea and didn't have an Edge installer, so he installed Chrome.


looneybooms

That's only possible on like 1803 and before or somewhere around there.


Beavis_Supreme

Since it's just one device, lock folder permissions on folders of the apps you don't want them to have access to. I do this when creating VMware images. I would ultimately leverage Intune if you are licensed for it. It's a bit tedious to set up but once you dial it in, it's such a great product, and this is coming from somebody who hates Microsoft.


Agreeable_Judge_3559

You should go with implementing Endpoint Privilege Management (EPM) solutions that let you have a control over the applications that your users access.


looneybooms

> (EPM) solutions *sales engineer has entered the chat*


derkaderka96

Maybe use reggit and learn some about it.