--- title: AppLocker CSP description: Learn more about the AppLocker CSP. ms.date: 01/18/2024 --- # AppLocker CSP The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There's no user interface shown for apps that are blocked. The following list shows the AppLocker configuration service provider nodes: - ./Vendor/MSFT/AppLocker - [ApplicationLaunchRestrictions](#applicationlaunchrestrictions) - [{Grouping}](#applicationlaunchrestrictionsgrouping) - [CodeIntegrity](#applicationlaunchrestrictionsgroupingcodeintegrity) - [Policy](#applicationlaunchrestrictionsgroupingcodeintegritypolicy) - [DLL](#applicationlaunchrestrictionsgroupingdll) - [EnforcementMode](#applicationlaunchrestrictionsgroupingdllenforcementmode) - [NonInteractiveProcessEnforcement](#applicationlaunchrestrictionsgroupingdllnoninteractiveprocessenforcement) - [Policy](#applicationlaunchrestrictionsgroupingdllpolicy) - [EXE](#applicationlaunchrestrictionsgroupingexe) - [EnforcementMode](#applicationlaunchrestrictionsgroupingexeenforcementmode) - [NonInteractiveProcessEnforcement](#applicationlaunchrestrictionsgroupingexenoninteractiveprocessenforcement) - [Policy](#applicationlaunchrestrictionsgroupingexepolicy) - [MSI](#applicationlaunchrestrictionsgroupingmsi) - [EnforcementMode](#applicationlaunchrestrictionsgroupingmsienforcementmode) - [Policy](#applicationlaunchrestrictionsgroupingmsipolicy) - [Script](#applicationlaunchrestrictionsgroupingscript) - [EnforcementMode](#applicationlaunchrestrictionsgroupingscriptenforcementmode) - [Policy](#applicationlaunchrestrictionsgroupingscriptpolicy) - [StoreApps](#applicationlaunchrestrictionsgroupingstoreapps) - [EnforcementMode](#applicationlaunchrestrictionsgroupingstoreappsenforcementmode) - [Policy](#applicationlaunchrestrictionsgroupingstoreappspolicy) - [EnterpriseDataProtection](#enterprisedataprotection) - [{Grouping}](#enterprisedataprotectiongrouping) - [EXE](#enterprisedataprotectiongroupingexe) - [Policy](#enterprisedataprotectiongroupingexepolicy) - [StoreApps](#enterprisedataprotectiongroupingstoreapps) - [Policy](#enterprisedataprotectiongroupingstoreappspolicy) - [FamilySafety](#familysafety) - [{Grouping}](#familysafetygrouping) - [EXE](#familysafetygroupingexe) - [EnforcementMode](#familysafetygroupingexeenforcementmode) - [Policy](#familysafetygroupingexepolicy) - [StoreApps](#familysafetygroupingstoreapps) - [EnforcementMode](#familysafetygroupingstoreappsenforcementmode) - [Policy](#familysafetygroupingstoreappspolicy) - [LaunchControl](#launchcontrol) - [{Grouping}](#launchcontrolgrouping) - [EXE](#launchcontrolgroupingexe) - [EnforcementMode](#launchcontrolgroupingexeenforcementmode) - [Policy](#launchcontrolgroupingexepolicy) - [StoreApps](#launchcontrolgroupingstoreapps) - [EnforcementMode](#launchcontrolgroupingstoreappsenforcementmode) - [Policy](#launchcontrolgroupingstoreappspolicy) ## ApplicationLaunchRestrictions | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions ``` Defines restrictions for applications. > [!NOTE] > When you create a list of allowed apps, all [inbox apps](#inbox-apps-and-components) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. > > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there's no requirement on the exact value of the node. > [!NOTE] > The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the `AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy` URI. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Get | ### ApplicationLaunchRestrictions/{Grouping} | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping} ``` Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | | Dynamic Node Naming | ServerGeneratedUniqueIdentifier | #### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/CodeIntegrity/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. This will need to be Base64 encoded. > [!NOTE] > To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker CSP. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `b64` | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | #### ApplicationLaunchRestrictions/{Grouping}/DLL | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL ``` Defines restrictions for processing DLL files. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/NonInteractiveProcessEnforcement ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/DLL/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/DLL/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### ApplicationLaunchRestrictions/{Grouping}/EXE | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE ``` Defines restrictions for launching executable applications. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/NonInteractiveProcessEnforcement ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/EXE/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/EXE/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### ApplicationLaunchRestrictions/{Grouping}/MSI | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI ``` Defines restrictions for executing Windows Installer files. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/MSI/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/MSI/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### ApplicationLaunchRestrictions/{Grouping}/Script | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script ``` Defines restrictions for running scripts. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/Script/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/Script/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### ApplicationLaunchRestrictions/{Grouping}/StoreApps | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps ``` Defines restrictions for running apps from the Microsoft Store. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | ## EnterpriseDataProtection | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/EnterpriseDataProtection ``` Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in ./Device/Vendor/MSFT/EnterpriseDataProtection in EnterpriseDataProtection CSP. In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. You can set the allowed list using the following URI: - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. The "EdpExempt" keyword is also evaluated in a case-insensitive manner: - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy Exempt examples: - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy - ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy Additional information: - [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Get | ### EnterpriseDataProtection/{Grouping} | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping} ``` Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define. Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | | Dynamic Node Naming | ServerGeneratedUniqueIdentifier | #### EnterpriseDataProtection/{Grouping}/EXE | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE ``` Defines restrictions for launching executable applications. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### EnterpriseDataProtection/{Grouping}/EXE/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/EXE/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### EnterpriseDataProtection/{Grouping}/StoreApps | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps ``` Defines restrictions for running apps from the Microsoft Store. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### EnterpriseDataProtection/{Grouping}/StoreApps/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/{Grouping}/StoreApps/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | ## FamilySafety | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Get | ### FamilySafety/{Grouping} | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping} ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | | Dynamic Node Naming | ServerGeneratedUniqueIdentifier | #### FamilySafety/{Grouping}/EXE | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### FamilySafety/{Grouping}/EXE/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### FamilySafety/{Grouping}/EXE/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/EXE/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### FamilySafety/{Grouping}/StoreApps | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### FamilySafety/{Grouping}/StoreApps/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | ##### FamilySafety/{Grouping}/StoreApps/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/FamilySafety/{Grouping}/StoreApps/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Add, Delete, Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | ## LaunchControl | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Get | ### LaunchControl/{Grouping} | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping} ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | | Dynamic Node Naming | ServerGeneratedUniqueIdentifier | #### LaunchControl/{Grouping}/EXE | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### LaunchControl/{Grouping}/EXE/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Get, Replace | ##### LaunchControl/{Grouping}/EXE/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/EXE/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | #### LaunchControl/{Grouping}/StoreApps | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps ``` **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `node` | | Access Type | Add, Delete, Get, Replace | ##### LaunchControl/{Grouping}/StoreApps/EnforcementMode | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/EnforcementMode ``` The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection). **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Get, Replace | ##### LaunchControl/{Grouping}/StoreApps/Policy | Scope | Editions | Applicable OS | |:--|:--|:--| | ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1511 [10.0.10586] and later | ```Device ./Vendor/MSFT/AppLocker/LaunchControl/{Grouping}/StoreApps/Policy ``` Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy. **Description framework properties**: | Property name | Property value | |:--|:--| | Format | `chr` (string) | | Access Type | Get, Replace | | Reboot Behavior | Automatic | | Allowed Values | See [Policy XSD Schema](#policy-xsd-schema) | ## Policy XSD Schema ```xml ``` ## File Publisher Rules The following table shows the mapping of information to the AppLocker publisher rule field. |Device portal data|AppLocker publisher rule field| |--- |--- | |PackageFullName|ProductName: The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.| |Publisher|Publisher| |Version|Version

The version can be used either in the HighSection or LowSection of the BinaryVersionRange.

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version- independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.| Here's an example AppLocker publisher rule: ```xml ``` You can get the publisher name and product name of apps using either `Get-AppxPackage` PowerShell cmdlet or [Windows Device Portal](/windows/uwp/debug-test-perf/device-portal-desktop). ## Settings apps that rely on splash apps These apps are blocked unless they're explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps. The product name is first part of the PackageFullName followed by the version number. | Settings app name | PackageFullName or Product name | ProductID | |------------------------------------|-------------------------------------------------------------------------|--------------------------------------| | Work or school account | Microsoft.AAD.BrokerPlugin | e5f8b2c4-75ae-45ee-9be8-212e34f77747 | | Email and accounts | Microsoft.AccountsControl | 39cf127b-8c67-c149-539a-c02271d07060 | | SettingsPageKeyboard | 5b04b775-356b-4aa0-aaf8-6491ffea5608\_1.1.0.0\_neutral\_\_cw8ffb7c56vgc | 5b04b775-356b-4aa0-aaf8-6491ffea5608 | | SettingsPageTimeRegion | 5b04b775-356b-4aa0-aaf8-6491ffea560c\_1.0.0.0\_neutral\_\_gqhq4qhgje4fw | 5b04b775-356b-4aa0-aaf8-6491ffea560c | | SettingsPagePCSystemBluetooth | 5b04b775-356b-4aa0-aaf8-6491ffea5620\_1.0.0.0\_neutral\_\_nvaj48k0z8te8 | 5b04b775-356b-4aa0-aaf8-6491ffea5620 | | SettingsPageNetworkAirplaneMode | 5b04b775-356b-4aa0-aaf8-6491ffea5621\_1.0.0.0\_neutral\_\_f73kmnfsk0aj2 | 5b04b775-356b-4aa0-aaf8-6491ffea5621 | | SettingsPageNetworkWiFi | 5b04b775-356b-4aa0-aaf8-6491ffea5623\_1.0.0.0\_neutral\_\_a3jhh70a240gm | 5b04b775-356b-4aa0-aaf8-6491ffea5623 | | SettingsPageNetworkInternetSharing | 5b04b775-356b-4aa0-aaf8-6491ffea5629\_1.0.0.0\_neutral\_\_yqcw9dmx6t3pe | 5b04b775-356b-4aa0-aaf8-6491ffea5629 | | SettingsPageAccountsWorkplace | 5b04b775-356b-4aa0-aaf8-6491ffea562a\_1.0.0.0\_neutral\_\_q1wjbr14bc3d0 | 5b04b775-356b-4aa0-aaf8-6491ffea562a | | SettingsPageRestoreUpdate | 5b04b775-356b-4aa0-aaf8-6491ffea5640\_1.0.0.0\_neutral\_\_j77gbj5kz730y | 5b04b775-356b-4aa0-aaf8-6491ffea5640 | | SettingsPageKidsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea5802\_1.0.0.0\_neutral\_\_1wmss2z3sft8c | 5b04b775-356b-4aa0-aaf8-6491ffea5802 | | SettingsPageDrivingMode | 5b04b775-356b-4aa0-aaf8-6491ffea5804\_1.0.0.0\_neutral\_\_t553967svy34g | 5b04b775-356b-4aa0-aaf8-6491ffea5804 | | SettingsPageTimeLanguage | 5b04b775-356b-4aa0-aaf8-6491ffea5808\_1.0.0.0\_neutral\_\_ecxasj38g8ynw | 5b04b775-356b-4aa0-aaf8-6491ffea5808 | | SettingsPageAppsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a | | SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | ## Inbox apps and components The following list shows the apps that may be included in the inbox. > [!NOTE] > This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. |App|Product ID|Product name| |--- |--- |--- | |3D Viewer|f41647c9-d567-4378-b2ab-7924e5a152f3|Microsoft.Microsoft3DViewer (Added in Windows 10, version 1703)| |Advanced info|b6e3e590-9fa5-40c0-86ac-ef475de98e88|b6e3e590-9fa5-40c0-86ac-ef475de98e88| |Age out worker|09296e27-c9f3-4ab9-aa76-ecc4497d94bb|| |Alarms and clock|44f7d2b4-553d-4bec-a8b7-634ce897ed5f|Microsoft.WindowsAlarms| |App downloads|20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac|| |Assigned access lock app|b84f4722-313e-4f85-8f41-cf5417c9c5cb|| |Bing lock images|5f28c179-2780-41df-b966-27807b8de02c|| |Block and filter|59553c14-5701-49a2-9909-264d034deb3d|| |Broker plug-in (same as Work or school account)||Microsoft.AAD.BrokerPlugin| |Calculator|b58171c6-c70c-4266-a2e8-8f9c994f4456|Microsoft.WindowsCalculator| |Camera|f0d8fefd-31cd-43a1-a45a-d0276db069f1|Microsoft.WindowsCamera| |CertInstaller|4c4ad968-7100-49de-8cd1-402e198d869e|| |Color profile|b08997ca-60ab-4dce-b088-f92e9c7994f3|| |Connect|af7d2801-56c0-4eb1-824b-dd91cdf7ece5|Microsoft.DevicesFlow| |Contact Support|0db5fcff-4544-458a-b320-e352dfd9ca2b|Windows.ContactSupport| |Cortana|fd68dcf4-166f-4c55-a4ca-348020f71b94|Microsoft.Windows.Cortana| |Cortana Listen UI||CortanaListenUI| |Credentials Dialog Host||Microsoft.CredDialogHost| |Device Portal PIN UX||holopairingapp| |Email and accounts|39cf127b-8c67-c149-539a-c02271d07060|Microsoft.AccountsControl| |Enterprise installs app|da52fa01-ac0f-479d-957f-bfe4595941cb|| |Equalizer|373cb76e-7f6c-45aa-8633-b00e85c73261|| |Excel|ead3e7c0-fae6-4603-8699-6a448138f4dc|Microsoft.Office.Excel| |Facebook|82a23635-5bd9-df11-a844-00237de2db9e|Microsoft.MSFacebook| |Field Medic|73c58570-d5a7-46f8-b1b2-2a90024fc29c|| |File Explorer|c5e2524a-ea46-4f67-841f-6a9465d9d515|c5e2524a-ea46-4f67-841f-6a9465d9d515| |FM Radio|f725010e-455d-4c09-ac48-bcdef0d4b626|f725010e-455d-4c09-ac48-bcdef0d4b626| |Get Started|b3726308-3d74-4a14-a84c-867c8c735c3c|Microsoft.Getstarted| |Glance|106e0a97-8b19-42cf-8879-a8ed2598fcbb|| |Groove Music|d2b6a184-da39-4c9a-9e0a-8b589b03dec0|Microsoft.ZuneMusic| |Hands-Free Activation|df6c9621-e873-4e86-bb56-93e9f21b1d6f|| |Hands-Free Activation|72803bd5-4f36-41a4-a349-e83e027c4722|| |HAP update background worker|73c73cdd-4dea-462c-bd83-fa983056a4ef|| |Holographic Shell||HoloShell| |Lumia motion data|8fc25fd2-4e2e-4873-be44-20e57f6ec52b|| |Maps|ed27a07e-af57-416b-bc0c-2596b622ef7d|Microsoft.WindowsMaps| |Messaging|27e26f40-e031-48a6-b130-d1f20388991a|Microsoft.Messaging| |Microsoft account|3a4fae89-7b7e-44b4-867b-f7e2772b8253|Microsoft.CloudExperienceHost| |Microsoft Edge|395589fb-5884-4709-b9df-f7d558663ffd|Microsoft.MicrosoftEdge| |Microsoft Frameworks|ProductID = 00000000-0000-0000-0000-000000000000 PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"|| |Migration UI||MigrationUIApp| |MiracastView|906beeda-b7e6-4ddc-ba8d-ad5031223ef9|906beeda-b7e6-4ddc-ba8d-ad5031223ef9| |Mixed Reality Portal||Microsoft.Windows.HolographicFirstRun| |Money|1e0440f1-7abf-4b9a-863d-177970eefb5e|Microsoft.BingFinance| |Movies and TV|6affe59e-0467-4701-851f-7ac026e21665|Microsoft.ZuneVideo| |Music downloads|3da8a0c1-f7e5-47c0-a680-be8fd013f747|| |Navigation bar|2cd23676-8f68-4d07-8dd2-e693d4b01279|| |Network services|62f172d1-f552-4749-871c-2afd1c95c245|| |News|9c3e8cad-6702-4842-8f61-b8b33cc9caf1|Microsoft.BingNews| |OneDrive|ad543082-80ec-45bb-aa02-ffe7f4182ba8|Microsoft.MicrosoftSkydrive| |OneNote|ca05b3ab-f157-450c-8c49-a1f127f5e71d|Microsoft.Office.OneNote| |Outlook Calendar and Mail|a558feba-85d7-4665-b5d8-a2ff9c19799b|Microsoft.WindowsCommunicationsApps| |People|60be1fb8-3291-4b21-bd39-2221ab166481|Microsoft.People| |Phone|5b04b775-356b-4aa0-aaf8-6491ffea5611|5b04b775-356b-4aa0-aaf8-6491ffea5611| |Phone (dialer)|f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7|Microsoft.CommsPhone| |Phone reset dialog|2864278d-09b5-46f7-b502-1c24139ecbdd|| |Photos|fca55e1b-b9a4-4289-882f-084ef4145005|Microsoft.Windows.Photos| |Podcasts|c3215724-b279-4206-8c3e-61d1a9d63ed3|Microsoft.MSPodcast| |Podcast downloads|063773e7-f26f-4a92-81f0-aa71a1161e30|| |PowerPoint|b50483c4-8046-4e1b-81ba-590b24935798|Microsoft.Office.PowerPoint| |PrintDialog|0d32eeb1-32f0-40da-8558-cea6fcbec4a4|Microsoft.PrintDialog| |Purchase dialog|c60e79ca-063b-4e5d-9177-1309357b2c3f|| |Rate your device|aec3bfad-e38c-4994-9c32-50bd030730ec|| |RingtoneApp.WindowsPhone|3e962450-486b-406b-abb5-d38b4ee7e6fe|Microsoft.Tonepicker| |Save ringtone|d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b|| |Settings|2a4e62d8-8809-4787-89f8-69d0f01654fb|2a4e62d8-8809-4787-89f8-69d0f01654fb| |Settings||SystemSettings| |Setup wizard|07d87655-e4f0-474b-895a-773790ad4a32|| |Sharing|b0894dfd-4671-4bb9-bc17-a8b39947ffb6|| |Sign in for Windows 10 Holographic||WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn| |Skype|c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51|Microsoft.SkypeApp| |Skype Video|27e26f40-e031-48a6-b130-d1f20388991a|Microsoft.Messaging| |Sports|0f4c8c7e-7114-4e1e-a84c-50664db13b17|Microsoft.BingSports| |SSMHost|e232aa77-2b6d-442c-b0c3-f3bb9788af2a|| |Start|5b04b775-356b-4aa0-aaf8-6491ffea5602|5b04b775-356b-4aa0-aaf8-6491ffea5602| |Storage|5b04b775-356b-4aa0-aaf8-6491ffea564d|5b04b775-356b-4aa0-aaf8-6491ffea564d| |Store|7d47d89a-7900-47c5-93f2-46eb6d94c159|Microsoft.WindowsStore| |Touch (gestures and touch)|bbc57c87-46af-4c2c-824e-ac8104cceb38|| |Voice recorder|7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0|Microsoft.WindowsSoundRecorder| |Wallet|587a4577-7868-4745-a29e-f996203f1462|Microsoft.MicrosoftWallet| |Wallet|12ae577e-f8d1-4197-a207-4d24c309ff8f|Microsoft.Wallet| |Weather|63c2a117-8604-44e7-8cef-df10be3a57c8|Microsoft.BingWeather| |Windows default lock screen|cdd63e31-9307-4ccb-ab62-1ffa5721b503|| |Windows Feedback|7604089d-d13f-4a2d-9998-33fc02b63ce3|Microsoft.WindowsFeedback| |Word|258f115c-48f4-4adb-9a68-1387e634459b|Microsoft.Office.Word| |Work or school account|e5f8b2c4-75ae-45ee-9be8-212e34f77747|Microsoft.AAD.BrokerPlugin| |Xbox|b806836f-eebe-41c9-8669-19e243b81b83|Microsoft.XboxApp| |Xbox identity provider|ba88225b-059a-45a2-a8eb-d3580283e49d|Microsoft.XboxIdentityProvider| ## Allowlist examples The following example disables the calendar application. ```xml $CmdID$ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions chr text/plain ``` The following example blocks the usage of the map application. ```xml $CmdID$ ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/AppLockerPhoneGroup0/StoreApps/Policy chr ``` The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app. ```xml $CmdID$ ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions chr text/plain > ``` In this example, **MobileGroup0** is the node name. We recommend using a GUID for this node. ```xml 1 ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0 2 ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0/StoreApps 3 ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0/StoreApps/Policy chr ``` ## Example for Windows 10 Holographic for Business The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inbox-apps-and-components) to enable a working device, and Settings. ```xml ``` ## Recommended blocklist for Windows Information Protection The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. In this example, Contoso is the node name. We recommend using a GUID for this node. ```xml 1 ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso 2 ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso/EXE 3 ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso/EXE/Policy chr ``` ## Related articles [Configuration service provider reference](configuration-service-provider-reference.md)