“This program is blocked by group policy. For more information, contact your system administrator.” Sometimes it can be really difficult to figure out which group policy prevents you from making system changes, since most group policies available in Local Group Policy Editor are not applied by default. Sometimes things would get a bit sticky if you are failed to launch or install software and application, you may get a message “ This Program is Blocked by Group Policy ” error on Windows 10. No worries, this error may be caused by Group policy restriction. You can walk through three simple ways below to fix it. Fix This Program Is Blocked by Group Policy After understanding the problem and reason behind the issue lets perform bellow steps to get rid of This Program Is Blocked by Group Policy error on windows 10/8.1 and 7 computers. Create A system restore point is best to exercise before Apply bellow solutions. Run CCleaner and Malwarebytes. Main cause of Windows 10 Apps and Software Installation Blocked Error: This problem is primarily due to the SmartScreen feature of Windows 10. Windows 10 is very strict in terms of security. If Windows 10 seems to have an unauthorized App or Software on the system and that cannot be trusted.

Applies to

• Windows 10
• Windows Server

Install Group Policy Windows 10

This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.

In this section

The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence.

When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied.

Rule collections

The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.

Important: If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.

When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used.

The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see DLL rule collections.

EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file.

Rule conditions

Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash.

• Publisher: Identifies an app based on its digital signature
• Path: Identifies an app by its location in the file system of the computer or on the network
• File hash: Represents the system computed cryptographic hash of the identified file

Publisher

This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.

Note: Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.

Note: Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files.

When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (*) in the product, file name, or version number fields.

Note: To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the Use custom values check box. When this check box is selected, you cannot use the slider.

The File version and Package version control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:

• Exactly. The rule applies only to this version of the app
• And above. The rule applies to this version and all later versions.
• And below. The rule applies to this version and all earlier versions.

The following table describes how a publisher condition is applied.

Path

This rule condition identifies an application by its location in the file system of the computer or on the network.

AppLocker uses custom path variables for well-known paths, such as Program Files and Windows.

The following table details these path variables.

Important: Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile.

File hash

When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules.

AppLocker default rules

This Program Is Blocked By Group Policy Windows 10 Fix

AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see Understanding AppLocker default rules, and for steps, see Create AppLocker default rules.

Executable default rule types include:

• Allow members of the local Administrators group to run all apps.
• Allow members of the Everyone group to run apps that are located in the Windows folder.
• Allow members of the Everyone group to run apps that are located in the Program Files folder.

Script default rule types include:

• Allow members of the local Administrators group to run all scripts.
• Allow members of the Everyone group to run scripts that are located in the Program Files folder.
• Allow members of the Everyone group to run scripts that are located in the Windows folder.

Windows Installer default rule types include:

• Allow members of the local Administrators group to run all Windows Installer files.
• Allow members of the Everyone group to run all digitally signed Windows Installer files.
• Allow members of the Everyone group to run all Windows Installer files that are located in the WindowsInstaller folder.

DLL default rule types:

• Allow members of the local Administrators group to run all DLLs.
• Allow members of the Everyone group to run DLLs that are located in the Program Files folder.
• Allow members of the Everyone group to run DLLs that are located in the Windows folder.

Packaged apps default rule types:

• Allow members of the Everyone group to install and run all signed packaged apps and packaged app installers.

AppLocker rule behavior

If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in %SystemDrive%FilePath to run, only executable files located in that path are allowed to run.

A rule can be configured to use allow or deny actions:

• Allow. You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
• Deny. You can specify which files are not allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.

Important: For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented.

Important: If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.

Rule exceptions

You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule 'Allow everyone to run Windows except Registry Editor' allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor.

The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: 'Allow Help Desk to run Registry Editor.' If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor.

DLL rule collection

Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable the DLL rule collection

1. Click Start, type secpol.msc, and then press ENTER.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

3. In the console tree, double-click Application Control Policies, right-click AppLocker, and then click Properties.

4. Click the Advanced tab, select the Enable the DLL rule collection check box, and then click OK.

   Important: Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.

AppLocker wizards

You can create rules by using two AppLocker wizards:

1. The Create Rules Wizard enables you to create one rule at a time.
2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.

Additional considerations

• By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.

• There are two types of AppLocker conditions that do not persist following an update of an app:

  • A file hash condition File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released.

  • A publisher condition with a specific product version set If you create a publisher rule condition that uses the Exactly version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.

• If an app is not digitally signed, you cannot use a publisher rule condition for that app.

• AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.

• The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8.

• When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection does not contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.

• When an AppLocker rule collection is set to Audit only, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.

• A custom configured URL can be included in the message that is displayed when an app is blocked.

• Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed.

When you try to install a driver or application in Windows 10, you might get the following UAC error message:

Even through you run the application with administrative rights, you’ll get the exact same error. This problem happens when your application was digitally signed with a revoked or intrusted certificate. Here is a guide on how to bypass the issue 'This app has been blocked for your protection' in Windows 10.

How to Bypass 'This app has been blocked for your protection' in Elevated Command Prompt

To work around this problem, you can install or run the application from elevated Command Prompt.

Step 1: Get the Full Path of the app.

Open the location of the application (.exe) in question. Right-click on its shortcut and select Properties. When the Properties dialog box opens, note down the full path that you need later.

Step 2: Open an elevated Command Prompt window.

Press Windows logo + X keys, then hit A key on the keyboard.

Step 3: In the opening window, type the full path of the application that you want to install and press Enter.

For example: 'C:Program Files (x86)GoogleChromeApplicationchrome.exe'

When finished, close command prompt window.

Bypass 'This app has been blocked for your protection' in Local Group Policy

You can bypass the error 'This app has been blocked for your protection' by changing corresponding policy. Here's how:

Step 1: Open the Local Group Policy Editor.

Press Win+R to bring up the Run dialog, then type in gpedit.msc, hit Enter.

Step 2: In the left pane of Local Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.

In the right pane, double-click on User Account Control: Run all administrators in Admin Approval Mode.

Step 3: Change the security setting to Disabled and click OK.

When finished, close Local Group Policy Editor and then restart your computer.

Note: Changing the policy above will also cause UAC to be turned off automatically. But if you just turn off UAC won't fix the error 'This app has been blocked for your protection'. If you like you can try to turn off Windows SmartScreen, this setting also is very helpful.

How to Bypass 'This app has been blocked for your protection' in the built-in Administrator account

You can fix the error 'This app has been blocked for your protection' by installing or run this app in a built-in administrator account. If you haven't already, enable the built-in elevated Administrator account.

Step 1: Switch user to sign in with built-in elevated Administrator account.

Step 2: Run or install the blocked app.

When successfully finished installing or running the app, sign out of the built-in elevated Administrator account.

Step 3: Sign back into your account.

After logging in, you can use the application without popping up with the error 'This app has been blocked for your protection'.

Related Articles

• How to Disable User Account Control in Windows 10
• How to Unblock App, Files, and Folders in Windows 10
• Top 6 Ways to Run an App as Administrator in Windows 10
• 3 Ways to Protect Files and Folders against Ransomware Attacks
• How to Force Quit Unresponsive Program in Windows 10