- Packaged app Rules can be find and use in Windows 8 Enterprise edition only
- by default, if AppLocker Executable Rules enabled, Windows 8 will block all Packaged app
- after rules creation, the policy will not apply, it need to be set as enforced to get it run
- the default rules for executables Rules allows any executable under Program Files or Windows directory
- the default rules for Packaged app Rules allows any signed packaged app to run, normally any packaged apps from Windows Store, or company signed sideloading apps
Here is how to configure the policy,
- edit the local Group policy or create a new GPO from domain
- browse to Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker
- from the Executable Rules, right click and select Create Default Rules
- from the Packaged app Rules, right click and select Create Default Rules
- browse to Computer Configuration / Windows Settings / Security Settings / Application Control Policies / AppLocker again
- select Configure rule enforcement, check the box Configured under Executable rules and Packaged app Rules, leave it with Enforce rules, click OK
- save the configuration by exit the policy editor
- reboot the client
Now, you should able to download and run any apps from Windows Store. You can configure the rules base on the requirement, for examples, limit the access to Windows Store by removing the default rule. Please note if removed the default rules, the following application need to be added to allow list for everyone or authenticated users, Windows Store and Control Panel. Without that, the user cannot launch Windows Store or the Windows Control Panel from Start UI.
Other limitation on AppLocker for packaged apps,
- cannot use local administrators or domain admin group to assign rules, this is related to the UAC in Windows. You can't run Windows Store with local administrators privilege...
- cannot block by category
- cannot use distribution group to define rules
No comments:
Post a Comment