Application blocking allows you to enable or block applications from launching.

By default, once you enable application blocking, only applications from the Windows folder, C:\Program Files, and C:\Program Files (x86) are allowed to run. To fine-tune application blocking, you can further specify applications to allow or block based on path, hash, or publisher.

You can configure the following types of application blocking:

  • Path-based. You can specify a path to a folder. Or, you can specify a fully qualified file name (the configured path includes the full path and file name of the executable).
  • Hash-based. You can specify to allow or block based on a hash that matches a particular executable.
  • Publisher-based. You can specify a publisher to allow, and executables associated with that publisher can launch. You cannot block applications by publisher.
    Note: If you configure multiple types of application blocking, it is important to understand the order in which they are evaluated. For more details, see Work with Multiple Types of Application Blocking.

Application blocking is not enabled on User Environment Manager endpoints that use the SyncTool.