With path-based application blocking, you can control the folders from which applications can be started. If a user attempts to run an application from a blocked folder, the application does not start.

You can use hash-based application blocking if path-based application blocking is enabled at a global level. The following scenarios are supported with hash-based application blocking.

Scenario

Description

Globally block the launch of an executable with a particular hash

By configuring one or more hashes, the launch of executables can be prevented regardless of their location, even if they are in a location that is allowed by the path-based logic.

Globally allow the launch of an executable with a particular hash

By configuring one or more hashes, the launch of executables can be allowed regardless of their location, even if they are in a location that is blocked by the path-based logic.

Allow only certain versions of executables to be launched from a location that is allowed by the path-based logic

By configuring a filename, without a path and one or more hashes, you can control which particular instance of an executable with a particular hash can be launched from a location that is allowed by the path-based logic. This way, for example, you can only run a specific version of winword.exe or only one of two specific versions of excel.exe.