When you use multiple types of application blocking, it is important to understand the order in which the blocking is evaluated.

You may need to configure different types of application blocking together to achieve your goals. For example, suppose you want to allow applications to launch only from C:\Program Files (the default behavior of application blocking), but you want to allow only a particular version of Excel. You can enable application blocking and then create a path-specific hash-based allow for your preferred version of Excel. If more than one version of Excel exists in the C:\Program Files folder, only the version you allowed will launch.

When you configure multiple types of application blocking, the configuration is evaluated as follows to determine whether an executable is allowed to launch.

1. Scenario: There is a matching hash-based block setting.
   Result: The launch is blocked. By configuring one or more hashes, the launch of executables can be prevented regardless of their location, even if they are in a location that is allowed by the path-based logic.

2. Scenario: There is a matching hash-based global (that is, not path-specific) allow setting.
   Result: The launch is allowed. By configuring one or more hashes, the launch of executables can be allowed regardless of their location, even if they are in a location that is blocked by the path-based logic.

3. Scenario: There is a matching path-based allow setting for a fully qualified file name (the configured path includes the full path and file name of the executable).
   Result: The launch is allowed.

4. Scenario: There is a matching path-based allow setting for the folder (the configured path includes the folder name only).
   Result: If there is a hash-based path-specific allow setting for the file name and the hash does not match, the launch is blocked. Otherwise, the launch is allowed.

5. Scenario: There is a publisher-based allow setting matching the executable's publisher.
   Result: The launch is allowed.

6. Scenario: None of the above scenarios apply.
   Result: The launch is blocked.
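The evaluation order above, written out as a small decision function over a constructed rule set. This is an added example, not code from the original page or the product it describes; the configuration structure, rule names, sample paths and hash values are assumptions, and a folder allow is assumed to cover its subfolders.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class AppControlConfig:
    """Hypothetical container for the rule kinds the page describes."""
    hash_block: set = field(default_factory=set)            # hashes blocked anywhere
    hash_allow_global: set = field(default_factory=set)     # hashes allowed anywhere
    path_allow_files: set = field(default_factory=set)      # fully qualified file names
    path_allow_folders: set = field(default_factory=set)    # folder names only
    hash_allow_by_path: dict = field(default_factory=dict)  # full file name -> allowed hashes
    publisher_allow: set = field(default_factory=set)       # allowed publisher names


def _norm(path: str) -> str:
    # Windows paths are case-insensitive, so compare them lower-cased.
    return str(PureWindowsPath(path)).lower()


def evaluate(cfg: AppControlConfig, path: str, file_hash: str, publisher: str) -> tuple:
    """Return (decision, matched_rule), checking rules in the page's order."""
    full = _norm(path)
    # 1. A hash-based block wins over every allow, wherever the file lives.
    if file_hash in cfg.hash_block:
        return "blocked", "hash-based block"
    # 2. A global hash-based allow wins over the path-based logic.
    if file_hash in cfg.hash_allow_global:
        return "allowed", "global hash-based allow"
    # 3. Path-based allow on the fully qualified file name.
    if full in {_norm(p) for p in cfg.path_allow_files}:
        return "allowed", "path-based allow (file)"
    # 4. Path-based allow on the folder (assumption: subfolders are covered).
    ancestors = {str(a).lower() for a in PureWindowsPath(path).parents}
    if ancestors & {_norm(p) for p in cfg.path_allow_folders}:
        specific = {_norm(p): h for p, h in cfg.hash_allow_by_path.items()}.get(full)
        if specific is not None and file_hash not in specific:
            return "blocked", "path-specific hash-based allow does not match"
        return "allowed", "path-based allow (folder)"
    # 5. Publisher-based allow.
    if publisher in cfg.publisher_allow:
        return "allowed", "publisher-based allow"
    # 6. Nothing matched: default deny.
    return "blocked", "no matching allow"


# Constructed sample configuration mirroring the page's Excel scenario.
SAMPLE_CONFIG = AppControlConfig(
    hash_block={"HASH-KNOWN-BAD"},
    hash_allow_global={"HASH-TRUSTED-TOOL"},
    path_allow_folders={r"C:\Program Files"},
    hash_allow_by_path={r"C:\Program Files\Microsoft Office\EXCEL.EXE": {"HASH-EXCEL-PREFERRED"}},
    publisher_allow={"Contoso Ltd"},
)
```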