How to restrict access to desktop apps on Windows 11


On Windows 11, you can block virtually any traditional desktop application, and in this guide, you will learn two ways to complete this task.

Users need access to applications, but rarely to all of them. For example, they usually don't need tools like Command Prompt, PowerShell, or the Registry, since these can be used to make unwanted system changes.

If you are setting up a device that needs to restrict certain apps, Windows 11 allows you to prevent users from accessing desktop applications through the Group Policy Editor or Security Policy.

This how-to guide will walk through the different ways to block users from accessing specific apps on Windows 11.

How to block access to Windows 11 apps from Group Policy

To prevent users from launching certain apps on Windows 10, use these steps:

  1. Open Start.
  2. Search for gpedit.exe and click the top result to open the Local Group Policy Editor.
  3. Open the following path: User Configuration > Administrative Templates > System
  4. Double-click the "Don't run specified Windows applications" policy from the right side.
  5. Select the Enabled option.
  6. Click the Show button.
  7. Confirm the names of the programs to block.
  8. Click the Apply button.
  9. Click the OK button.
  10. Restart the computer.

After you complete the steps, the applications specified in the policy will be blocked for any account configured on Windows 11.

If you change your mind or no longer need the configuration, you can use the same instructions to undo the changes, but on step 5, choose the "Not configured" option.
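
To confirm the policy took effect after the restart, you can read it back from the registry location where this policy is stored for the signed-in user. This is an added example, not part of the original guide; the function name Get-DisallowRunStatus and the expected program names are assumptions for illustration.

```powershell
# Added example (not from the original guide). Get-DisallowRunStatus is a
# hypothetical helper name; the expected list at the bottom is a constructed sample.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = "$policyKey\DisallowRun"

function Get-DisallowRunStatus {
    param([string[]]$Expected = @())

    # The policy is on only when the DisallowRun DWORD under the Explorer key is 1.
    $flag = (Get-ItemProperty -Path $policyKey -Name 'DisallowRun' `
                -ErrorAction SilentlyContinue).DisallowRun
    $enabled = ($flag -eq 1)

    # Each blocked program is one string value under the DisallowRun subkey.
    $blocked = @()
    if (Test-Path -Path $listKey) {
        $key = Get-Item -Path $listKey
        $blocked = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }

    [pscustomobject]@{
        User    = $env:USERNAME
        Enabled = $enabled
        Blocked = $blocked
        # Expected names that are absent from the list (comparison is case-insensitive).
        Missing = @($Expected | Where-Object { $blocked -notcontains $_ })
    }
}

# Sample check: the three tools the guide mentions, by executable name.
$status = Get-DisallowRunStatus -Expected 'cmd.exe', 'powershell.exe', 'regedit.exe'
$status | Format-List

if (-not $status.Enabled) {
    Write-Warning 'The policy is not enabled for this user.'
} elseif ($status.Blocked.Count -eq 0) {
    Write-Warning 'The policy is enabled, but the list of blocked programs is empty.'
} elseif ($status.Missing.Count -gt 0) {
    Write-Warning ("Not in the block list: " + ($status.Missing -join ', '))
}
```

Run it in the session of the account you want to check, since the values are read from that user's registry hive.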

How to block access to Windows 11 apps from Security Policy

To restrict access to specific apps through the Local Security Policy app, use these steps:

  1. Open Start.
  2. Search for Local Security Policy and click the top result to open the app.
  3. Open the "Software Restriction Policies" branch.
  4. Right-click the Additional Rules folder and choose the "New Hash Rule" option.
  • Quick tip: Right-click the "Software Restriction Policies" branch and select the "New Software Restriction Policies" option if the folder is missing.
  5. Click the Browse button.
  6. Open the application folder and choose the executable (.exe) file – for example, cmd.exe.
  7. Click the Open button.
  8. Click the Apply button.
  9. Click the OK button.
  10. Restart the computer.

Once you complete the steps, Windows 11 will prevent users from launching the application you blocked in the settings. You may need to repeat the steps to block other apps.

You can always allow the apps again with the same instructions, but on step 4, right-click and choose the "Delete" option for the app's hash.

If you plan to block some specific apps because you want to prevent users from making unwanted system changes, then you may want to consider demoting the account to "Standard user," which will prevent anyone from modifying the system configuration. 


Mauro Huculak

Mauro Huculak has been a Windows How-To Expert contributor for WindowsCentral.com for nearly a decade and has over 15 years of experience writing comprehensive guides. He also has an IT background and has achieved different professional certifications from Microsoft, Cisco, VMware, and CompTIA. He has been recognized as a Microsoft MVP for many years.