Skip to content

How to Create an App Control Deny Policy

Application Control is based on whitelisting strategy, that means everything that is not allowed in the policy is automatically denied. However, there are times when you might need to only prevent a certain app or file from running, while allowing everything else. This is where the App Control Deny Policy comes in.

Use the Create Deny Policy page in the AppControl Manager to create a new App Control Deny Policy based on different criteria.


Create an App Control Deny Policy by Scanning Files and Folders

In the Create Deny Policy page, select the Files and Folders section to expand it.


Deny policy Files and Folders section



  • Browse for files and/or folders that you want to be scanned and included in the Deny policy.

  • Select an appropriate name for the Deny policy that will help you recognize it after deployment.

  • The scalability is set to 2 by default but you can increase it if the number of files/folders are too many. The higher this number, the faster the scan will be completed and the more system resources will be consumed during the scan phase.


Files and Folders deny policy section



Having selected all of the required details, you can now press the Create Deny Policy button and wait for the scan to finish.

All of the files and folders that you selected will be recursively scanned and any App Control compatible files that are found in them will be added to View detected file details page at the bottom of the section to show you the exact files that will be included in the deny policy.


Files and Folders deny policy section scan results



If you toggle the Deploy after Creation button the Deny policy will also be deployed on the system after creation.


Files and folders section Deploy button focus



Create a Deny Policy for Packaged Apps

Packaged apps are modern, they use MSIX packages and are easy to manage and block/deny in App Control policies because all of the files in a packaged app share the same signing certificate and Package Family Name.

Use the AppControl Manager to create deny policies for packaged apps. The policy that you create will not need any changes when the apps are updated since the denial is based on the PackageFamilyName aka PFN.

In order to create this type of deny policy, navigate to the Create Deny Policy page in the AppControl Manager and expand the Package Family Name section.


PFN section selecting apps after search



The apps list will be automatically preloaded for you upon expanding the section. You can use the search bar to search for one or more app(s) and then select them.

Next, enter a suitable name for the Deny policy and finally press the Create Deny Policy button.

The deny policy will be created and if you toggled the Deploy after Creation button, it will also be deployed on the system.

In the screenshots above, we searched for the Photos app, selected it and after deploying that policy, the Photos app will no longer be able to run on the system when we try to launch it.


PFN blocked Photos app notice in Windows