How to Use AppLocker to Allow or Block Windows Installer Files from Running in Windows 10


AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps (aka: Microsoft Store apps), and packaged app installers.

AppLocker defines Windows Installer rules to include only the .msi, .msp, and .mst file formats.

The purpose of this rule collection is to allow you to control the installation of files on client computers and servers through Group Policy or the Local Security Policy snap-in. The following table lists the default rules that are available for the Windows Installer rule collection.

Any Windows Installer file not allowed by the default rules below is blocked by default unless you create a new rule to allow it for a user or group.

If you want to block a Windows Installer file allowed by the default rules below, you will need to create a new rule to block (deny) it for a user or group.

| Purpose | Name | User | Rule condition type |
|---|---|---|---|
| Allow members of the local Administrators group to run all Windows Installer files | (Default Rule) All Windows Installer files | BUILTIN\Administrators | Path: * |
| Allow all users to run Windows Installer files that are digitally signed | (Default Rule) All digitally signed Windows Installer files | Everyone | Publisher: * (all signed files) |
| Allow all users to run Windows Installer files that are located in the Windows Installer folder | (Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer | Everyone | Path: %windir%\Installer\* |


This tutorial will show you how to use AppLocker to allow or block specified Windows Installer (.msi, .msp, and .mst) files to run for all or specific users and groups in Windows 10 Enterprise and Windows 10 Education.

You must be signed in as an administrator to use AppLocker.


EXAMPLE: "The system administrator has set policies to prevent this installation" message when any user opens a blocked Windows Installer (.msi, .msp, and .mst) file



Here's How:

1. Open an elevated command prompt.

2. Copy and paste the command below into the elevated command prompt, press Enter, and close the elevated command prompt when it has finished.

This command is to make sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.

sc config "AppIDSvc" start=auto & net start "AppIDSvc"

3. Open Local Security Policy (secpol.msc).

4. Expand open Application Control Policies in the left pane of the Local Security Policy window, click/tap on AppLocker, and click/tap on the Configure rule enforcement link on the right side.

5. Check the Configured box under Windows Installer rules, and click/tap on OK.

6. Expand open AppLocker in the left pane of the Local Security Policy window, right click or press and hold on Windows Installer Rules, and click/tap on Create Default Rules.

If this step is not done, AppLocker will block all Windows Installer files from running by default unless allowed by a created rule.

7. Right click or press and hold on Windows Installer Rules, and click/tap on Create New Rule.

8. Click/tap on Next.

9. If you would like to specify a user or group to enforce this rule on, click/tap on Select.

The default setting is Everyone for all users and groups.

A) Click/tap on the Advanced button.

B) Click/tap on the Find Now button.

C) Select a user or group you want, and click/tap on OK.

D) Click/tap on OK.

10. Select (dot) Allow or Deny for what you want, and click/tap on Next.

11. Select (dot) Path, and click/tap on Next.

12. Do step 13 (file) or step 14 (folder/drive) below for the file or folder path you want to specify to allow or block.


 13. To Specify a Windows Installer File Path to Allow or Block

A) Click/tap on the Browse Files button.

B) Select if you want to allow or block a .msi, .msp, or .mst file in the drop menu at the bottom right corner.

C) Navigate to and select the .msi, .msp, or .mst file you want to allow or block.

D) Click/tap on Open, and go to step 15 below.


 14. To Specify a Folder or Drive Path to Allow or Block All Windows Installer Files in the Folder or Drive

A) Click/tap on the Browse Folders button.

B) Navigate to and select a folder or drive you want to allow or block all Windows Installer (.msi, .msp, and .mst) files in.

C) Click/tap on OK, and go to step 15 below.

15. Click/tap on Next.

16. Click/tap on Next.

17. Click/tap on Create.

18. Your new rule for "Windows Installer Rules" will now be created.

19. Repeat steps 7 to 18 if you would like to create another new rule to allow or block another Windows Installer file for a user or group.

20. When finished, you can close the Local Security Policy window.
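
A folder rule like the one in step 14 can also be scripted and checked before it is enforced. The PowerShell below is an added example, not part of the original tutorial: it writes one Deny path rule for the Windows Installer rule collection, dry-runs it with Test-AppLockerPolicy, and merges it into the local policy only when $Apply is set to $true. The folder C:\Installers, the scratch file name and the rule name are assumptions.

```powershell
# Added example (not from the original tutorial). Run in an elevated PowerShell session.
$Folder    = 'C:\Installers'            # assumed folder whose installers are blocked
$PolicyXml = "$env:TEMP\msi-deny.xml"   # assumed scratch file holding the rule
$Apply     = $false                     # $true merges the rule into the local policy

# One Deny path rule in the Msi collection for Everyone (well-known SID S-1-1-0).
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny installers in $Folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$Folder\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyXml -Value $xml -Encoding UTF8

# Installer files currently in the folder (.msi, .msp, .mst).
$files = @(Get-ChildItem -Path $Folder -Recurse -File -Include *.msi, *.msp, *.mst `
               -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName)

# Dry run: evaluate the rule file alone. Each file should show Denied with this rule.
if ($files.Count -gt 0) {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $files -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

if ($Apply) {
    # -Merge adds the rule to the existing local policy, so the default
    # rules created in step 6 are kept.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

    # Re-check against the full local policy (default rules plus the new rule).
    if ($files.Count -gt 0) {
        Get-AppLockerPolicy -Local |
            Test-AppLockerPolicy -Path $files -User Everyone |
            Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    }

    # Recent decisions: 8005 = allowed, 8006 = audit only (would be blocked), 8007 = blocked.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8005, 8006, 8007
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Format-Table TimeCreated, Id, Message -Wrap
}
```

A PolicyDecision of DeniedByDefault in the second check means no allow rule matched the file at all, which usually indicates the default rules from step 6 are missing.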


That's it,
Shawn