Most companies require only a few applications on the computer to be used. An admin can restrict the access of a Windows application from employees. They can set a policy to allow only specific applications and restrict everything else on a computer. It is also a good idea when you are letting someone else use your personal computer for work. This limits the computer to only those few applications and nothing else. You can also limit a user account for only specific programs. In this article, you will learn how to allow users to run only specific Windows applications.

How to Allow Users to Run Specified Windows Programs Only? - 1

Allowing to run only specific programs on Windows

Note : Make sure you are making the below changes in the User Standard account and not in an administrator account. If you are making changes in the administrator account, then make sure to allow the administrator tools like Group Policy Editor, Registry Editor, and so on. This will help you in reversing any of the changes that will be made through this article.

Run Only Specified Windows Applications

The methods in this article will require the executable names of the applications. It will only allow those applications that you list in the below methods. Executable files will have an extension of .exe and you can find them easily in the folders of those applications. However, if you want to add .msc extensions in the list of allowed applications, then you need to add “ mmc.exe ” (Microsoft Management Console). That is because .msc files are just text files containing XML. Whenever a user opens an MSC file, Windows will execute mmc.exe, passing in the .msc file as an argument.

Method 1: Using the Local Group Policy Editor

The Local Group Policy Editor is a tool that is used to configure settings for the operating system. There are different policy settings in the Group Policy Editor. The one we will be using in this method can be found under the User Configuration category. There is also one other setting that only restricts applications that you will add to the list in the setting rather than only allowing the few that you list.

Skip this method if you are using the Windows Home operating system. That is because the Group Policy Editor isn’t available in the Windows Home Editions.

  1. Open Run dialog by pressing Windows + R key combination on the keyboard. Then, type “ gpedit.msc ” in it and press the Enter key to open the Local Group Policy Editor . Opening Local Group Policy Editor
  2. In the User Configuration category of Group Policy, navigate to the following path: User Configuration\Administrative Templates\System\ Navigating to the setting
  3. Double-click on the setting named “ Run only specified Windows applications ” and it will open up in another window. Now change the toggle option to Enabled and click on the Show button. Enabling the setting
  4. Now add the executable names of the applications to be allowed. The names can be written as shown in the screenshot. Adding program names to allow for the user Note : Make sure you add the applications like Explorer, Group Policy Editor, Registry Editor, and so on. Adding administrator tools (like GPO) will allow you to reverse this setting.
  5. Click on the Apply/Ok button for this setting to save the change. This will disable all the Windows applications on your system and only allow the ones you added to the list.
  6. To enable all Windows applications back again, change the toggle option in step 3 to Not Configured or Disabled .

Method 2: Using the Registry Editor

The Registry Editor is a tool that allows users to view and manage low-level settings of the Windows operating system. However, unlike the Group Policy Editor method, this will require some technical steps from users. You will need to create the missing keys and values for the setting to work. Also, just to be safe, you can always create a backup of the registry. Follow the below steps to allow only specific applications for the standard user.

  1. Press the Windows + R key combination to open a Run dialog and type “ regedit ” in it. Press the Enter key to open the Registry Editor and if prompted by UAC (User Account Control), then select the Yes option. Opening the Registry Editor
  2. In the Current User Hive, navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  3. Create a new value in the Explorer key by right-clicking and choosing New > DWORD (32-bit) Value . Name this newly created value as “ RestrictRun “. Creating a new value
  4. Double-click on the RestrictRun value and set the value data to 1 . Enabling the value
  5. Next is to create another key under the Explorer key by right-clicking on the key and choosing the New > Key option. This value should be named “ RestrictRun “. Creating the new key
  6. In this key, create a new value by right-clicking on the right pane and choosing the New > String Value option. The name of the value can exactly be the executable as shown in the screenshot: Creating string value for each program name
  7. Open the value and add the string value as the executable name of the application. Note : Some tools will have an extension of ‘ .msc ‘, so add the “ mmc.exe ” executable for all those tools. Adding the executable name of programs as value data
  8. After all the configurations, you will need to restart your computer to apply the changes made.
  9. To enable all the programs again on your system, you need to remove the executable names in value data or delete the values from the Registry.

How to Fix “Printer is in an error state” Issue?

The “ Cannot change fingerprint or PIN ” problem in Windows 11 happens when the options to change these settings are greyed out in Settings → Accounts → Sign-in options. Even if you are the administrator, you can’t update your Windows Hello credentials. You might also see a message like “ This option is temporarily unavailable. ”

How to Allow Users to Run Specified Windows Programs Only? - 2

Can’t disable PIN or Fingerprint on Windows 11

This usually happens because Windows Hello’s stored data (in the Ngc folder) is damaged or not in sync. Other reasons include security rules set by your workplace or school, connected work accounts, or restrictions set in the registry or group policy.

Now that you’re aware of the potential causes, let’s go through some steps that have helped other users fix or work around this problem:

1. Change the PIN or Fingerprint the Conventional Way

If your goal is to remove the fingerprint or PIN without setting up another sign-in method, please note that this is not possible on Windows 11.

Windows 11 requires you to have at least one Sign-in option enabled. The Remove button will remain grayed out if you only have one active sign-in method.

How to Allow Users to Run Specified Windows Programs Only? - 3

Can’t disable PIN or Fingerprint on Windows 11

For example, the Remove button for your PIN will stay unavailable until you add a different sign-in option (like Facial Recognition, Fingerprint, or a Security Key).

If you want to stop using your PIN or Fingerprint, you’ll need to set up an additional way to sign in.

Below are step-by-step instructions to set up a new sign-in option and then remove your current one:

  1. Press Windows key + I to open the Settings menu in Windows 11.
  2. Inside the Settings menu, click on Accounts from the vertical menu on the left. Accessing the Accounts menu Note: If the left menu is hidden by default, click the menu button (top-left corner) to reveal it.
  3. Once in the Accounts menu, move to the right-hand section of the screen and select Sign-in options. Accessing the Sign In Options menu
  4. Now, choose which sign-in method you’d like to set as a fallback. Sign-in Options Note: Your available options depend on your device. If your PC doesn’t support facial recognition or you don’t have a security key, you can switch between PIN and fingerprint.
  5. After you pick your new sign-in method, follow the on-screen instructions to set it up.
  6. Once your second sign-in option is set, you’ll be able to click the Remove button to get rid of your previous sign-in method. You can also choose Change PIN or Change Fingerprint to update, rather than remove, your sign-in credentials. Modify the current PIN or remove one of the configured sign-in options

2. Remove PIN or Fingerprint Requirement by Using a Local Account

If you want to completely remove all sign-in options like PIN or Fingerprint, you will have to switch to a local account .

We generally don’t recommend this unless you really need to, as it can limit the functionality of some built-in Windows features (like Windows Update and the Microsoft Store).

If you still want to remove your PIN or Fingerprint sign-in, you’ll need to set up a local account with a password instead. Keep in mind, this means you’ll need to stop using your Microsoft account on your PC.

Important: This method isn’t available if you’re enrolled in the Windows Insider program.

To change from a Microsoft account with PIN or fingerprint to a local password, follow these steps:

  1. Press Windows + I to open the Settings menu in Windows 11.
  2. In the Settings menu, click on Accounts from the menu on the left. Accessing the Accounts menu Note: If you don’t see the left menu, click the menu icon (top-left corner).
  3. Inside Accounts , click on Family & other users on the right-hand side. Accessing the Family and other users tab
  4. In the Family & other users tab, check for any accounts listed under Other users. If you find any, remove them before moving on.
  5. Next, return to the main Accounts menu and click on Your info on the right. Accessing the Your Info tab
  6. Scroll down to Account Settings and click on Sign in with a local account instead . Sign in with a local account instead
  7. On the next screen, click Next .
  8. When prompted, enter your current PIN or use your fingerprint as requested. Inserting the PIN
  9. Then, you’ll be asked to create a username and password for your new local account, along with a password hint in case you forget. Configure the local account
  10. Finally, click Sign out and finish to complete the switch.