There are times when you need to prevent certain users from opening applications, files, or folders. AppLocker is a security feature in Windows that helps you do this. AppLocker is a part of Windows Professional and Enterprise editions.

In this article, I will show you how to enable AppLocker and use it in your organization.
In order to use AppLocker and create deny rules, we will utilize the Local Group Policy Editor for local computers or the Group Policy Editor for domain-joined machines.
- Hold the Windows logo key and press R.
- Type ‘gpedit.msc’ and press Enter to open the Local Group Policy Editor.
- Expand Computer Configuration > Windows Settings > Security Settings > Application Control Policies.
- Expand Application Control Policies > AppLocker.
- Right-click on “Executable Rules” and select “Create New Rule…”.
- Under Before You Begin, click Next.
- Under Permissions, click Deny, and then click Select to choose the account that will be denied access to certain apps.
- Select the type of primary condition that you would like to create, and then click ‘Next’. You can choose one of the three conditions: Publisher, Path, or File hash. So, what is the difference?
  - Publisher – related to applications signed by the publisher.
  - Path – related to a file or folder path.
  - File hash – related to applications that are not signed by the publisher.
- Under “Publisher”, click “Browse” to select the reference file you want to deny access to.
- In my example, I selected DaVinci Resolve software, which is used for video editing. You can also use the slider to select the properties that define the rule. As you move down, the rule becomes more specific. When the slider is in the “Any publisher” position, the rule is applied to all signed files.

I keep the default settings for the slider. Once done, click Next.
- You can also add exceptions. Exceptions are optional and allow you to exclude files that would normally be included in the rule. To continue configuring this rule without adding an exception, click ‘Next’.
- Enter a name to identify this rule and click Create.
- Under ‘Do you want to create the default rules now?’, click ‘Yes’. The default rules are not currently in the rule list for this rule collection. When creating rules, it is recommended to also create the default rules to ensure that important system files will be allowed to run.
- You have successfully denied the application of your choice. As you can see, it is listed under Executable Rules.
- Close the Local Group Policy Editor.
- Now, when you try to open the app, it will be blocked.
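To confirm that the deny rule created in the steps above is actually in effect, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the original article; `$exe` and `$user` are placeholders to replace with the blocked file and the denied account.

```powershell
# Added example: verify an AppLocker deny rule after creating it in gpedit.msc.
$exe  = 'C:\Path\To\BlockedApp.exe'   # placeholder: the file the rule should block
$user = 'Everyone'                    # placeholder: or DOMAIN\user, the denied account

# 1. AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
"{0}: {1} (start type: {2})" -f $svc.Name, $svc.Status, $svc.StartType
if ($svc.Status -ne 'Running') {
    Write-Warning 'AppIDSvc is not running: the deny rule will not be enforced.'
}

# 2. Read the effective policy (local and domain GPOs merged) as XML, then list
#    each rule collection's enforcement mode and the deny rules it contains.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    "{0,-8} EnforcementMode={1}" -f $rc.GetAttribute('Type'), $rc.GetAttribute('EnforcementMode')
    foreach ($rule in $rc.SelectNodes('*[@Action="Deny"]')) {
        "    DENY  {0}  [{1}]  SID={2}" -f $rule.GetAttribute('Name'),
            $rule.LocalName, $rule.GetAttribute('UserOrGroupSid')
    }
}

# 3. Ask AppLocker how it would decide for this file and this user.
#    PolicyDecision should read Denied and MatchingRule should be the rule name.
if (Test-Path -LiteralPath $exe) {
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $exe -User $user |
        Format-List FilePath, PolicyDecision, MatchingRule
} else {
    Write-Warning "Placeholder path not found: $exe"
}

# 4. Recent AppLocker events for executables:
#    8004 = blocked, 8003 = would have been blocked (audit-only mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If step 3 reports Denied but the application still starts, check step 1 first: a stopped Application Identity service is the usual reason a correctly written rule has no effect.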
Wrap Up
There are moments when you need to deny certain local or domain users from opening specific applications, files, or folders. By using AppLocker, which is integrated into Windows 11, you can create policies and disable targets by the publisher, path, and file hash.
This article covers step-by-step instructions on how to do it.
The “Cannot change fingerprint or PIN” problem in Windows 11 happens when the options to change these settings are greyed out in Settings → Accounts → Sign-in options. Even if you are the administrator, you can’t update your Windows Hello credentials. You might also see a message like “This option is temporarily unavailable.”

This usually happens because Windows Hello’s stored data (in the Ngc folder) is damaged or not in sync. Other reasons include security rules set by your workplace or school, connected work accounts, or restrictions set in the registry or group policy.
Now that you’re aware of the potential causes, let’s go through some steps that have helped other users fix or work around this problem:
1. Change the PIN or Fingerprint the Conventional Way
If your goal is to remove the fingerprint or PIN without setting up another sign-in method, please note that this is not possible on Windows 11.
Windows 11 requires you to have at least one Sign-in option enabled. The Remove button will remain grayed out if you only have one active sign-in method.

For example, the Remove button for your PIN will stay unavailable until you add a different sign-in option (like Facial Recognition, Fingerprint, or a Security Key).
If you want to stop using your PIN or Fingerprint, you’ll need to set up an additional way to sign in.
Below are step-by-step instructions to set up a new sign-in option and then remove your current one:
- Press Windows key + I to open the Settings menu in Windows 11.
- Inside the Settings menu, click on Accounts from the vertical menu on the left. Note: If the left menu is hidden by default, click the menu button (top-left corner) to reveal it.
- Once in the Accounts menu, move to the right-hand section of the screen and select Sign-in options.
- Now, choose which sign-in method you’d like to set as a fallback. Note: Your available options depend on your device. If your PC doesn’t support facial recognition or you don’t have a security key, you can switch between PIN and fingerprint.
- After you pick your new sign-in method, follow the on-screen instructions to set it up.
- Once your second sign-in option is set, you’ll be able to click the Remove button to get rid of your previous sign-in method. You can also choose Change PIN or Change Fingerprint to update, rather than remove, your sign-in credentials.
2. Remove PIN or Fingerprint Requirement by Using a Local Account
If you want to completely remove all sign-in options like PIN or Fingerprint, you will have to switch to a local account.
We generally don’t recommend this unless you really need to, as it can limit the functionality of some built-in Windows features (like Windows Update and the Microsoft Store).
If you still want to remove your PIN or Fingerprint sign-in, you’ll need to set up a local account with a password instead. Keep in mind, this means you’ll need to stop using your Microsoft account on your PC.
Important: This method isn’t available if you’re enrolled in the Windows Insider program.
To change from a Microsoft account with PIN or fingerprint to a local password, follow these steps:
- Press Windows + I to open the Settings menu in Windows 11.
- In the Settings menu, click on Accounts from the menu on the left. Note: If you don’t see the left menu, click the menu icon (top-left corner).
- Inside Accounts, click on Family & other users on the right-hand side.
- In the Family & other users tab, check for any accounts listed under Other users. If you find any, remove them before moving on.
- Next, return to the main Accounts menu and click on Your info on the right.
- Scroll down to Account Settings and click on Sign in with a local account instead.
- On the next screen, click Next.
- When prompted, enter your current PIN or use your fingerprint as requested.
- Then, you’ll be asked to create a username and password for your new local account, along with a password hint in case you forget.
- Finally, click Sign out and finish to complete the switch.