Frequently Asked Question
GPO to disable Edge in Server 2025 RDSH
How the “Don’t run specified Windows applications” policy works
The User Configuration → Administrative Templates → System → “Don’t run specified Windows applications” setting is a simple “black‑list” that tells Windows Explorer to refuse launching any executable whose file name appears in the list.
When the policy is enabled Windows will:
- Check the name of the program the user is trying to start.
- If the name matches an entry in the DisallowRun list, Explorer shows the standard “This program has been blocked by your system administrator” message and the process never starts.
The check is performed before the executable is loaded, so the programme never gets a chance to run any of its code – a useful way of preventing unwanted or risky software from being used.
Why you might want to use it
| Reason | What it achieves |
|---|---|
| Security hardening | Stops users from launching known vulnerable or unwanted binaries (e.g. legacy browsers, test tools, remote‑admin utilities). |
| Compliance | Guarantees that only approved software can be executed on corporate workstations, helping to meet ISO 27001, GDPR or internal policy requirements. |
| Resource control | Prevents background processes that waste CPU/ram (e.g. msedgewebview2.exe if you do not use WebView‑2 based apps). |
| User productivity | Blocks games, personal utilities or development tools that are not required for the user’s role. |
| Simplified rollout | A single GPO can cover many machines without needing to uninstall or modify the programmes themselves. |
How to configure it via Group Policy
- Open the Group Policy Management Console (GPMC).
- Right‑click the OU (or the domain) where the policy should apply → Create a GPO, give it a meaningful name (e.g. Block unwanted executables).
- Edit the GPO:
User Configuration → Administrative Templates → System → Don’t run specified Windows applications
- Set the policy to Enabled.
- Click the Show… button under List of disallowed applications and add each executable name, one per line, e.g.:
msedge.exe
msedgewebview2.exe
- Link the GPO to the appropriate OU(s).
- (Optional) Use Security Filtering or WMI Filtering to target only specific user groups or device types.
Tip: The policy only checks the file name, not the path. msedge.exe will be blocked wherever it lives on the system.
Setting the same restriction directly in the registry (no GP required)
If you prefer to push the setting with a script, SCCM, Intune, or a login script, you can write the required registry keys yourself.
| Registry hive | Path | Value name | Type | Description |
|---|---|---|---|---|
| HKCU (per‑user) or HKLM (machine‑wide) | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
DisallowRun |
DWORD | Set to 1 to enable the blacklist. |
| HKCU or HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun |
1, 2, 3 … |
REG_SZ | Each entry contains the executable name to block (e.g. msedge.exe). |
Example PowerShell script (per‑user)
# Enable the DisallowRun policy
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
-Name DisallowRun -Value 1 -Type DWord
# Create the sub‑key if it doesn't exist
New-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -Force
# Add the executables to block
$apps = @('msedge.exe','msedgewebview2.exe')
for ($i = 0; $i -lt $apps.Count; $i++) {
$name = ($i+1).ToString()
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' `
-Name $name -Value $apps[$i] -Type String
}
Deploy the script via your favourite endpoint‑management tool, and the restriction will take effect the next time the user logs on (or after a gpupdate /force if you also have GP processing enabled).
When you might prefer the registry method
- Stateless or cloud‑based devices – where you push a baseline image and then apply customisations with scripts rather than maintaining many GPOs.
- Non‑domain‑joined machines – laptops or kiosks that are not members of Active Directory.
- Rapid testing – you can drop a
.regfile or run a one‑off PowerShell command to see the effect before committing to a full GPO.
Other scenarios that fit this approach
The same mechanism can be re‑used for many different purposes:
| Scenario | Example of executables to block | Why it helps |
|---|---|---|
| Prevent use of legacy browsers | iexplore.exe, firefox.exe |
Forces users onto the approved Edge/Chrome build, reducing patch‑management overhead. |
| Stop unapproved scripting tools | powershell.exe, pwsh.exe, cmd.exe |
Reduces the attack surface for privilege‑escalation attempts. |
| Block portable utilities | putty.exe, winscp.exe, teamviewer.exe |
Stops users from circumventing VPN or remote‑access policies. |
| Kiosk or shared‑PC mode | Any application not required for the kiosk purpose (e.g. calc.exe, notepad.exe) |
Guarantees the device only runs the intended kiosk software. |
| Limit background telemetry | GoogleUpdate.exe, AdobeUpdater.exe |
Reduces unwanted network traffic on corporate WAN. |
| Enforce software licences | Unlicensed copies of a tool (e.g. someapp_trial.exe) |
Prevents accidental use of trial versions after purchase of the full licence. |
Note: For more granular control (e.g. based on path, hash, publisher, or signed status) consider AppLocker (Windows 10/11 Enterprise) or Software Restriction Policies. Those solutions can allow/deny based on more than just the file name.
Best‑practice checklist before you roll it out
- Test in a lab – verify that the blocked executable truly prevents the unwanted behaviour and does not break a critical business app.
- Create an exception list – if a needed application shares the same name (rare, but possible), you may need to whitelist it via AppLocker instead.
- Communicate to users – let them know why the change is happening to avoid confusion when they see the “blocked by your system administrator” prompt.
- Document the list – keep a version‑controlled record of every entry and the reason for its inclusion.
- Monitor Event Logs – blocked attempts generate Event ID 3000 in the Application log (source: Microsoft-Windows-GroupPolicy/Operational). Use this to confirm the policy is working and to spot any attempts to bypass it.
- Review periodically – software inventories change; revisit the list every 3–6 months to add new unwanted binaries or remove obsolete ones.
Quick reference – one‑liner registry import
If you simply need to push the setting with a .reg file, the following will block msedge.exe and msedgewebview2.exe for the current user:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="msedge.exe"
"2"="msedgewebview2.exe"
Save as BlockEdgeApps.reg and double‑click on each workstation (or deploy via a script).
TL;DR
Enable the “Don’t run specified Windows applications” GPO (or the equivalent registry keys) to create a simple, name‑based blacklist of executables such as msedge.exe and msedgewebview2.exe. Use Group Policy for domain‑joined PCs, or write the same keys directly to the registry for non‑domain or script‑based deployments. This technique is ideal for blocking unwanted browsers, legacy tools, portable utilities, or any programme you wish to prevent from running for security, compliance or performance reasons. Test first, document the list, and monitor the Event Log to ensure the policy is having the intended effect.
