Q: I’m setting an AppLocker policy to block an application—how can I stop administrators from being able to run the program in an elevated command prompt?
A tip for blocking apps with AppLocker.
September 20, 2011
A. The ability for administrators to run the blocked application in an elevated command prompt is by design but can be changed. Blocked applications may be needed by administrators, so a rule allowing administrators to run all applications from all paths is added by default (see Figure 1 below).
Figure 1: AppLocker
The way AppLocker works is any application not allowed by a rule is blocked implicitly, but this Allow rule for administrators is what facilitates administrators running any application. Note that an explicit Deny rule of an application still applies to administrators, because an explicit Deny takes precedence over an explicit Allow.
If you want to stop administrators from being able to run any application that is not otherwise allowed, you can either delete the rule for administrators or modify it. Open the Group Policy Object that defines the AppLocker rules, and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, AppLocker, Executable Rules. Then double-click the BUILTIN\Administrators rule and change it as needed.
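Before editing the GPO it helps to see which rule actually decides the outcome for an administrator, and to confirm that an explicit Deny scoped to Administrators overrides the default Allow. The following is an added example using the AppLocker PowerShell cmdlets, not part of the original answer; the application path, rule name and the merge into the local policy are assumptions for illustration.

```powershell
# Added example: evaluate the effective AppLocker policy for one executable as
# BUILTIN\Administrators and as BUILTIN\Users, then add an explicit Deny rule for
# Administrators. $AppPath is a placeholder and must point at an existing file.
$AppPath  = 'C:\Program Files\Contoso\BlockedApp.exe'   # placeholder (assumption)
$AdminSid = 'S-1-5-32-544'                              # well-known SID: BUILTIN\Administrators
$UsersSid = 'S-1-5-32-545'                              # well-known SID: BUILTIN\Users

# Export the effective (merged) policy so it can be tested offline against a file.
$policyXml = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml

# Compare the PolicyDecision and MatchingRule for both principals. With the default
# rules present, the "All files" Allow rule for BUILTIN\Administrators is the one
# that matches for the administrator.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $AppPath -User $AdminSid
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $AppPath -User $UsersSid

# Explicit Deny path rule scoped to Administrators. An explicit Deny takes
# precedence over an explicit Allow, so the default Allow rule can stay in place.
$denyPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny BlockedApp for Administrators"
                  Description="Added example rule" UserOrGroupSid="$AdminSid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Contoso\BlockedApp.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$denyXml = Join-Path $env:TEMP 'deny-blockedapp.xml'
Set-Content -Path $denyXml -Value $denyPolicy

# Merge the Deny rule into the local policy (elevated session required), then
# re-export and re-test: the MatchingRule for the administrator is now the Deny rule.
Set-AppLockerPolicy -XmlPolicy $denyXml -Merge
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml
Test-AppLockerPolicy -XmlPolicy $policyXml -Path $AppPath -User $AdminSid
```

For a domain deployment the same rule XML is imported into the GPO described above (Set-AppLockerPolicy also accepts an -Ldap path to a GPO) rather than into the local policy.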