Catch-all Deny

A catch-all deny policy is the last policy executed following the execution of a group of allow list policies. This enables you to configure your allow list to allow approved applications, like the Windows directory or other installed applications, and then to deny everything else, like applications downloaded from the internet or a thumb drive.

To create a catch-all deny policy, follow these steps:

  1. Under your Computer Group select Application Policies and click Create Policy.

  2. Select Skip the wizard, take me to a blank policy to create a blank policy.

  3. Enter a name and description, change the default priority value to a higher number, for example 99 and click Create.

  4. Under Conditions, click Add Exclusions.

  5. Search for and Add the LocalSystem and Service applications filter.

  6. Click Update.

  7. On the bottom of the policy page, click Show Advanced.

  8. Under Policy Enforcement, ensure only Stage 2 processing is set to active.

    catch-all

  9. Click Save Changes.

  10. Set the Inactive switch to Active.

If you are creating a new catch-all policy to be used in conjunction with allow list policies, please verify that the allow list is catching all system applications and that the new deny policy is the last policy executed. For additional safety you can define the exclude any parameter to exclude system and service applications.