AppLocker
AppLocker policies control which applications users are allowed to run on Windows devices. Define rules that allow or deny executables, scripts, installers, and packaged apps based on publisher, path, or file hash.
Note: AppLocker requires Windows 10/11 Enterprise or Education editions.
Rule Types
Executable Rules
Control .exe and .com files by publisher, path, or file hash.
Windows Installer Rules
Control .msi and .msp files. Prevent unapproved software installation.
Script Rules
Control PowerShell (.ps1), batch (.bat, .cmd), VBScript (.vbs), and JScript (.js) files.
Packaged App Rules
Control Store and packaged apps (.appx, .msix).
Creating an AppLocker Policy
- Define default rules that allow Windows system files
- Add allow rules for approved applications
- Add deny rules for blocked applications
- Set enforcement mode (Audit Only or Enforce)
- Assign to device groups
Enforcement Modes
Audit Only
Rules are evaluated but not enforced. Matches are written to the AppLocker event logs so the policy can be tested before it blocks anything.
Enforce Rules
Rules are actively enforced. Applications that do not match an allow rule (or that match a deny rule) are blocked.
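The policy-creation steps above and the Audit Only mode, worked through on a single Windows device as an added example (this is not code from the original page or from the product it documents; the folder C:\Program Files\ApprovedApp and the output path C:\Policies\applocker-audit.xml are placeholders):

```powershell
# Added example: build an AppLocker policy from an approved-apps folder, set it to
# Audit Only, test it, apply it, then read the audit events the page refers to.
# Assumptions (placeholders): approved apps under $appDir, policy written to $policyXml.
$appDir    = 'C:\Program Files\ApprovedApp'
$policyXml = 'C:\Policies\applocker-audit.xml'

# 1. Collect publisher and hash information for the executables, scripts and
#    installers in the approved folder. Publisher rules are preferred because they
#    survive application updates; unsigned files fall back to a file hash rule.
$fileInfo = Get-AppLockerFileInformation -Directory $appDir -Recurse `
    -FileType Exe, Script, WindowsInstaller

$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Approved -Optimize -Xml

# 2. Put every rule collection into Audit Only before deployment so nothing is
#    blocked while the policy is being tested. New-AppLockerPolicy emits
#    EnforcementMode="NotConfigured"; switch to 'Enabled' when ready to enforce.
[xml]$doc = $policy
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyXml)

# 3. Dry-run the policy against a file without applying it (constructed path).
Test-AppLockerPolicy -XmlPolicy $policyXml -Path "$appDir\app.exe" -User Everyone

# 4. Apply the policy locally. -Merge keeps existing rules, including the default
#    rules that allow Windows system files, instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# 5. Review what Audit Only would have blocked: event ID 8003 (EXE/DLL) and
#    8006 (script or installer) are the "would have been blocked" audit events.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
              'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003, 8006
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

The Application Identity service (AppIDSvc) must be running on the device for AppLocker to evaluate rules and write these events.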
AppLocker vs WDAC
| Feature | AppLocker | WDAC |
|---|---|---|
| Edition Required | Enterprise/Education | All editions |
| Policy Scope | Per-user or per-machine | Kernel-level |
| Tamper Resistance | Moderate | High |
| Best For | User-level control | High-security environments |
Best Practices
- Start in Audit mode for at least two weeks
- Use publisher rules (survive app updates)
- Always include default rules
- Test with all business-critical applications
- Monitor event logs for blocked apps
API Reference
- GET /api/devices/applocker/policies — List policies
- POST /api/devices/applocker/policies — Create policy
- GET /api/devices/applocker/policies/:id/status — Get status
- GET /api/devices/applocker/events — Get audit events