Migration and Deployment: A look at Windows 8 AppLocker (Part 19 of 19) by Matt Hester

One of the challenges faced by most IT Departments is the concept of control over a user’s desktop / computer. What I mean by this is how does the IT Department allow users to have flexibility in running applications and configuring their work computer while at the same time “locking” down access to applications that should not be run on a work machine. We all know that if a user is allowed full administrator access to their computer, they will install all kinds of “crap” and then ultimately they will call the Help Desk because “all of a sudden”, their computer just stopped working.

One of the technologies that Microsoft introduced with Windows 7 and is still available in Windows 8 is AppLocker. Rather than duplicate the article written by my teammate, Matt Hester, I will just reference his detailed article. Today, Matt Hester posted the final part (19) of the Migration and Deployment Blog Series for the month of February where he talks about Windows 8 AppLocker.

I am including a brief snippet from Matt’s post below. If you want to read the full article, please go directly to Matt’s post.

One of the technologies we introduced with Windows 7 was AppLocker. AppLocker presented a great new way to control what applications could run on your desktop environments. Now if this sounds familiar to what Software Restriction Policies (SRP) do for your environments, it is important to understand the difference between the two. SRP are still supported and still help to control applications in your environment. They approach the challenge differently. Fundamentally there are two ways of controlling applications:

  • Block/Deny List: With this approach you create a list of all the malicious applications in the world and create rules to block them. This approach is similar to antivirus programs. As an administrator you would create deny rules for all the unwanted software that they would like to block within your business. While effective, the challenge was keeping up with the malicious software and having to create a deny rule for each application. This is essentially how SRP (in XP and Server 2003) worked; although you had allow or deny rules, it was still all based on the list.
  • Allow List: With this approach you create a list of all approved software that you need in your environment and create rules to allow only those applications and block the rest. In the allow listing mode you block all unwanted software by default and allow only those applications to run that have been explicitly allowed. While this method is effective, the main challenge is you have to create a portfolio of applications for your environment. AppLocker works in the allow listing mode.

AppLocker Overview

While SRP still can be used, it did not provide a fine-grained way to set up your lists, and maintaining an effective SRP was very reactionary. With AppLocker you can create more fine-grained policies that survive application updates. AppLocker introduced an audit mode where you can test policies before actually enforcing them. The types of rules and files that you can control with AppLocker are listed below:

| Rule collection | Associated file formats |
|---|---|
| Executable files | .exe .com |
| | .ps1 .bat .cmd .vbs .js |
| Windows Installer files | .msi .msp .mst |
| Packaged apps and Packaged app installers | |
| DLL files | .dll .ocx |

Harold Wong
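
The audit-mode workflow mentioned in the excerpt can be tried with the AppLocker PowerShell cmdlets. The following is an added example, not code from either blog post; the reference directory and output path are assumptions, and it is meant for an elevated prompt on a test machine.

```powershell
# Added example. Paths below are assumptions; adjust them for your reference machine.
$referenceDir = 'C:\Program Files'             # assumed location of approved software
$policyPath   = 'C:\Temp\applocker-audit.xml'  # assumed output file

# 1. Inventory the approved executables and generate allow rules from them.
#    Publisher rules keep matching after an application update; Hash rules are
#    the fallback for unsigned files.
$files = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe
[xml]$policy = New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
                                   -User Everyone -Optimize -Xml

# 2. Switch every generated rule collection to audit mode so nothing is blocked yet.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyPath)

# 3. Dry run: ask how the policy would treat a specific file before applying it.
#    A file with no matching allow rule is reported as DeniedByDefault,
#    which is the allow-list behaviour described above.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply the policy to the local machine (without -Merge this replaces the
#    existing local AppLocker policy) and start the Application Identity
#    service, which AppLocker needs in order to evaluate rules.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc

# 5. After users have worked normally for a while, list what enforcement would
#    have blocked. Event ID 8003 = "allowed to run, but would have been prevented".
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Each 8003 event is either an application that belongs in the portfolio and needs an allow rule, or software that the policy is meant to stop; resolve them before changing the enforcement mode.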