Chapter 13 – AppLocker (Application Control)

 Windows Server Group Policy (GPO) Master Handbook

Chapter 13 – AppLocker (Application Control)

Learning Objectives

Understand AppLocker architecture, rule collections, deployment through Group Policy, audit mode, enforcement mode, and enterprise application control.

1. What is AppLocker?

AppLocker is Microsoft's application control technology that allows administrators to define which applications, scripts, installers, packaged apps, and DLLs users can run. It helps prevent unauthorized software execution and reduces malware risk.

2. Group Policy Path

Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker

3. Rule Collections

Executable Rules (.exe, .com), Windows Installer Rules (.msi, .msp, .mst), Script Rules (.ps1, .bat, .cmd, .vbs, .js), DLL Rules, and Packaged App Rules.

4. Rule Types

Publisher Rules (recommended for signed applications), Path Rules, and File Hash Rules.

5. Enforcement Modes

Audit Only logs events without blocking applications. Enforce Rules actively blocks applications that do not match an allow rule. Always begin with Audit mode before production deployment.

6. Default Rules

Create the default rules before adding custom rules to ensure Windows and administrative tools continue to function correctly.

7. Enterprise Deployment

Create AppLocker policies in a test OU, monitor audit events, refine allow rules, and deploy gradually to production departments.

8. PowerShell Commands

Get-AppLockerPolicy -Effective
Get-AppLockerFileInformation
Test-AppLockerPolicy
Set-AppLockerPolicy

9. Event Logs

Applications and Services Logs → Microsoft → Windows → AppLocker. Review EXE and DLL, MSI and Script, and Packaged App logs for audit and enforcement events.

10. Troubleshooting

Verify the Application Identity service is running, confirm the GPO is applied, check AppLocker event logs, test with Test-AppLockerPolicy, and review effective policy using Get-AppLockerPolicy.

11. Best Practices

Use Publisher rules whenever possible, avoid broad path rules, begin with Audit mode, review logs before enforcement, document exceptions, and regularly review policies.

12. Interview Questions

What is AppLocker? Difference between Path, Publisher, and Hash rules? What is Audit mode? Why is the Application Identity service required?

13. Practical Lab

Create default AppLocker rules, create a Publisher rule for Microsoft Office, enable Audit mode, review logs, then switch to Enforce mode after validation.

AppLocker Rule Reference

Rule Collection

Recommended

Purpose

Executable Rules

Enabled

Control EXE and COM files

Windows Installer Rules

Enabled

Control MSI/MSP/MST

Script Rules

Enabled

Control PowerShell and scripts

DLL Rules

Enable only after testing

Control dynamic libraries

Packaged App Rules

Enabled

Control Microsoft Store apps

Publisher Rules

Preferred

Easy maintenance

Path Rules

Use carefully

Folder-based control

Hash Rules

Use for unsigned apps

Specific file control

Microsoft Learn References

AppLocker Overview

Deploy AppLocker

AppLocker PowerShell

Application Identity Service

Comments

Popular posts from this blog

IIS Installation and Application configuration windows swerver

IIS Self Signed

Here’s a step-by-step guide on configuring WDS on Windows Server