What Is AppLocker?

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes what AppLocker is and how its features differ from Software Restriction Policies.

AppLocker is a new feature in Windows Server 2008 R2 and Windows 7 that advances the features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules that allow or deny applications from running based on the unique identity of their files, and to specify which users or groups can run those applications.

Using AppLocker, you can:

  • Control the following types of applications: executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.

  • Assign a rule to a security group or an individual user.

  • Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).

  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.

  • Import and export rules. Import and export affect the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, all criteria in the existing policy are overwritten.

  • Streamline creating and managing AppLocker rules by using Windows PowerShell cmdlets.
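The following script is an added example, not part of the original topic, that ties the audit-only and Windows PowerShell bullets together: it builds publisher rules from an approved folder, deploys them in audit-only mode, and then reviews what would have been blocked. The folder path and export path are placeholders, and it assumes an elevated session on Windows 7 or Windows Server 2008 R2 with the AppLocker module available.

```powershell
# Added example (not from the TechNet topic): generate an AppLocker policy from an
# approved folder, deploy it in audit-only mode, and review the audit events.
# Placeholders (not from the page): $scanDir and $xmlPath below.
Import-Module AppLocker

$scanDir = 'C:\Program Files\ApprovedApps'   # placeholder: folder of approved binaries
$xmlPath = "$env:TEMP\AppLocker-audit.xml"   # placeholder: where the policy XML is written

# 1. Collect file information (publisher, hash, path) for executables and scripts.
$files = Get-AppLockerFileInformation -Directory $scanDir -Recurse -FileType Exe, Script

# 2. Build rules. Publisher rules are preferred because they persist through updates;
#    unsigned files fall back to hash rules. -Optimize merges rules that share a
#    publisher, and -Xml returns the policy as XML text instead of a policy object.
$policyXml = New-AppLockerPolicy -FileInformation $files `
                 -RuleType Publisher, Hash -User 'Everyone' `
                 -RuleNamePrefix 'Approved' -Optimize -Xml

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet;
#    AppLocker only logs what it would have blocked under enforcement.
[xml]$doc = $policyXml
foreach ($collection in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($xmlPath)

# 4. Check the policy offline before applying it. A file not covered by any rule
#    reports PolicyDecision 'DeniedByDefault', which is AppLocker's implicit deny.
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path "$env:SystemRoot\System32\notepad.exe" -User 'Everyone' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply the audit-only policy to the local computer, merging with existing rules.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# 6. After users have worked under the policy for a while, list the "would have been
#    blocked" audit events (ID 8003 in the AppLocker EXE and DLL log) to find gaps
#    before switching the collections to enforced.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message -First 20
```

The Application Identity service must be running for AppLocker to evaluate the policy and write these events, so check it with Get-Service AppIDSvc if no events appear.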

AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of help desk calls that result from users running unapproved applications.

For information about the application control scenarios that AppLocker addresses, see AppLocker Policy Use Scenarios.

What features have changed from Software Restriction Policies?

The following table compares AppLocker to Software Restriction Policies.

Feature                                      Software Restriction Policies                                          AppLocker
Rule scope                                   All users                                                              Specific user or group
Rule conditions provided                     File hash, path, certificate, registry path, and Internet zone         File hash, path, and publisher
Rule types provided                          Defined by the security levels: Disallowed, Basic User, Unrestricted   Allow and deny
Default rule action                          Unrestricted                                                           Implicit deny
Audit-only mode                              No                                                                     Yes
Wizard to create multiple rules at one time  No                                                                     Yes
Policy import or export                      No                                                                     Yes
Rule collection                              No                                                                     Yes
Windows PowerShell support                   No                                                                     Yes
Custom error messages                        No                                                                     Yes