AppLocker Policy Use Scenarios
Updated: December 4, 2013
Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented.
AppLocker can help you improve the management of application control and the maintenance of application control policies. Application control scenarios addressed by AppLocker can be categorized as follows:
AppLocker has the ability to enforce its policy in an audit-only mode where all application access activity is collected in event logs for further analysis. Windows PowerShell cmdlets are also available to help you understand application usage and access.
Protection against unwanted software
AppLocker can prevent applications from running simply by excluding them from the list of allowed applications per business group or user. If an application is not specifically identified by its publisher, installation path, or file hash, the attempt to run the application fails.
AppLocker can provide an inventory of software usage within your organization, so you can identify the software that corresponds to your software licensing agreements and restrict application usage based on licensing agreements.
AppLocker policies can be configured to allow only supported or approved applications to run on computers within a business group. This permits a more uniform application deployment.
AppLocker policies can be modified and deployed through your existing Group Policy infrastructure and can work in conjunction with policies created by using Software Restriction Policies. As you manage ongoing change in your support of a business group's applications, you can modify policies and use the AppLocker cmdlets to test the policies for the expected results. You can also design application control policies for situations in which users share computers.
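The audit-only inventory and the cmdlet-based policy test described above can be combined into one workflow. The following is an added example, not part of the original topic: the group name, rule prefix, file paths and tested folder are assumptions, and it expects AppLocker rules to have already run in audit-only mode on the computer.

```powershell
# Added example. Values marked "hypothetical" are assumptions, not from the topic.
Import-Module AppLocker

$candidateXml = 'C:\Temp\candidate-applocker.xml'   # hypothetical output file
$targetUser   = 'CONTOSO\FinanceUsers'              # hypothetical business group
$appFolder    = 'C:\Program Files'                  # hypothetical folder to test
$exeDllLog    = 'Microsoft-Windows-AppLocker/EXE and DLL'

# 1. Inventory: which accounts triggered audit events. Event ID 8003 means the
#    file ran but would have been blocked if the rules were enforced.
Get-WinEvent -FilterHashtable @{ LogName = $exeDllLog; Id = 8003 } -ErrorAction SilentlyContinue |
    Group-Object -Property UserId |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name

# 2. Collect file information (publisher, hash, path) for the audited files.
$audited = Get-AppLockerFileInformation -EventLog -LogPath $exeDllLog -EventType Audited
if (-not $audited) {
    Write-Warning 'No audited AppLocker events found; run in audit-only mode first.'
    return
}

# 3. Build a candidate policy from what was actually used, preferring
#    publisher rules and falling back to file-hash rules for unsigned files.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $targetUser `
        -RuleNamePrefix 'Finance' -Optimize -Xml |
    Out-File -FilePath $candidateXml

# 4. Test the candidate before deploying it through Group Policy: list every
#    executable under $appFolder that the policy would stop for $targetUser.
Get-ChildItem -Path $appFolder -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $candidateXml -User $targetUser `
        -Filter Denied, DeniedByDefault |
    Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize
```

Review the generated rules before deployment: a policy built from audit events allows whatever ran during the audit window, including software you may not want to approve.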
The following are examples of scenarios in which AppLocker can be used:
Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.
The security policy for application usage has changed, and you need to evaluate where and when those deployed applications are being accessed.
Your organization's security policy dictates the use of only licensed software, so you need to determine which applications are not licensed or prevent unauthorized users from running licensed software.
An application is no longer supported by your organization, so you need to prevent it from being used by everyone.
Your organization needs to restrict the use of Windows Store apps to just those your organization approves of or develops.
The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
The license to an application has been revoked or is expired in your organization, so you need to prevent it from being used by everyone.
A new application or a new version of an application is deployed, and you need to allow certain groups to use it.
Specific software tools are not allowed within the organization, or only specific users have access to those tools.
A single user or small group of users needs to use a specific application that is denied for all others.
Some computers in your organization are shared by people who have different software usage needs.
In addition to other measures, you need to control the access to sensitive data through application usage.