Document Your AppLocker Rules


Updated: June 21, 2012

Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded.

To complete this AppLocker planning document, you should first complete the following steps:

  1. Determine Your Application Control Objectives

  2. Create List of Applications Deployed to Each Business Group

  3. Select Types of Rules to Create

Document the following items for each business group or organizational unit:

  • Whether your organization will use the built-in default AppLocker rules to allow system files to run.

  • The types of rule conditions that you will use to create rules, stated in order of preference.

The following table details sample data for documenting rule type and rule condition findings. In addition, you should now consider whether to allow an application to run or deny permission for it to run. For information about these settings, see Understanding AppLocker Allow and Deny Actions on Rules.

| Business group | Organizational unit | Implement AppLocker? | Application | Installation path | Use default rule or define new rule condition | Allow or deny |
|---|---|---|---|---|---|---|
| Bank Tellers | Teller-East and Teller-West | | Teller Software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | |
| | | | Windows files | | Create a path exception to the default rule to exclude \Windows\Temp | |
| Human Resources | | | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | |
| | | | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | |
| | | | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | |
| | | | Windows files | | Use the default rule for the Windows path | |
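The planning table above records a decision per file (publisher condition when signed, file hash condition when not, a path exception on the default Windows rule). The script below is an added example, not part of this topic or of Microsoft's own documentation, showing how the AppLocker PowerShell module that ships with the listed Windows versions turns those decisions into rules and lets you test them before enforcement. It uses the sample Woodgrove paths from the table; the group name `WOODGROVE\Tellers`, the output folder `C:\AppLockerPlan`, and the generated rule GUID are assumptions (placeholders), and the script expects the sample files to exist on the machine where it runs.

```powershell
# Added example (not from the original topic): build the rules the sample
# planning table calls for with the built-in AppLocker cmdlets, then test them.
# Assumptions: the Woodgrove sample paths exist on this machine, Teller.exe and
# Checkcut.exe are signed, Timesheet.exe is not; group and folder are placeholders.
Import-Module AppLocker

$outDir = 'C:\AppLockerPlan'   # placeholder output folder for the policy XML
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# --- 1. Decide the rule condition per file, exactly as the planning table does.
# Get-AppLockerFileInformation populates Publisher only when the file carries a
# valid Authenticode signature; an unsigned file yields only a Hash entry.
function Get-PlannedRuleCondition {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $info = Get-AppLockerFileInformation -Path $p
        $condition = if ($info.Publisher) {
            'File is signed; create a publisher condition'
        } else {
            'File is not signed; create a file hash condition'
        }
        [pscustomobject]@{ Path = $p; Condition = $condition }
    }
}

$apps = @(
    'C:\Program Files\Woodgrove\Teller.exe',
    'C:\Program Files\Woodgrove\HR\Checkcut.exe',
    'C:\Program Files\Woodgrove\HR\Timesheet.exe'
)
Get-PlannedRuleCondition -Path $apps | Format-Table -AutoSize

# --- 2. Generate the allow rules. The RuleType order is the preference order:
# a publisher rule is created when the file is signed, a hash rule otherwise.
$policyArgs = @{
    FileInformation = Get-AppLockerFileInformation -Path $apps
    RuleType        = 'Publisher', 'Hash'
    User            = 'WOODGROVE\Tellers'   # placeholder group
    RuleNamePrefix  = 'Woodgrove'
    Optimize        = $true                 # merge rules that share a publisher
    Xml             = $true                 # emit the policy as XML text
}
New-AppLockerPolicy @policyArgs | Out-File "$outDir\Woodgrove-apps.xml" -Encoding utf8

# --- 3. The default Windows path rule with the exception the table asks for
# (\Windows\Temp), written in AppLocker's policy XML. Excluding the user-writable
# Temp folder keeps the broad %WINDIR% path rule from allowing arbitrary drops.
$ruleId = [guid]::NewGuid()   # placeholder rule ID; any unique GUID is valid
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$ruleId"
                  Name="(Default Rule) All files located in the Windows folder"
                  Description="Allows Everyone to run files under the Windows folder, except Temp."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Out-File "$outDir\Windows-default-with-exception.xml" -Encoding utf8

# --- 4. Check the plan before enforcing it: does each file get the verdict the
# table expects under the generated policy, for the group it applies to?
Test-AppLockerPolicy -XmlPolicy "$outDir\Woodgrove-apps.xml" -Path $apps -User 'WOODGROVE\Tellers' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply in audit mode first and merge with the existing local policy; review the
# AppLocker event log before switching EnforcementMode to Enabled.
# Set-AppLockerPolicy -XmlPolicy "$outDir\Windows-default-with-exception.xml" -Merge
```

The `Get-PlannedRuleCondition` output reproduces the "Use default rule or define new rule condition" column from the table, so it can be pasted into the planning document, and `Test-AppLockerPolicy` gives the "Allow or deny" outcome for each file without touching the live policy. Keep the rule collection in `AuditOnly` until the audit events confirm the plan matches what the business groups actually run.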