Document Group Policy Structure and AppLocker Rule Enforcement


Updated: June 21, 2012

Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker.

To complete this AppLocker planning document, you should first complete the following steps:

  1. Determine Your Application Control Objectives

  2. Create List of Applications Deployed to Each Business Group

  3. Select Types of Rules to Create

  4. Determine Group Policy Structure and Rule Enforcement

After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, record your findings. Use the following table to record how many GPOs to create (or edit) and which organizational units they are linked to, one row per application in each business group. If you decided to create custom rules instead of relying on the default rules that allow system files to run, note the high-level rule configuration in the Use default rule or define new rule condition column.

The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.

| Business group | Organizational unit | Implement AppLocker? | Application | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name |
|---|---|---|---|---|---|---|---|
| Bank Tellers | Teller-East and Teller-West | | Teller Software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | | |
| | | | Windows files | | Create a path exception to the default rule to exclude \Windows\Temp | | |
| Human Resources | | | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | | |
| | | | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | | |
| | | | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | | |
| | | | Windows files | | Use a default rule for the Windows path | | |
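The following PowerShell script is an added example, not part of the original TechNet page, showing how the rows in the planning table translate into actual AppLocker rules and how they are staged in a business group's GPO: a publisher condition for the signed Teller Software, a custom Windows path rule carrying the \Windows\Temp exception, a dry run with Test-AppLockerPolicy, and a file hash condition for the unsigned Time Sheet Organizer. The domain name WOODGROVE, the group names 'WOODGROVE\Bank Tellers' and 'WOODGROVE\HR-All', the GPO name 'Tellers-AppLocker' and the rule Id are assumptions made for the example; none of them appear on the page.

```powershell
# Added example (not from the original TechNet page): turn the planning rows
# above into AppLocker rules and stage them in the Bank Tellers GPO.
# Assumptions, none of which appear on the page: domain WOODGROVE, group
# 'WOODGROVE\Bank Tellers', GPO name 'Tellers-AppLocker', HR group
# 'WOODGROVE\HR-All', and a reference machine where the listed binaries are
# installed. Run elevated on a host with the AppLocker and GroupPolicy modules.
Import-Module AppLocker
Import-Module GroupPolicy

$tellerExe  = 'C:\Program Files\Woodgrove\Teller.exe'        # signed   -> publisher condition
$timesheet  = 'C:\Program Files\Woodgrove\HR\Timesheet.exe'  # unsigned -> file hash condition
$tellerGrp  = 'WOODGROVE\Bank Tellers'                       # assumption
$gpoName    = 'Tellers-AppLocker'                            # assumption
$policyFile = Join-Path $env:TEMP 'Tellers-AppLocker.xml'

# 1. Publisher condition for the signed Teller Software. Get-AppLockerFileInformation
#    reads the Authenticode signature; stop if the plan's "file is signed" assumption
#    does not hold rather than shipping a rule on the wrong condition type.
$tellerInfo = Get-AppLockerFileInformation -Path $tellerExe
if (-not $tellerInfo.Publisher) {
    throw "$tellerExe is not signed; the plan calls for a publisher condition"
}
[xml]$policy = New-AppLockerPolicy -FileInformation $tellerInfo -RuleType Publisher `
                   -User $tellerGrp -RuleNamePrefix 'Tellers' -Optimize -Xml

# 2. Windows files with a path exception. The built-in default rule allows all of
#    %WINDIR%\* with no exception, so the plan's "exclude \Windows\Temp" needs a custom
#    path rule. The Id is generated here; it is not the GUID of the built-in rule.
$winRule = [xml]@"
<FilePathRule Id="$([guid]::NewGuid())" Name="Windows files (except Temp)"
              Description="Allow the Windows folder but not the user-writable Temp directory"
              UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
</FilePathRule>
"@
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'New-AppLockerPolicy produced no Exe rule collection' }
[void]$exe.AppendChild($policy.ImportNode($winRule.DocumentElement, $true))
$exe.SetAttribute('EnforcementMode', 'AuditOnly')   # audit first; set Enabled after log review
$policy.Save($policyFile)

# 3. Dry run before touching the GPO: Teller.exe should come back Allowed, and a
#    binary dropped into \Windows\Temp should not, because the exception removes it
#    from the Windows rule and no other rule covers it.
$dropped = Join-Path $env:WINDIR 'Temp\dropped.exe'
Copy-Item (Join-Path $env:WINDIR 'System32\notepad.exe') $dropped -Force
try {
    Test-AppLockerPolicy -XmlPolicy $policyFile -User $tellerGrp -Path $tellerExe, $dropped |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    Remove-Item $dropped -ErrorAction SilentlyContinue
}

# 4. Stage the policy in the Tellers GPO (which must already be linked to Teller-East
#    and Teller-West). Set-AppLockerPolicy addresses the GPO by its LDAP path.
$gpo = Get-GPO -Name $gpoName
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap "LDAP://$($gpo.Path)"

# 5. The HR row for the unsigned Time Sheet Organizer needs a file hash condition:
#    same pipeline, different -RuleType, separate policy file for the HR GPO.
$tsInfo = Get-AppLockerFileInformation -Path $timesheet
if ($tsInfo.Publisher) { Write-Warning "$timesheet is signed; prefer a publisher condition" }
New-AppLockerPolicy -FileInformation $tsInfo -RuleType Hash -User 'WOODGROVE\HR-All' `
    -RuleNamePrefix 'HR' -Xml | Set-Content (Join-Path $env:TEMP 'HR-AppLocker.xml')
```

Three points a practitioner should keep in mind when following this plan. First, the \Windows\Temp exception exists because that directory is writable by standard users, so a default rule that allows everything under %WINDIR% lets any user drop and run a binary there; other user-writable locations under the Windows folder (\Windows\Tasks is a common one) deserve the same exception. Second, New-AppLockerPolicy only generates allow rules, so the deny decision the HR plan records for Internet Explorer 7 has to be authored in the policy XML as a FilePublisherRule with Action="Deny". Third, a GPO carries AppLocker rules only; nothing is audited or enforced on a client unless the Application Identity service (AppIDSvc) is running, and while the collection is in AuditOnly mode the AppLocker event log records event 8003 for each file that ran but would have been blocked, which is the data to review before switching the collection to Enabled.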

On Windows 8, Windows Server 2012 and later (but not on Windows 7 or Windows Server 2008 R2), AppLocker can also manage packaged (Windows Store) apps. For information about how to add rules for these apps to your existing GPO, see Add Rules for Packaged Apps to Existing AppLocker Rule-set.

After you have determined the Group Policy structure and rule enforcement strategy for each business group's applications, the following tasks remain: