Windows deploymentIntermediate23 min read

What Is AppLocker in Windows Administration?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

AppLocker is a tool built into Windows that lets system administrators create rules to block or allow specific programs from running. It helps prevent unauthorized software, like malware or unapproved games, from being installed or executed. You can think of it as a bouncer at a club who checks a list before letting anyone inside the computer system.

Commonly Confused With

AppLockervsWindows Defender Application Control (WDAC)

WDAC is a more modern and secure application control technology that works at the kernel level and can control kernel-mode drivers, while AppLocker works at the user mode and cannot control drivers. WDAC uses a policy file that is signed and cannot be easily changed by an administrator, offering higher tamper protection. AppLocker is easier to configure and is suitable for environments that do not require the highest security level.

If you need to block a driver that is loading during system startup, use WDAC. If you just need to block unauthorized executables on normal user workstations, AppLocker is sufficient.

AppLockervsSoftware Restriction Policies (SRP)

SRP is an older application control feature available in earlier versions of Windows. AppLocker is a replacement that provides more granular control, better logging, and support for UWP apps. SRP is still available for legacy compatibility but is not recommended for new deployments. AppLocker rules are easier to manage and test.

If you are deploying new Windows 10 computers, use AppLocker. If you have legacy Windows XP computers, you may need to rely on SRP.

AppLockervsUser Account Control (UAC)

UAC prompts users for permission before allowing an application to make system-level changes. It does not block the application from running based on a policy; it only asks for consent. AppLocker blocks or allows applications automatically based on rules without prompting the user. UAC and AppLocker serve different purposes and complement each other.

UAC will ask you if you want to allow an installer to make changes. AppLocker will block the installer entirely if it is not approved, so you never even get the UAC prompt.

Must Know for Exams

For the MD-102 (Microsoft Endpoint Administrator) exam, AppLocker is a significant topic. It falls under the domain 'Deploy and manage applications' and specifically within the objective 'Implement application control policies.' The exam expects you to understand how to configure, deploy, and troubleshoot AppLocker policies using both Group Policy and Microsoft Intune.

You will need to know the difference between AppLocker and other application control tools like Windows Defender Application Control (WDAC). The exam may test your ability to choose the right tool based on a scenario. AppLocker is typically used for smaller environments or legacy applications, while WDAC is recommended for modern, high-security deployments.

Questions often present a scenario where a company wants to block unauthorized software on Windows 10/11 devices that are managed by Intune. You must decide whether to configure AppLocker via a custom profile using the AppLocker CSP or to use a different method like Windows Defender Application Control. The exam also tests your understanding of rule conditions: publisher, path, and file hash. You may be asked which condition is most appropriate when you want to allow all software from a trusted vendor (answer: publisher condition).

Another common question type involves troubleshooting. A user reports that a legitimate application is being blocked. You need to identify why: perhaps the application is installed in a non-standard path, or the rule was configured incorrectly. The exam might ask you to view the AppLocker event logs (Event ID 8003 for allow, 8004 for deny) to determine the cause.

You should also know the enforcement modes: Audit Only, Enforce, and Not Configured. The exam may ask which mode to use when you are testing a new policy without affecting end users. The answer is Audit Only.

Finally, the MD-102 will test your knowledge of how AppLocker integrates with Group Policy. You may be asked how to deploy AppLocker rules to multiple computers. The correct approach is to create a Group Policy Object, configure AppLocker settings under Computer Configuration/Windows Settings/Security Settings/Application Control Policies/AppLocker, link the GPO to the appropriate OU, and then run gpupdate on the target machines.

Simple Meaning

Imagine your computer is like a private building with many doors. Without any security, anyone could walk in and bring anything they want. AppLocker acts like a security guard at the main entrance who checks every person and package against a strict list. If a person or item is not on the approved list, the guard stops them at the door.

In the digital world, AppLocker inspects every program, script, installer, and even dynamic link library (DLL) that tries to run on a Windows computer. It uses rules that you define based on file attributes like the file name, the file path, the publisher, or a file hash (a unique fingerprint). If a program matches a rule in the allowed list, it runs normally. If it matches a denied rule or does not match any allowed rule, the program is blocked and the user sees an error message saying the app has been blocked by your system administrator.

This is important for schools, hospitals, banks, and any organization that needs to keep their computers safe and running only the software that IT has approved. For example, a school might block all games and social media apps on student computers. A bank might allow only approved banking software and block everything else to prevent malware or data theft.

AppLocker works on different editions of Windows, like Windows 10 Enterprise, Windows 11 Enterprise, and Windows Server. It is a more modern and flexible upgrade from an older feature called Software Restriction Policies. Unlike some other security tools, AppLocker does not rely on a central server to check every request; instead, the rules are cached on each computer so it works even if the computer is offline.

One key point is that AppLocker is not the same as antivirus software. Antivirus looks for known bad programs, while AppLocker enforces a policy about which programs are allowed to run at all. This makes it a powerful tool for preventing both known and unknown threats, because even if a new virus appears, it will be blocked if it is not on the approved list.

Full Technical Definition

AppLocker is a Group Policy and local security policy feature introduced in Windows 7 and Windows Server 2008 R2, designed to provide granular application control. It is part of Microsoft's broader security stack and is used primarily in enterprise environments to enforce a whitelist or blacklist of executable files, scripts, Windows Installer files, packaged apps, and DLLs.

AppLocker rules are built using file attributes: publisher (digital signature from the software vendor), path (file system location), and file hash (SHA2 cryptographic hash). Rules can be configured for five rule collections: Executable Rules, Windows Installer Rules, Script Rules, Packaged app Rules, and DLL Rules. Each collection enforces controls on a specific type of executable content.

Enforcement can be set to Audit Only, Enforce rules, or Not Configured. Audit mode logs events without blocking, which is useful for testing new policies before full deployment. Enforce mode actively blocks or allows applications based on the rules. AppLocker generates event IDs 8000 to 8029 in the Event Viewer, which administrators can review to see blocked or allowed applications.

AppLocker integrates with Active Directory through Group Policy. An administrator can create rules in a Group Policy Object (GPO) and link it to organizational units (OUs). Client computers download the policy during a Group Policy refresh (typically every 90 minutes) and apply the rules locally. AppLocker also supports the AppLocker CSP (Configuration Service Provider) for mobile device management (MDM) with Microsoft Intune, making it relevant for modern hybrid and cloud-managed environments.

A key technical detail is that AppLocker applies only to the user who is currently logged on. It evaluates rules in order: first explicit deny rules, then explicit allow rules. If no rule matches, the default action is to deny. However, if the rule collection is set to allow by default, only explicitly denied files are blocked. The default action is configurable per rule collection.

For executable rules, the publisher condition uses the digital signature of the file. This allows an administrator to allow all software published by Microsoft, for example, without having to specify every single file. The path condition can use environment variables like %ProgramFiles% to cover standard installation locations. The file hash condition is the most specific, applying to a single file version, which is ideal for blocking a particular malicious file.

On Windows 10 and Windows 11, AppLocker can also control Universal Windows Platform (UWP) apps and packaged desktop apps. This extends control beyond traditional Win32 executables. AppLocker does not manage user rights or permissions beyond execution; it does not replace User Account Control (UAC) or antivirus. It also does not block administrative tools like PowerShell or Task Manager unless specifically configured.

Performance impact is minimal because rules are evaluated at process creation time. Once a process is running, AppLocker does not re-evaluate. This makes it suitable for high-security environments like point-of-sale systems, healthcare workstations, and government systems where the list of approved applications is static.

Real-Life Example

Think of AppLocker like the security checkpoint at an airport. When you fly, you can only bring items that are allowed by the airline and government rules. You cannot bring a water bottle larger than 100ml, sharp objects, or flammable liquids. The security officer checks your bag against a list of banned items. If something is on the banned list, it is confiscated. If something is not on the allowed list but also not banned, it is usually allowed unless the officer decides it is suspicious.

In the IT world, AppLocker works similarly but with a different philosophy. Instead of banning only known bad items (like water bottles), many organizations set AppLocker to allow only the specific items that are approved (like a clear, sealed bag with only permitted items). This is called whitelisting. In this mode, any program that is not on the approved list is automatically blocked, even if it is not malicious.

For example, a school district might configure AppLocker to allow only Microsoft Office, Google Chrome, and the school’s learning management system (like Canvas). Students cannot install or run any other programs, including games, file-sharing apps, or even other browsers. If a student tries to run Fortnite, AppLocker immediately blocks it because Fortnite’s executable file does not match any allow rule.

In audit mode, AppLocker acts like a hidden camera at the airport. It watches everything and records what was allowed or denied, but it does not stop anything. This is useful for testing: if you plan to block all games, you first run audit mode for a week to see which games are actually being used. Then you can make rules based on real data without accidentally blocking a needed program.

Just like airport security updates its rules based on threats, IT administrators update AppLocker rules when new software is approved or when security threats emerge. For instance, if a new ransomware variant spreads through a specific type of script, administrators can create a new rule to block that script type globally.

Why This Term Matters

For IT professionals, AppLocker is a vital layer of defense against unauthorized software and malware. In a typical enterprise, end users have a tendency to download and install freeware, browser extensions, and other programs that may contain adware, spyware, or ransomware. AppLocker puts a stop to this by enforcing a strict policy of which applications are allowed to run. This drastically reduces the attack surface of the organization.

AppLocker is especially important in environments that handle sensitive data, such as healthcare (HIPAA compliance), finance (PCI DSS), and government (FedRAMP). Many compliance frameworks require organizations to implement application whitelisting as a security control. AppLocker provides an out-of-the-box way to meet these requirements without purchasing third-party software.

Another reason AppLocker matters is its integration with modern management tools. With Microsoft Intune and Windows Autopilot, IT administrators can deploy AppLocker policies to cloud-managed devices. This means even remote workers and BYOD (bring your own device) scenarios can be secured with the same policies as on-premises computers.

AppLocker also simplifies troubleshooting. When a user reports that they cannot run a program, the administrator can check the Event Viewer for AppLocker event IDs to see exactly why the program was blocked. This targeted logging is more informative than a vague error message.

Without AppLocker, organizations rely heavily on antivirus and user training, which are both less effective. Antivirus only catches known malware signatures. User training often fails because users click without thinking. AppLocker provides a preventive control that stops the execution of unapproved software before it can cause harm.

Finally, AppLocker is cost-effective because it is included with Windows Enterprise and Education editions. Organizations already paying for these licenses get application control at no additional cost, making it a smart choice for budget-conscious IT departments.

How It Appears in Exam Questions

Exam questions about AppLocker on the MD-102 typically fall into three patterns: scenario-based decision, configuration steps, and troubleshooting.

Scenario-based decision questions present a business requirement and ask you to choose the best application control solution. For example: 'A company uses Windows 10 Enterprise devices managed by Intune. They need to block all executable files not signed by their trusted software vendor. Which solution should you recommend?' The correct answer could be AppLocker with a publisher rule, or Windows Defender Application Control depending on the scenario details. The exam will include clues like 'devices are not domain-joined' or 'need to support line-of-business apps' that guide the answer.

Configuration questions ask you to put steps in order or select the correct setting. For instance: 'You are configuring AppLocker to allow all software from Microsoft. Which rule condition should you use? A) Path, B) Publisher, C) File hash, D) None of the above.' The answer is Publisher because it uses the digital signature of the software to identify the publisher.

Troubleshooting questions describe a problem where an allowed application is being blocked. You may be presented with an AppLocker event log entry and asked what the issue is. Example: An application is installed in C:\MyApps\ but the path rule only allows C:\Program Files\*. The answer is that the application path does not match the allow rule. You may then be asked how to fix it: either move the application to the allowed path or update the rule to include the new path.

Another common troubleshooting scenario involves the default rule. AppLocker has default rules that allow all users to run files from Program Files, Windows, and other protected locations. If a user installs software to a custom folder, the default rules will not apply, and the application will be blocked unless a custom allow rule is created.

You may also see questions about the order of rule evaluation. AppLocker evaluates deny rules first, then allow rules. If no rule matches, the default action is deny (unless the collection is set to allow by default). This is a common exam trap: learners think that if an allow rule exists, the file will run regardless of deny rules. But deny rules take precedence.

Finally, questions about AppLocker and Intune may ask you to configure a profile using the AppLocker CSP. You need to know that the CSP is accessed via OMA-URI in Intune custom profiles. The uri is ./Vendor/MSFT/AppLocker. You configure the XML policy file and upload it. The exam may test the format of this XML or the steps to deploy it.

Study MD-102

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Contoso Healthcare, a regional hospital network, manages 500 Windows 11 Enterprise workstations used by doctors, nurses, and administrative staff. The IT security team is concerned about recent ransomware attacks in the healthcare sector. They decide to implement AppLocker to prevent unauthorized software from running on any hospital computer.

Currently, staff can install any software they want because there is no application control. Some nurses have installed personal games and weather apps on their workstations. The security team wants to allow only the following applications: Microsoft Office 365, the hospital’s electronic health record (EHR) system, Google Chrome, and a few specialized medical imaging tools. All other executables, scripts, and installers should be blocked.

The IT team starts by configuring AppLocker in Audit Only mode on a test group of 20 computers. They enable this for the Executable Rules collection. They create a publisher rule that allows all software signed by Microsoft, a path rule to allow the EHR system installed at C:\EHR\, and a file hash rule for the specific version of the medical imaging tool. They also enable default rules to allow Windows components and Program Files.

After one week, they review the AppLocker event logs. They discover that three staff members are using a third-party PDF reader that is not approved. They also see that the medical imaging tool is being blocked because the file hash changed after an automatic update. The team updates the file hash rule and communicates to staff that only approved PDF readers will be allowed moving forward.

Once the testing phase is complete, the team switches to Enforce mode for the same rule collection. They use Group Policy to deploy the AppLocker policy to all 500 computers. They also create a help desk process: if a legitimate application is blocked, staff can submit a request for a new rule.

After implementation, the hospital sees a 90% reduction in software-related support tickets. No new malware infections occur because all unapproved executables are automatically blocked. The hospital also passes its annual HIPAA security audit because it now has application whitelisting in place.

Common Mistakes

Thinking AppLocker works like antivirus and scans for malware signatures

AppLocker does not check if a file is malicious; it only checks if the file matches an allow or deny rule based on publisher, path, or hash. A completely safe program will be blocked if no rule allows it, and a dangerous program will run if it matches an allow rule.

Understand that AppLocker is a whitelist/blacklist tool, not a malware scanner. Combine it with antivirus for full protection.

Configuring AppLocker rules without enabling the Application Identity service

The Application Identity service (AppIDSvc) must be running for AppLocker to enforce rules. If this service is disabled, AppLocker rules are not evaluated, and all programs run without restriction.

In Group Policy or locally, set the Application Identity service startup type to Automatic and start the service.

Assuming default rules automatically allow all applications in Program Files

The default rules allow only applications in specific subfolders like Program Files and Windows. If an application installs to a custom folder (e.g., C:\CustomApps\), the default rules will not cover it, and the application will be blocked unless a custom allow rule is created.

Always test new applications after deploying AppLocker. If an app is blocked, create a custom path or publisher rule to allow it.

Setting the enforcement mode to 'Not Configured' and expecting AppLocker to block anything

When a rule collection is set to 'Not Configured', AppLocker does not enforce any rules. It effectively disables control for that collection. To block or allow, you must set enforcement to 'Enforce rules'.

For each rule collection you want to control, set the enforcement mode to 'Enforce rules'. Use 'Audit Only' for testing.

Believing AppLocker can block kernel-mode drivers or control administrative tasks like system restore

AppLocker only controls user-mode applications, scripts, installers, and DLLs. It cannot block kernel-mode drivers or prevent an administrator from using Task Manager or Command Prompt. Some powerful system tools will run regardless.

Use Windows Defender Application Control (WDAC) for kernel-level control. AppLocker is not meant for every scenario; know its limits.

Exam Trap — Don't Get Fooled

{"trap":"The exam might present a scenario where a user is a member of the local Administrators group and ask if AppLocker rules still apply to that user.","why_learners_choose_it":"Many learners think that because administrators have full control over the system, AppLocker rules do not apply to them. They choose answers that say 'administrators are exempt from AppLocker rules'."

,"how_to_avoid_it":"Remember that AppLocker rules apply to all users, including administrators, unless the rules are specifically configured to create an exception for a user or group. By default, an administrator cannot run blocked applications. The correct answer is that AppLocker applies equally to all users, and the administrator would also be blocked."

Step-by-Step Breakdown

1

Plan the application control policy

Before configuring AppLocker, decide which applications are allowed and which are blocked. Consider the organization's security requirements, compliance standards, and line-of-business applications. Document the list of allowed publishers, paths, and file hashes. This planning phase prevents disruption later.

2

Enable and start the Application Identity service

The Application Identity service must be running for AppLocker to enforce rules. This service identifies and evaluates applications. Without it, AppLocker cannot block or allow anything. Set the startup type to Automatic and start the service on every target computer.

3

Create rules for each rule collection

AppLocker supports five rule collections: Executable, Windows Installer, Script, Packaged App, and DLL. For each collection, create rules using publisher, path, or file hash conditions. Start with default rules that allow Windows and Program Files, then add custom rules for your organization's applications.

4

Choose enforcement mode

For each rule collection, set the enforcement mode to 'Audit Only', 'Enforce rules', or 'Not Configured'. Use Audit Only for initial testing to see what would be blocked without affecting users. After testing, switch to Enforce rules to begin blocking unauthorized applications.

5

Deploy the policy via Group Policy or Intune

In Group Policy, navigate to Computer Configuration/Windows Settings/Security Settings/Application Control Policies/AppLocker. Configure rules and enforcement, then link the GPO to the target organizational unit. For Intune-managed devices, use a custom profile with the AppLocker CSP to deploy the XML policy. Ensure devices receive the policy by checking gpupdate or Intune sync.

6

Test and monitor with event logs

After deployment, monitor the Event Viewer under Applications and Services Logs/Microsoft/Windows/AppLocker for events. Event ID 8003 indicates allowed executables, 8004 indicates denied executables. Use this data to verify that approved applications are running and that unauthorized ones are being blocked. Adjust rules as needed.

7

Create a process for rule exceptions

Define a standard procedure for users to request new allowed applications. When a legitimate application is blocked, evaluate it, update the AppLocker policy with a new rule, and redeploy. This prevents users from circumventing security and keeps the policy manageable.

Practical Mini-Lesson

AppLocker is a powerful tool, but its success depends on careful planning and ongoing management. When you first deploy AppLocker, the most common mistake is to enable enforcement mode immediately without testing. This almost always results in legitimate applications being blocked, causing user frustration and emergency help desk calls. Always start with Audit Only mode for at least a week. During this period, review the audit logs to see what applications are actually running in your environment. You may discover shadow IT software that you did not know about.

Another practical consideration is the default rules. AppLocker includes default rules that allow all users to run files from the Windows folder, Program Files, and other protected locations. These default rules are useful because they allow Windows itself and most standard software installations to work without extra configuration. However, if you want to block all unapproved software, you must be careful: the default rules allow any executable in those folders. If a user installs a game to Program Files, that game will run if the default rules are present. To prevent this, you can remove the default rules and create more restrictive custom rules, but then you must ensure that every necessary Windows component is also allowed.

For IT professionals, one of the most practical tips is to use the exporter tool in Windows. You can run Get-AppLockerPolicy to export the current policy as an XML file. This XML file can be imported to other machines or used as a baseline. You can also use Set-AppLockerPolicy to import a policy from a file. This makes it easy to copy a tested configuration across many machines.

When troubleshooting AppLocker issues, always check three things: Is the Application Identity service running? Is the enforcement mode set correctly? And do the rules cover the full path or publisher of the blocked application? Many issues are resolved by verifying these three factors.

Finally, remember that AppLocker does not protect against all threats. A user could still run a script from a USB drive if the script matches an allow rule. Also, some advanced malware can bypass AppLocker by injecting code into an allowed process. For this reason, AppLocker should be part of a defense-in-depth strategy that includes antivirus, firewall, patching, and user education.

Memory Tip

A-P-P = Always check the Path, Publisher, and Permission (service running) before troubleshooting AppLocker blocks.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I use AppLocker on Windows 10 Home or Pro?

AppLocker is available only on Windows Enterprise, Education, and Server editions. Windows 10/11 Pro does not include AppLocker. If you use Pro, consider using Windows Defender Application Control or third-party tools.

How do I allow a specific software vendor's applications using AppLocker?

Use the publisher rule condition. When configuring the rule, choose the reference file from that vendor, set the scope to 'Publisher' (recommended), and select the vendor name. This will allow all files signed by that publisher's certificate.

What happens if I have both an allow rule and a deny rule for the same application?

AppLocker evaluates deny rules before allow rules. The deny rule takes precedence, and the application will be blocked. To avoid confusion, do not create conflicting rules.

Does AppLocker block scripts like PowerShell or VBScript?

Yes, AppLocker can control scripts if you configure the Script Rules collection. By default, script execution is not controlled, but you can create rules to allow or deny PowerShell scripts, VBScript, JS, and other script types.

Can I use AppLocker to block USB drives from running executables?

Yes. You can create a path rule that denies all files from removable media paths (e.g., E:\*.exe). This prevents users from running unauthorized software from USB drives.

How do I view which applications AppLocker is blocking in real time?

Use the Event Viewer. Navigate to Applications and Services Logs/Microsoft/Windows/AppLocker/EXE and DLL. Look for Event ID 8004 (blocked) and Event ID 8003 (allowed). You can also use PowerShell cmdlets like Get-WinEvent to filter AppLocker logs.

Summary

AppLocker is a mature and reliable application control feature in Windows Enterprise editions that allows IT administrators to create rules for which executables, scripts, installers, and DLLs can run on a computer. It operates by using publisher, path, or file hash conditions, and can be deployed via Group Policy or Intune. Its primary benefit is preventing unauthorized software, which reduces malware infections and helps meet compliance requirements.

For the MD-102 exam, you need to understand AppLocker’s rule types, enforcement modes, and how it integrates with Group Policy and Intune. You should also know its limitations compared to Windows Defender Application Control. The exam will test your ability to choose the right tool for a scenario and troubleshoot common misconfigurations.

In practice, always start with Audit Only mode, rely on publisher rules when possible, and ensure the Application Identity service is running. AppLocker is not a complete security solution, but it is a critical layer in a defense-in-depth strategy. For IT certification learners, mastering AppLocker demonstrates a solid understanding of Windows endpoint management and security.