Requirements to use AppLocker

Applies to

This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.

General requirements

To use AppLocker, you need:

• A device running a supported operating system to create the rules. The computer can be a domain controller.
• For Group Policy deployment, at least one device with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.
• Devices running a supported operating system to enforce the AppLocker rules that you create.

Note:В В You can use Software Restriction Policies with AppLocker, but with some limitations. For more info, see Use AppLocker and Software Restriction Policies in the same domain.

Operating system requirements

The following table show the on which operating systems AppLocker features are supported.

Version	Can be configured	Can be enforced	Available rules	Notes
WindowsВ 10	Yes	Yes	PackagedВ apps Executable Windows Installer Script DLL	You can use the AppLocker CSP to configure AppLocker policies on any edition of WindowsВ 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running WindowsВ 10 Enterprise, Windows 10 Education, and Windows ServerВ 2016.
Windows Server 2019 Windows ServerВ 2016 Windows Server 2012 R2 Windows Server 2012	Yes	Yes	PackagedВ apps Executable Windows Installer Script DLL
Windows 8.1 Pro	Yes	No	N/A
Windows 8.1 Enterprise	Yes	Yes	PackagedВ apps Executable Windows Installer Script DLL
Windows RT 8.1	No	No	N/A
Windows 8 Pro	Yes	No	N/A
Windows 8 Enterprise	Yes	Yes	PackagedВ apps Executable Windows Installer Script DLL
Windows RT	No	No	N/A
Windows ServerВ 2008В R2 Standard	Yes	Yes	Executable Windows Installer Script DLL	Packaged app rules will not be enforced.
Windows ServerВ 2008В R2 Enterprise	Yes	Yes	Executable Windows Installer Script DLL	Packaged app rules will not be enforced.
Windows ServerВ 2008В R2 Datacenter	Yes	Yes	Executable Windows Installer Script DLL	Packaged app rules will not be enforced.
Windows ServerВ 2008В R2 for Itanium-Based Systems	Yes	Yes	Executable Windows Installer Script DLL	Packaged app rules will not be enforced.
WindowsВ 7 Ultimate	Yes	Yes	Executable Windows Installer Script DLL	Packaged app rules will not be enforced.
WindowsВ 7 Enterprise	Yes	Yes	Executable Windows Installer Script DLL	Packaged app rules will not be enforced.
WindowsВ 7 Professional	Yes	No	Executable Windows Installer Script DLL	No AppLocker rules are enforced.

AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.

Руководство по развертыванию AppLocker AppLocker deployment guide

Область применения Applies to

• Windows 10. Windows 10
• Windows Server Windows Server

В этой статье, предназначенной для ИТ-специалистов, представлены концепции и описаны действия, необходимые для развертывания политик AppLocker. This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies.

В этом руководстве приводится по шагам, основанным на проекте и планировании исследования развертывания политик управления приложениями с помощью AppLocker. This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. Он предназначен для архитекторов безопасности, администраторов безопасности и системных администраторов. It is intended for security architects, security administrators, and system administrators. В процессе последовательного и итеративного развертывания можно создавать политики управления приложениями, тестировать и настраивать политики, а также внедрять метод обслуживания этих политик по мере изменения потребностей организации. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.

В этом руководстве описывается использование политик ограничения программного обеспечения (SRP) в сочетании с политиками AppLocker для управления использованием приложений. This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. Сравнение SRP и AppLocker см. в этом руководстве по использованию политик ограничения программного обеспечения и политик AppLocker. For a comparison of SRP and AppLocker, see Using Software Restriction Policies and AppLocker policies in this guide. Чтобы понять, является ли AppLocker правильным решением для управления приложениями, см. решения по проектированию политик AppLocker. To understand if AppLocker is the correct application control solution for you, see Understand AppLocker policy design decisions.

Необходимые условия для развертывания политик AppLocker Prerequisites to deploying AppLocker policies

Ниже следующую следующую следующую рекомендацию или предварительные рекомендации по развертыванию политик: The following are prerequisites or recommendations to deploying policies:

Содержимое этого руководства Contents of this guide

В этом руководстве перечислены действия, основанные на проекте и планировании исследования развертывания политик управления приложениями, созданных и поддерживаемых AppLocker, для компьютеров с любой из поддерживаемых версий Windows, перечисленных в «Требованиях» для использования AppLocker. This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running any of the supported versions of Windows listed in Requirements to use AppLocker.

Michael Firsov

In this article I’d like to show how we can use Windows AppLocker in Windows 10 Enterprise to allow only a small subset of programs to run in an enterprise environment. As you already may know AppLocker rules function as an “allow” list meaning that you’re allowed to run only those applications which have the corresponding allow rules in the AppLocker policy.

Suppose our goal is to restrict users to run only a single third-party application installed by an administrator, for example 7Zip. Theoretically we must use a sample PC with the needed applications installed for creating an Applocker policy locally and then exporting it to Active Directory GPO, but for the sake of this test I will create my Applocker policy using 7Zip installed on my DC.

To start with, let’s take a look at my client computer – Win10Ent (Applocker policies may be applied only to enterprise OS versions!):

As we see there’re two recently installed programs – 7Zip and MS Excel Viewer – I’ve installed them under the TestCompany\ExAdmin account. Now I want any other non-administrative users to run only one of these programs – 7Zip and NOT MS Excel Viewer. As I’d like to have the same policy for all of my clients I’ll create a GPO in AD and deploy it for the CLIENTS OU:

The first default rule that allows everyone to run programs located in the Program Files folder must be deleted – otherwise MS Excel Viewer will be implicitly allowed to run for all users.

Now we must enforce the rules:

As for AppLocker policy to be enforces on a computer the Application Identity service must be running, let’s add to the Applocker GPO the enabelment of the Application Identity service in the …\Preferences\Control Panel\Service section:

After restarting my client Win10Ent (or running gpupdate /force ) – up to two times as group policy might just be read after the first restart/gpupdate and only after the second be applied – the policy must be applied and Application Identity service must be running:

Now it’s time to test the policy: I will try to do the following under I) Domain\Admin (TestCompany\ExAdmin) account II) Domain\User1 (TestCompany\User1) account:

a) run allowed 7Zip
b) run MS Excel which was installed by the administrator and

* c) run built-in Calculator

I-a) and I-b)

Both 7Z and MS Excel Viewer open successfully because there’s the AppLockaer rule stating “(Default rule) Built-in\Administrators – All folders.” – exactly what I expected to see.

II-a) User1 can run 7Zip:

II-b) …but can not run MS Excel Viewer:

Again, all works as expected. But let’s try to run the built-in Calculator as Admin and User1 and look at the results:

II-c) User starts the built-in Calc:

or by double-clicking the binary itself:

– there’s the default rule allowing everyone to run any files located in the Windows folder so why User1 has not succeeded in running Calc.exe? If you take a closer look at the Calc item in the Windows\System32 folder you will definitely notice that Calculator in Windows 10 is a Metro-style app which will eventually be run from the Program Files\WinApps folder (for example you can run it by typing CALCULATOR:// into the Run box), the Calc.exe in the System32 folder is just a wrapper that refers to the Program Files\WinApps\Microsoft.WindowsCalculator_… subfolder.
Given that there’s no AppLocker rule that would allow TestCompany\Domain Users to run programs from WinApps folder this behaviour is by design.

We can make sure this is the case by running Notepad which is the old classic application from the same Windows\System32 folder:

I-c) Administrator starts the built-in Calculator:

..or from Windows\System32:

Although there’s the explicit allow rule for Built-in\Administrators for all folders (including Program Files\WinApps) this administrator (TestCompany\ExAdmin) could not run the built-in Calculator.

Furthermore, if we look in the AppLocker log we’ll see that blocking Calculator produces the “Allow” event (both for Administrator’s and User1’s accounts):

Whatever the reason is for blocking the built-in Calculator Windows should not register “allow” event 8002 instead of “deny” 8004 event – this is the first bug in Applocker/Windows 10 Enterpise configuration.

The second is the obviously incorrect Applocker handling of the metro style applications, which leads not only to blocking allowed applications but to non-functioning Start menu and desktop customizations as well (cause they’re the metro style apps themselves).