Overview of Windows AppLocker

Applies To: Windows Server 2008 R2

AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:

  • Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.

  • Assign a rule to a security group or an individual user.

  • Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run except Registry Editor (Regedit.exe).

  • Use audit-only mode to deploy the policy and understand its impact before enforcing it.

  • Import and export rules. Import and export affect the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.

  • Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.

For more information about AppLocker rules, see Understanding AppLocker Rules.
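The audit-only, export and import capabilities listed above can be combined with the AppLocker cmdlets into a staged rollout. This is an added example, not part of the original article; the directory, file paths and rule-name prefix are assumptions.

```powershell
# Added example: stage an AppLocker policy in audit-only mode before enforcing it.
# Run elevated on a reference computer; all paths below are assumed values.
Import-Module AppLocker

$scanDir   = 'C:\Program Files'               # assumed reference install location
$backupXml = 'C:\Temp\applocker-backup.xml'   # assumed rollback file
$draftXml  = 'C:\Temp\applocker-audit.xml'    # assumed draft policy file

# 1. Export the current local policy. The export holds every rule collection
#    and its enforcement setting, so the file is a complete rollback point.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $backupXml -Encoding UTF8

# 2. Generate rules for the Everyone group: publisher rules for signed files,
#    hash rules as the fallback for unsigned ones.
$files = Get-AppLockerFileInformation -Directory $scanDir -Recurse -FileType Exe
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Audit' -Optimize -Xml

# 3. Put every generated rule collection into audit-only mode.
foreach ($collection in $policy.SelectNodes('//RuleCollection')) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($draftXml)

# 4. Dry run: count how many executables the draft would allow or deny.
Get-ChildItem -Path $scanDir -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName } |
    Test-AppLockerPolicy -XmlPolicy $draftXml -User Everyone |
    Group-Object -Property PolicyDecision |
    Select-Object -Property Name, Count

# 5. Import the draft. Without -Merge this overwrites the existing local policy.
Set-AppLockerPolicy -XmlPolicy $draftXml

# 6. After a trial period, list what enforcement would have blocked
#    (event ID 8003 is logged only in audit-only mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object -Property TimeCreated, Message
```

To roll back, run `Set-AppLockerPolicy -XmlPolicy` against the backup file from step 1.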

What has changed?

The following table compares AppLocker to Software Restriction Policies.

| Feature | Software Restriction Policies | AppLocker |
|---|---|---|
| Rule scope | All users | Specific user or group |
| Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules |
| Rule types provided | Allow and deny | Allow and deny |
| Default rule action | Allow or deny | |
| Audit-only mode | | |
| Wizard to create multiple rules at one time | | |
| Policy import or export | | |
| Rule collection | | |
| PowerShell support | | |
| Custom error messages | | |

AppLocker requirements

AppLocker is available in all editions of Windows Server 2008 R2 and in Windows 7 Ultimate and Windows 7 Enterprise. To use AppLocker, you need:

  • A computer running Windows Server 2008 R2, Windows 7 Ultimate, Windows 7 Enterprise, or Windows 7 Professional to create the AppLocker rules. Windows 7 Professional can be used to create the rules, but the rules cannot be enforced on computers running Windows 7 Professional. The computer can be a domain controller.

  • For Group Policy deployment, at least one computer with the Group Policy Management Console (GPMC) or Remote Server Administration Tools (RSAT) installed to host the AppLocker rules.

  • Computers running Windows Server 2008 R2, Windows 7 Ultimate, or Windows 7 Enterprise to enforce the AppLocker rules that you create.