Share via

Packaged Apps Rules in AppLocker

Updated: June 21, 2012

Applies To: Windows 8, Windows Server 2012

This topic explains the AppLocker rule collection for the Packaged apps that are introduced in Windows Server 2012 and Windows 8.

Packaged apps (also known as Windows 8 apps) are based on a model, which ensures that all the files within an app package, including the app installer, share the same identity. This model is represented by the publisher name, the package name, and the package version. Therefore, it is possible to control the entire app by using a single AppLocker rule. Unlike other AppLocker rule collections, rules for Packaged apps are not restricted to specific file extensions. However, the Packaged app installer, which has the .appx extension, is a new file type that can be controlled by rules in this rule collection. Because Windows only supports signed Packaged apps, AppLocker only supports Publisher rules for this rule collection.

For more information about how you can manage Packaged apps with AppLocker, see Packaged Apps and Packaged App Installer Rules in AppLocker.

The following table lists the default rule that is available for the Packaged app and the Packaged app installer rule collections.

Purpose Name User Rule condition type

Allow members of the Everyone group to run Packaged apps and Packaged app installers that are signed by any publisher.

(Default Rule) All signed .appx file types


Any publisher


To prevent all Packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all Packaged apps on a computer running Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the Executable rule collection. You must take explicit action to allow Packaged apps in your enterprise. You can either allow only a select set of Packaged apps, or if you want to allow all Packaged apps, you can create a default rule for the Packaged apps collection.

See Also


Understanding AppLocker Default Rules