Packaged Apps and Packaged App Installer Rules in AppLocker

 

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8 Enterprise

This topic explains the AppLocker rule collection for packaged app installers and packaged apps introduced in Windows Server 2012 and Windows 8.

Commonly known as Windows apps, packaged apps can be installed through the Microsoft AppStore or can be sideloaded using the Windows PowerShell cmdlets if you have an Enterprise license. A standard user can install packaged apps, unlike some desktop applications, which sometimes require administrative privileges for installation. In this topic, desktop applications refer to Win32 apps that run on the classic user desktop.

Typically, an app consists of multiple components: the installer used to install the app and one or more EXEs, DLLs or scripts. With desktop applications, these components do not always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections: Exe, Dll, Script and Windows Installers. In contrast, all the components of a packaged app share the same attributes: publisher name, package name and package version. It is therefore possible to control an entire app with a single rule.

In Windows Server 2012 and Windows 8, AppLocker enforces rules for packaged apps separately from desktop applications. A single AppLocker rule for a packaged app can control both the installation and the running of an app. Because all packaged apps are signed, AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following attributes of the app:

  • Publisher name

  • Package name

  • Package version
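
The following is an added example, not part of the original topic: it builds a publisher rule for one installed packaged app with the AppLocker cmdlets, lists the three attributes the rule is keyed on, and evaluates the package against the resulting policy. The choice of sample package and the output path are assumptions; run it on Windows 8 or Windows Server 2012 or later.

```powershell
# Added example. Requires the AppLocker and Appx modules (Windows 8 / Server 2012+).
Import-Module AppLocker

# Assumption: use the first packaged app installed for the current user as the sample.
$pkg = Get-AppxPackage | Select-Object -First 1
if (-not $pkg) { throw 'No packaged apps are installed for this user.' }

# Hypothetical output path for the generated policy.
$policyPath = Join-Path $env:TEMP 'packaged-app-rule.xml'

# Read the publisher information from the signed package and generate
# a policy that contains a single publisher rule for it.
$pkg |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Out-File -FilePath $policyPath

# Packaged app rules are stored in the 'Appx' rule collection. In the policy XML,
# the package name is held in the ProductName attribute of the publisher condition.
[xml]$policy = Get-Content -Path $policyPath -Raw
$appx = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }

foreach ($rule in $appx.FilePublisherRule) {
    $cond = $rule.Conditions.FilePublisherCondition
    [pscustomobject]@{
        RuleName       = $rule.Name
        Action         = $rule.Action
        PublisherName  = $cond.PublisherName
        PackageName    = $cond.ProductName
        VersionLow     = $cond.BinaryVersionRange.LowSection
        VersionHigh    = $cond.BinaryVersionRange.HighSection
    }
}

# Check how the generated policy would treat the sample package, without applying it.
$pkg | Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone
```

Nothing is enforced by this script: the policy is only written to a file and evaluated with Test-AppLockerPolicy, so the rule can be reviewed before it is merged into a Group Policy object.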

In summary, including AppLocker rules for packaged apps in your policy design provides:

  • The ability to control the installation and the running of the packaged app

  • The ability to control all the components of the app with a single rule rather than controlling individual binaries within the app

  • The ability to create application control policies that survive application updates

  • Management of packaged apps through Group Policy

See also

| Resource | Windows Server 2008 R2 and Windows 7 | Windows Server 2012 and Windows 8 |
|---|---|---|
| Product evaluation | Frequently Asked Questions; AppLocker Step-by-Step Guide | AppLocker Overview |
| Procedures | AppLocker Operations Guide | Administer AppLocker; Manage Packaged Apps with AppLocker |
| Scripting | Using the AppLocker Windows PowerShell Cmdlets | Using the AppLocker Windows PowerShell Cmdlets |
| Technical content | AppLocker Technical Reference | AppLocker Technical Reference |
| Design, planning and deployment | AppLocker Policies Design Guide; AppLocker Policies Deployment Guide | AppLocker Policies Design Guide; AppLocker Policies Deployment Guide |
| General information and additional resources | AppLocker Documentation for Windows 7 and Windows Server 2008 R2 | AppLocker Overview [Client] |