AppLocker rule collection extensions

This article describes the rule collection extensions added in Windows 10 and later. Rule collection extensions are optional features available only for the EXE and DLL rule collections; they have no effect in the Script, MSI, or Packaged app collections. There is no Group Policy or PowerShell switch for them: configure rule collection extensions by directly editing your AppLocker policy XML, adding the following fragment as a child of the EXE or DLL <RuleCollection> element after its rules.

<RuleCollectionExtensions>
    <ThresholdExtensions>
        <Services EnforcementMode="Enabled"/>
    </ThresholdExtensions>
    <RedstoneExtensions>
        <SystemApps Allow="Enabled"/>
    </RedstoneExtensions>
</RuleCollectionExtensions>

Important

When adding any rule collection extensions to your AppLocker policy, you must include both the ThresholdExtensions and RedstoneExtensions elements, each with its child setting shown above. Including only one of them will cause your policy to behave unexpectedly.

Services enforcement

By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with Windows Defender Application Control's (WDAC) managed installer feature.

To apply AppLocker policy to nonuser processes, set <Services EnforcementMode="Enabled"/> in the <ThresholdExtensions> section as shown in the preceding XML fragment.

System apps

When using AppLocker to control nonuser processes, your policy must allow all Windows system code or your device might behave unexpectedly, because services enforcement now subjects SYSTEM services and other operating system binaries to your allow rules. Rather than writing rules for every Windows binary yourself, automatically allow all system code that is part of Windows by setting <SystemApps Allow="Enabled"/> in the <RedstoneExtensions> section as shown in the preceding XML fragment.
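The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling. It takes an exported AppLocker policy, appends the RuleCollectionExtensions fragment from this article to the EXE and DLL rule collections (leaving any other collections untouched), and then checks that every collection carrying extensions has both the ThresholdExtensions and RedstoneExtensions blocks before the file is saved. The file paths in $InputPath and $OutputPath are assumptions; replace them with your own. Get-AppLockerPolicy and Set-AppLockerPolicy are the standard AppLocker cmdlets.

```powershell
# Added example (not from the original article): add the EXE and DLL rule
# collection extensions to an exported AppLocker policy and verify that both
# extension blocks are present before saving.
$InputPath  = 'C:\Policies\AppLocker-base.xml'       # assumed path
$OutputPath = 'C:\Policies\AppLocker-extended.xml'   # assumed path

function Add-RuleCollectionExtensions {
    param(
        [Parameter(Mandatory)] [xml] $Policy,
        # Extensions are only valid for these two collections.
        [string[]] $CollectionTypes = @('Exe', 'Dll')
    )
    foreach ($rc in $Policy.AppLockerPolicy.RuleCollection) {
        if ($CollectionTypes -notcontains $rc.Type) { continue }

        # <RuleCollectionExtensions> sits inside <RuleCollection>, after the rules.
        $ext = $rc.SelectSingleNode('RuleCollectionExtensions')
        if (-not $ext) {
            $ext = $Policy.CreateElement('RuleCollectionExtensions')
            [void]$rc.AppendChild($ext)
        }

        # Services enforcement: apply the collection's rules to nonuser processes.
        $threshold = $ext.SelectSingleNode('ThresholdExtensions')
        if (-not $threshold) {
            $threshold = $Policy.CreateElement('ThresholdExtensions')
            [void]$ext.AppendChild($threshold)
        }
        $services = $threshold.SelectSingleNode('Services')
        if (-not $services) {
            $services = $Policy.CreateElement('Services')
            [void]$threshold.AppendChild($services)
        }
        $services.SetAttribute('EnforcementMode', 'Enabled')

        # System apps: allow Windows system code so enforced services keep running.
        $redstone = $ext.SelectSingleNode('RedstoneExtensions')
        if (-not $redstone) {
            $redstone = $Policy.CreateElement('RedstoneExtensions')
            [void]$ext.AppendChild($redstone)
        }
        $sysApps = $redstone.SelectSingleNode('SystemApps')
        if (-not $sysApps) {
            $sysApps = $Policy.CreateElement('SystemApps')
            [void]$redstone.AppendChild($sysApps)
        }
        $sysApps.SetAttribute('Allow', 'Enabled')
    }
    return $Policy
}

function Test-RuleCollectionExtensions {
    # Returns $true only when every collection that carries extensions is an EXE
    # or DLL collection and has both the Threshold and Redstone blocks set.
    param([Parameter(Mandatory)] [xml] $Policy)
    $ok = $true
    foreach ($ext in $Policy.SelectNodes('//RuleCollection/RuleCollectionExtensions')) {
        $type = $ext.ParentNode.GetAttribute('Type')
        if (@('Exe', 'Dll') -notcontains $type) {
            Write-Warning "RuleCollectionExtensions found under unsupported collection '$type'"
            $ok = $false
        }
        if (-not $ext.SelectSingleNode('ThresholdExtensions/Services[@EnforcementMode="Enabled"]')) {
            Write-Warning "$type collection: missing <Services EnforcementMode=""Enabled""/>"
            $ok = $false
        }
        if (-not $ext.SelectSingleNode('RedstoneExtensions/SystemApps[@Allow="Enabled"]')) {
            Write-Warning "$type collection: missing <SystemApps Allow=""Enabled""/>"
            $ok = $false
        }
    }
    return $ok
}

# Start from an exported policy; to use the machine's effective policy instead:
#   Get-AppLockerPolicy -Effective -Xml | Set-Content $InputPath
[xml]$policy = Get-Content -Path $InputPath -Raw
$policy = Add-RuleCollectionExtensions -Policy $policy
if (Test-RuleCollectionExtensions -Policy $policy) {
    $policy.Save($OutputPath)
    Write-Host "Extended policy written to $OutputPath"
    # Apply locally once you are satisfied (use -Ldap to target a GPO instead):
    #   Set-AppLockerPolicy -XmlPolicy $OutputPath -Merge
} else {
    Write-Error 'Policy not saved: extension blocks are incomplete.'
}
```

Because services enforcement brings SYSTEM services under your allow rules, stage the extended policy with the EXE and DLL collections set to EnforcementMode="AuditOnly" first and review the AppLocker event log for anything that would have been blocked before switching to Enabled.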