How to Configure Windows Server 2016 AppLocker
AppLocker is an application control feature in Windows Server 2016 that lets administrators specify which applications users are permitted to run. Rules allow or deny files based on their publisher (the code-signing certificate), their path, or their hash, and are grouped into rule collections for executables, scripts, Windows Installer packages, DLLs, and packaged apps. Once a collection is enforced, any file in that collection that no allow rule matches is blocked, which is what reduces the risk from unauthorized software, malware, and insider threats. Rules are distributed through Group Policy.
Prerequisites
- Windows Server 2016 Standard or Datacenter edition (there is no Enterprise edition of Server 2016; both of these support AppLocker enforcement).
- Active Directory and Group Policy for deployment in a domain environment.
- The Application Identity service must be running on every computer that is to enforce the rules. In a domain, set its startup type to Automatic in the same GPO (Computer Configuration > Policies > Windows Settings > Security Settings > System Services) rather than starting it by hand on each host.
Step 1: Start the Application Identity Service
AppLocker requires the Application Identity (AppIDSvc) service to be running. The commands below start it on the local machine and make the startup persistent across reboots; for domain members, push the Automatic startup type through the GPO's System Services setting so every client enforces the policy:
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc
Step 2: Create Default AppLocker Rules
Default rules are allow rules for everything under %WINDIR% and %PROGRAMFILES%, plus a rule letting the local Administrators group run anything. The AppLocker MMC snap-in creates them with "Create Default Rules"; the PowerShell module has no equivalent cmdlet, so the scripted route is to scan those directories and build rules from what is actually installed. First resolve the GPO the rules will be written to (Get-GPO is from the GroupPolicy module; the LDAP path built here is what -Ldap expects in Step 6):
$gpo = Get-GPO -Name "AppLocker Policy" -Domain "corp.local"
$gpoLdap = "LDAP://CN={$($gpo.Id)},CN=Policies,CN=System,DC=corp,DC=local"
Then generate the executable baseline for the Windows directory. With -RuleType Publisher, Hash a publisher rule is created for each signed file and a hash rule only for files that carry no signature; -Optimize groups similar rules instead of emitting one per file:
New-Item -ItemType Directory -Path "C:\AppLocker" -Force | Out-Null
Get-AppLockerFileInformation -Directory "C:\Windows" -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User "Everyone" -Optimize -Xml |
    Out-File "C:\AppLocker\DefaultExeRules.xml"
Step 3: Create a Publisher-Based Rule
Publisher rules are the most maintainable: they match on the signer's certificate, product name, binary name and a version range rather than on file contents, so they keep matching after a patch replaces the file. Generate one from the signature on cmd.exe:
$fileInfo = Get-AppLockerFileInformation -Path "C:\Windows\System32\cmd.exe"
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher -User "Everyone" -Xml | Out-File "C:\AppLocker\CmdRule.xml"
Note what this rule actually allows: cmd.exe from that publisher and product, at that file version or newer, not every Microsoft-signed executable. To broaden it, edit the FilePublisherCondition in the XML and set BinaryName (or ProductName) to * and the BinaryVersionRange LowSection to 0.0.0.0. The broader the scope, the more signed Microsoft tooling capable of running arbitrary code it also lets through.
Step 4: Create a Path-Based Rule
Allow all executables under Program Files to run (-Optimize groups similar rules instead of emitting one per file):
Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Path -User "Everyone" -Optimize -Xml |
    Out-File "C:\AppLocker\ProgramFilesRule.xml"
A path rule allows whatever is at that path, so it is only as strong as the directory's ACL: if a standard user can create files under an allowed path, they can run anything they drop there. Restrict path rules to locations writable only by administrators, and prefer the %PROGRAMFILES% and %WINDIR% variables over drive letters so the rule follows the actual install locations.
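Before shipping a path rule for a whole directory tree, it is worth knowing which subdirectories a standard user can write to, since each one is a hole in the rule. The function below is an added example, not part of the original article: it walks the tree and reports every directory where a standard-user principal holds an allow ACE with a write or generic-write bit. It assumes English principal names (adjust $Principals on localized systems) and that the account running it can read the ACLs.

```powershell
# Added example (not from the original article): find user-writable directories
# under a path that an AppLocker path rule would allow.

function Find-UserWritablePaths {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Assumed English names; these are the principals a standard user holds.
        [string[]]$Principals = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )
    # FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4) are set in every composite
    # right that permits creating files (Write, Modify, FullControl). Generic
    # rights can appear raw in an ACE, so GENERIC_WRITE and GENERIC_ALL are
    # included in the mask as well.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            $hits = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $Principals -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $writeMask) -ne 0
            }
            if ($hits) {
                [pscustomobject]@{
                    Path       = $dir.FullName
                    Principals = ($hits.IdentityReference.Value | Select-Object -Unique) -join ', '
                    Rights     = ($hits.FileSystemRights | Select-Object -Unique) -join ', '
                }
            }
        }
}

# Usage: audit the tree the default %WINDIR% rule allows. On a stock install
# this lists directories such as C:\Windows\Tasks and C:\Windows\Temp, which
# need an explicit deny rule or an exception carved out of the path rule.
Find-UserWritablePaths -Root 'C:\Windows' | Format-Table -AutoSize
```

Walking all of C:\Windows takes a few minutes; run it once per image build and turn each hit into a deny rule or a path-rule exception before the Exe collection is enforced.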
Step 5: Create a Hash-Based Rule
Hash rules identify a file by its cryptographic hash. They are the most specific rule type, but any change to the file (including a vendor patch) changes the hash and the rule stops matching, so reserve them for unsigned tools that change rarely and plan to regenerate the rule on every update:
$fileInfo = Get-AppLockerFileInformation -Path "C:\Tools\putty.exe"
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash -User "Everyone" -Xml | Out-File "C:\AppLocker\PuttyHashRule.xml"
Step 6: Apply AppLocker Policy via Group Policy
Write the rules into the GPO. Without -Merge, Set-AppLockerPolicy replaces whatever AppLocker policy the GPO already contains; -Merge combines the new rules with the existing ones, which is what you want when adding rule files one collection at a time:
Set-AppLockerPolicy -XmlPolicy "C:\AppLocker\DefaultExeRules.xml" -Ldap "LDAP://CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local" -Merge
Or apply it to the local policy of the current machine for testing (again, add -Merge to keep rules that are already there):
Set-AppLockerPolicy -XmlPolicy "C:\AppLocker\DefaultExeRules.xml"
Step 7: Set AppLocker to Audit Mode First
Before enforcing rules, run in audit mode so that the events show what would be blocked without anything actually being blocked. Each RuleCollection element carries an EnforcementMode attribute of NotConfigured, Enabled or AuditOnly; the generated XML defaults to NotConfigured, so set every collection to AuditOnly explicitly:
[xml]$policy = Get-Content "C:\AppLocker\DefaultExeRules.xml"
$policy.AppLockerPolicy.RuleCollection | ForEach-Object { $_.SetAttribute("EnforcementMode", "AuditOnly") }
$policy.Save("C:\AppLocker\AuditPolicy.xml")
Set-AppLockerPolicy -XmlPolicy "C:\AppLocker\AuditPolicy.xml"
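The audit step and the later switch to enforcement both come down to the same two operations: combining the rule files generated above into one policy document with a uniform EnforcementMode, and checking that document against real files before it touches a GPO. The functions below are an added example, not code from the original article. They assume the rule files were produced with New-AppLockerPolicy -Xml as in the steps above; the file paths and the corp\helpdesk account are placeholders to replace, and the files passed to -Path must exist on the host where the check runs.

```powershell
# Added example (not from the original article): merge generated rule files into
# one audit-only (or enforced) policy and dry-run it with Test-AppLockerPolicy.

function Merge-AppLockerRuleXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$RuleXmlPath,
        [Parameter(Mandatory)][string]$OutPath,
        [ValidateSet('AuditOnly', 'Enabled')][string]$EnforcementMode = 'AuditOnly'
    )
    # Start from an empty policy and copy every RuleCollection (Exe, Dll, Script,
    # Msi, Appx) from each input file, appending rules when a collection of the
    # same Type is already present. Rule Ids are GUIDs, so appending is safe.
    $merged = [xml]'<AppLockerPolicy Version="1" />'
    foreach ($path in $RuleXmlPath) {
        [xml]$doc = Get-Content -LiteralPath $path -Raw
        foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
            $type   = $collection.GetAttribute('Type')
            $target = $merged.DocumentElement.SelectSingleNode("RuleCollection[@Type='$type']")
            if ($null -eq $target) {
                [void]$merged.DocumentElement.AppendChild($merged.ImportNode($collection, $true))
            } else {
                foreach ($rule in $collection.ChildNodes) {
                    [void]$target.AppendChild($merged.ImportNode($rule, $true))
                }
            }
        }
    }
    # Put the same mode on every collection so nothing is enforced by accident
    # while the rest is still being audited.
    foreach ($collection in $merged.DocumentElement.SelectNodes('RuleCollection')) {
        $collection.SetAttribute('EnforcementMode', $EnforcementMode)
    }
    $merged.Save($OutPath)
    $OutPath
}

function Test-AppLockerRuleXml {
    param(
        [Parameter(Mandatory)][string]$PolicyXml,
        [Parameter(Mandatory)][string[]]$Path,   # files that exist on this host
        [string]$User = 'Everyone'
    )
    # Test-AppLockerPolicy evaluates the files against the XML without applying
    # it. PolicyDecision is Allowed, Denied or DeniedByDefault; the last means no
    # rule matched, which an enforced collection turns into a block.
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage (placeholder paths and account): build an audit-only policy from the
# Exe baseline and the PuTTY hash rule, then check one file you expect to be
# allowed and one you expect to be denied, as a helpdesk user would see them.
$audit = Merge-AppLockerRuleXml -RuleXmlPath 'C:\AppLocker\DefaultExeRules.xml', 'C:\AppLocker\PuttyHashRule.xml' `
                                -OutPath 'C:\AppLocker\AuditPolicy.xml'
Test-AppLockerRuleXml -PolicyXml $audit -Path 'C:\Tools\putty.exe', 'C:\Users\Public\unknown.exe' -User 'corp\helpdesk' |
    Format-Table -AutoSize

# When the audit log has been quiet for long enough, regenerate the same file
# with -EnforcementMode Enabled and push it with Set-AppLockerPolicy -Ldap ... -Merge.
```

Running the dry run as the least-privileged user who actually needs the tool matters: AppLocker rules carry a user or group condition, and a policy that looks fine for Everyone can still deny a file for a scoped group rule.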
Step 8: Review AppLocker Audit Events
Check which applications would have been blocked. In the EXE and DLL log, 8002 = allowed, 8003 = would have been blocked (audit mode), 8004 = blocked (enforced); the MSI and Script log uses 8005/8006/8007 for the same three outcomes:
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" | Where-Object {$_.Id -eq 8003} | Select-Object TimeCreated, Message | Format-List
View all AppLocker events across the EXE/DLL and MSI/Script logs:
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL", "Microsoft-Windows-AppLocker/MSI and Script" | Select-Object TimeCreated, Id, Message | Format-List
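Reading 8003 events one Message at a time does not scale past a handful of machines, and the Message text is not what you want to group on anyway. The functions below are an added example, not part of the original article: they parse the audit events' structured data and summarise them per file, so the allow list is built from what users actually ran. The event layout assumed is UserData/RuleAndFileData with FilePath, Fqbn, TargetUser and RuleName; the sample event at the end is constructed (placeholder SID, RuleId and path), not a real capture.

```powershell
# Added example (not from the original article): turn AppLocker audit events into
# a per-file summary of what would have been blocked.

function ConvertFrom-AppLockerEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        [xml]$x = $EventXml
        $sys  = $x.Event.System
        $data = $x.Event.UserData.RuleAndFileData
        # EventID may carry a Qualifiers attribute, in which case the XML adapter
        # hands back an element rather than a string.
        $idNode  = $sys.EventID
        $eventId = if ($idNode -is [System.Xml.XmlElement]) { [int]$idNode.InnerText } else { [int]$idNode }
        # TargetUser is a SID; translate it when the account can be resolved.
        $user = $data.TargetUser
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$user).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            TimeCreated = [datetime]$sys.TimeCreated.SystemTime
            EventId     = $eventId
            FilePath    = $data.FilePath
            # Fqbn is Publisher\Product\Binary\Version, or "-" for unsigned files.
            Publisher   = ($data.Fqbn -split '\\')[0]
            User        = $user
            RuleName    = $data.RuleName
        }
    }
}

function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    # 8003 (EXE and DLL log) and 8006 (MSI and Script log) are the "would have
    # been blocked" events written only while a collection is in audit mode;
    # the enforced-mode blocks are 8004 and 8007.
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                    'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8006
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-AppLockerEventXml |
        Group-Object FilePath |
        ForEach-Object {
            [pscustomobject]@{
                Count     = $_.Count
                FilePath  = $_.Name
                Publisher = ($_.Group.Publisher | Select-Object -Unique) -join '; '
                Users     = ($_.Group.User | Select-Object -Unique) -join '; '
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample event (placeholder SID, RuleId and path) to exercise the
# parser without a live event log:
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8003</EventID>
    <TimeCreated SystemTime="2024-01-15T09:12:33.1234567Z" />
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <RuleSddl>-</RuleSddl>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <TargetProcessId>4242</TargetProcessId>
      <FilePath>%OSDRIVE%\USERS\JDOE\DOWNLOADS\TOOL.EXE</FilePath>
      <FileHash>-</FileHash>
      <Fqbn>-</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@
$sample | ConvertFrom-AppLockerEventXml

# Live usage on an audited machine:
Get-AppLockerAuditSummary -Days 14 | Format-Table -AutoSize
```

Files that show up with a real Publisher are candidates for a publisher rule; entries with Publisher "-" are unsigned and need either a hash rule or a conversation with whoever is running them. Paths under user profiles that keep appearing are exactly the ones a path rule must never cover.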
Step 9: Export the Effective Policy
The effective policy is the merge of the local policy and every AppLocker GPO applied to the computer; export it from a representative domain member to see what actually applies there, rather than only what one GPO contains:
Get-AppLockerPolicy -Effective -Xml | Out-File "C:\AppLocker\EffectivePolicy.xml"
Step 10: Create DLL Rules
DLL rules stop unauthorized DLLs from being loaded, but they cost performance because every library load is checked, and an incomplete Dll collection breaks otherwise-allowed programs: once the collection is enforced, every DLL an allowed application loads needs a matching rule. Build the baseline with publisher rules and hash rules as the fallback for unsigned libraries, and keep the collection in audit mode until the 8003 events stop:
Get-AppLockerFileInformation -Directory "C:\Windows\System32" -Recurse -FileType Dll |
    New-AppLockerPolicy -RuleType Publisher, Hash -User "Everyone" -Optimize -Xml |
    Out-File "C:\AppLocker\DllRules.xml"
Step 11: Package App Rules
AppLocker also controls Windows Store and other packaged (Appx) apps. Every packaged app is signed, so only publisher rules are supported for this collection; Get-AppLockerFileInformation takes the packages from Get-AppxPackage:
Get-AppxPackage -AllUsers | Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User "Everyone" -Optimize -Xml |
    Out-File "C:\AppLocker\PackagedAppsPolicy.xml"
Verify packaged app rules are included in the effective policy:
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections | Where-Object {$_.RuleCollectionType -eq "Appx"}
Summary
AppLocker in Windows Server 2016 provides granular application control that reduces the attack surface by preventing unauthorized software from executing. Deploy it in this order: start every collection in audit mode, review the 8003/8006 events, add rules for the software people legitimately ran, and only then switch the collection to Enabled. Publisher rules are preferred for maintainability, hash rules give the strictest control over specific approved tools, and path rules are acceptable only for locations standard users cannot write to. Treat the result as defense in depth rather than a hard boundary: signed Windows binaries that can load and execute arbitrary content are well-documented bypasses, so add deny rules for the ones your environment does not need and keep watching the 8004/8007 block events after enforcement.