How to Configure AppLocker on Windows Server 2012 R2

AppLocker is an application whitelisting technology built into Windows Server 2012 R2 that allows administrators to control which applications, scripts, Windows Installer packages, and DLLs are permitted to run in the environment. Unlike Software Restriction Policies, AppLocker offers rule-based control using publisher, path, or file hash criteria. It integrates with Group Policy and provides detailed audit logs through Windows Event Log. For enterprise environments, AppLocker significantly reduces the attack surface by preventing unauthorized or malicious software from executing.

Prerequisites

AppLocker requires the Application Identity service to be running — this service evaluates rules at runtime. You need Group Policy management rights if deploying via GPO, or local Administrator rights for standalone configuration. AppLocker policies apply to users and computers; rule enforcement requires Windows Server 2012 R2, Windows 8.1, or Windows 7 Enterprise/Ultimate on client machines. Standard and Home editions of Windows only support AppLocker in audit mode. The Application Identity service must start automatically for AppLocker to function correctly.

Starting the Application Identity Service

The Application Identity (AppIDSvc) service must be running for AppLocker rules to be enforced. Configure it to start automatically:

Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Get-Service -Name AppIDSvc

Verify the service is running:

Status   Name               DisplayName
------   ----               -----------
Running  AppIDSvc           Application Identity

To configure this via Group Policy for domain-wide deployment, navigate to Computer Configuration > Windows Settings > Security Settings > System Services and set Application Identity to Automatic.

Understanding AppLocker Rule Types

AppLocker enforces four rule collections, each targeting a different type of executable:

  • Executable rules — .exe and .com files
  • Windows Installer rules — .msi, .msp, and .mst files
  • Script rules — .ps1, .bat, .cmd, .vbs, and .js files
  • Packaged app rules — Windows Store apps (AppX)

Each collection can have rules based on three conditions: Publisher (digital signature), Path (file or folder location), or File Hash (SHA-256 hash of the file).
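Before choosing between the three conditions it helps to know how much of a directory is signed, because only signed files can be covered by a Publisher rule and everything else falls back to Hash or Path. The following function is an added example (not part of the original article); it assumes the AppLocker PowerShell module is available and uses the Publisher, Hash and Path properties that Get-AppLockerFileInformation returns:

```powershell
function Get-AppLockerConditionCoverage {
    <#
      Reports, for every executable under a directory, whether a Publisher condition
      is possible (the file carries a valid signature) or whether a Hash or Path rule
      would be needed instead. Added example; assumes the AppLocker module is present.
    #>
    param(
        [Parameter(Mandatory)] [string]   $Directory,
        [string[]] $FileType = @('Exe', 'Script')
    )

    $files = @(Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType $FileType)

    # Publisher is $null for unsigned files; Hash is always populated
    $signed   = @($files | Where-Object { $_.Publisher })
    $unsigned = @($files | Where-Object { -not $_.Publisher })

    [pscustomobject]@{
        Directory        = $Directory
        TotalFiles       = $files.Count
        PublisherCapable = $signed.Count
        HashOrPathOnly   = $unsigned.Count
        # Distinct signers show how few Publisher rules would cover the signed set
        Publishers       = @($signed | ForEach-Object { $_.Publisher.PublisherName } | Sort-Object -Unique)
        # These files can only be allowed by Hash (brittle across updates) or Path rules
        UnsignedPaths    = @($unsigned | ForEach-Object { $_.Path.Path })
    }
}

# Usage: assess an application folder before deciding which rule conditions to use
Get-AppLockerConditionCoverage -Directory "$env:ProgramFiles" | Format-List
```

A high HashOrPathOnly count is the signal that a folder will need path rules or frequent hash-rule maintenance; a short Publishers list means a handful of publisher rules will carry most of the allow list.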

Generating Default AppLocker Rules

Before enforcing custom rules, generate the default rules that allow Windows and Program Files to run. Without these, all users including Administrators would be blocked from running system applications:

# Generate allow rules for the executables already present in Windows and Program Files.
# New-AppLockerPolicy needs file information on its pipeline; it cannot be run bare.
"$env:WINDIR", "$env:ProgramFiles" |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe } |
    New-AppLockerPolicy -RuleType Publisher, Path, Hash -User Everyone `
        -Optimize -IgnoreMissingFileInformation | Set-AppLockerPolicy -Merge

# Or use the built-in default rules via GUI (three path rules, listed below):
# Group Policy > AppLocker > Executable Rules > right-click > Create Default Rules

The default rules allow:

  • Everyone to run files in %WINDIR%
  • Everyone to run files in %PROGRAMFILES%
  • BUILTIN\Administrators to run all files
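The three default rules above can also be produced as policy XML and merged without the GUI, which is useful when a server is built unattended. The following is an added example rather than the article's own code; the rule names are ours, the rule Ids are generated at run time, and S-1-1-0 and S-1-5-32-544 are the well-known SIDs for Everyone and BUILTIN\Administrators:

```powershell
function New-AppLockerDefaultRuleXml {
    <#
      Builds the three default path rules (Windows folder, Program Files, Administrators
      everything) as AppLocker policy XML. Added example; the same three rules apply to
      the Exe and Script collections, so both are accepted here.
    #>
    param([ValidateSet('Exe', 'Script')] [string] $Collection = 'Exe')

    # Each entry: path pattern, SID it applies to, human-readable rule name
    $defaults = @(
        @{ Path = '%WINDIR%\*';       Sid = 'S-1-1-0';      Name = 'Everyone: Windows folder' },
        @{ Path = '%PROGRAMFILES%\*'; Sid = 'S-1-1-0';      Name = 'Everyone: Program Files folder' },
        @{ Path = '*';                Sid = 'S-1-5-32-544'; Name = 'Administrators: all files' }
    )

    $rules = foreach ($d in $defaults) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$($d.Name)" Description="" UserOrGroupSid="$($d.Sid)" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$($d.Path)" />
      </Conditions>
    </FilePathRule>
"@
    }

    # EnforcementMode stays NotConfigured so a merge does not flip an existing mode
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="$Collection" EnforcementMode="NotConfigured">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Import-AppLockerDefaultRules {
    # Writes the generated XML to a file and merges it into the local policy.
    param([ValidateSet('Exe', 'Script')] [string] $Collection = 'Exe')
    $file = Join-Path $env:TEMP "AppLocker-Default-$Collection.xml"
    New-AppLockerDefaultRuleXml -Collection $Collection | Set-Content -Path $file -Encoding UTF8
    # Set-AppLockerPolicy reads XML from a file path; -Merge keeps rules already present
    Set-AppLockerPolicy -XmlPolicy $file -Merge
}

# Usage: review the XML first, then import it
New-AppLockerDefaultRuleXml
Import-AppLockerDefaultRules -Collection Exe
```

Because the Ids are freshly generated, merging the same output twice creates duplicate rules; run the import once per collection, or remove the earlier rules before re-importing.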

Creating Publisher-Based Rules via PowerShell

Publisher rules are the most flexible and survive application updates. The rule trusts a specific publisher and optionally pins to a product name and version:

# Create a publisher rule for Microsoft Office
$FileInfo = Get-AppLockerFileInformation -Path "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
$Rule = New-AppLockerPolicy -FileInformation $FileInfo -RuleType Publisher -User Everyone
$Rule | Set-AppLockerPolicy -Merge

Create a rule allowing a specific publisher across all their signed software:

# Create rule from file, trusting publisher only (any product, any version)
$FileInfo = Get-AppLockerFileInformation -Path "C:\Program Files\Notepad++\notepad++.exe"
New-AppLockerPolicy -FileInformation $FileInfo -RuleType Publisher -User "Domain Users" | 
    Set-AppLockerPolicy -Merge
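New-AppLockerPolicy pins a publisher rule to the product and binary name it saw in the file, so trusting a signer across all of their software means widening the FilePublisherCondition afterwards. The functions below are an added example, not the article's code; the sample rule is constructed to match the shape New-AppLockerPolicy emits, and the Notepad++ path is the one used above:

```powershell
function ConvertTo-PublisherOnlyRule {
    <#
      Takes AppLocker policy XML containing FilePublisherRule elements (as emitted by
      New-AppLockerPolicy -RuleType Publisher -Xml) and widens every publisher condition
      to "any product, any binary, any version" so the rule trusts the signer alone.
      Added example, not from the original page.
    #>
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $PolicyXml)

    process {
        $doc = [xml]$PolicyXml
        foreach ($cond in $doc.SelectNodes('//FilePublisherCondition')) {
            # PublisherName (the signing certificate's subject) is kept; everything else is widened
            $cond.SetAttribute('ProductName', '*')
            $cond.SetAttribute('BinaryName', '*')
            $range = $cond.SelectSingleNode('BinaryVersionRange')
            if ($range) {
                $range.SetAttribute('LowSection', '*')
                $range.SetAttribute('HighSection', '*')
            }
        }
        $doc.OuterXml
    }
}

function New-PublisherOnlyPolicy {
    # Generates a publisher rule for one signed file, widens it, and returns the XML.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $User = 'Everyone'
    )
    Get-AppLockerFileInformation -Path $Path |
        New-AppLockerPolicy -RuleType Publisher -User $User -Xml |
        ConvertTo-PublisherOnlyRule
}

# Constructed sample: one publisher rule in the shape New-AppLockerPolicy emits
$SampleRule = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Sample" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US" ProductName="EXAMPLE EDITOR" BinaryName="EDITOR.EXE">
          <BinaryVersionRange LowSection="7.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Usage: widen the sample offline, or build from a real file and import it
$SampleRule | ConvertTo-PublisherOnlyRule
# New-PublisherOnlyPolicy -Path "C:\Program Files\Notepad++\notepad++.exe" -User "Domain Users" |
#     Set-Content -Path "$env:TEMP\Publisher.xml" -Encoding UTF8
# Set-AppLockerPolicy -XmlPolicy "$env:TEMP\Publisher.xml" -Merge
```

Widening to the signer alone is convenient but trusts every binary that publisher ever signs, including tools you may not want run; keeping ProductName pinned and widening only the version range is the usual middle ground.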

Creating Path-Based Rules

Path rules allow or deny execution based on file or folder location. They use AppLocker environment variables for portability:

# Allow execution from a specific application folder.
# Path rules can be built as objects of type
# Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FilePathRule, but for anything
# beyond a one-off, an XML policy fragment is easier to author and review.

# Example: create a path rule via XML. The ExampleApp folder is a placeholder for your
# application's directory; S-1-1-0 is the well-known SID for Everyone.
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow ExampleApp folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\ExampleApp\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
# Set-AppLockerPolicy takes XML from a file (-XmlPolicy), not from the pipeline
$PolicyFile = Join-Path $env:TEMP "AppLocker-PathRule.xml"
$PolicyXml | Set-Content -Path $PolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge

Deploying AppLocker Policy via Group Policy

For domain-wide deployment, configure AppLocker through Group Policy. The recommended approach is to first run in Audit Only mode to discover what applications run in the environment before enforcing:

# Export current local policy to review (Get-AppLockerPolicy -Xml returns the policy as XML text)
Get-AppLockerPolicy -Local -Xml | Out-File C:\AppLockerPolicy.xml

# Set enforcement mode to Audit for all rule collections:
# change the EnforcementMode attribute of every <RuleCollection> in the exported XML to
# AuditOnly, save it as C:\AppLockerPolicy-Audit.xml, then re-import
Set-AppLockerPolicy -XmlPolicy C:\AppLockerPolicy-Audit.xml

In the Group Policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker. Configure rule enforcement per collection type. Set collections to Audit Only initially, then switch to Enforce Rules after validating the policy.
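Both the "edit the enforcement mode, then re-import" step and the import into a GPO rather than the local machine can be scripted, which keeps the audit-to-enforce switch repeatable. This is an added example and not the article's own code; the GPO LDAP path is a placeholder and must be replaced with the distinguished name of your AppLocker GPO:

```powershell
function Set-AppLockerEnforcementMode {
    <#
      Rewrites the EnforcementMode attribute of every RuleCollection in a policy XML file,
      for example to move the whole policy to AuditOnly before a GPO deployment.
      Added example; AuditOnly, Enabled and NotConfigured are the attribute's valid values.
    #>
    param(
        [Parameter(Mandatory)] [string] $InputPath,
        [Parameter(Mandatory)] [string] $OutputPath,
        [ValidateSet('AuditOnly', 'Enabled', 'NotConfigured')] [string] $Mode = 'AuditOnly',
        # Restrict the change to specific collections; the default touches all of them
        [string[]] $Collection = @('Exe', 'Msi', 'Script', 'Dll', 'Appx')
    )

    $doc = [xml](Get-Content -Path $InputPath -Raw)
    foreach ($rc in $doc.SelectNodes('//RuleCollection')) {
        if ($Collection -contains $rc.GetAttribute('Type')) {
            $rc.SetAttribute('EnforcementMode', $Mode)
        }
    }
    # XmlDocument.Save resolves relative paths against the process directory, not the
    # PowerShell location, so resolve the path through the provider first
    $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutputPath)
    $doc.Save($full)
    Get-Item $full
}

function Publish-AppLockerPolicyToGpo {
    <#
      Imports a policy XML into a GPO by its LDAP path instead of the local machine.
      The LDAP path is CN={GPO GUID},CN=Policies,CN=System,<domain DN>; Get-GPO shows the GUID.
    #>
    param(
        [Parameter(Mandatory)] [string] $XmlPolicy,
        [Parameter(Mandatory)] [string] $GpoLdapPath
    )
    # -Ldap targets the GPO; without -Merge the GPO's existing AppLocker policy is replaced
    Set-AppLockerPolicy -XmlPolicy $XmlPolicy -Ldap $GpoLdapPath -Merge
}

# Usage: export, switch every collection to audit, stage the result into the GPO
Get-AppLockerPolicy -Local -Xml | Set-Content -Path "C:\AppLockerPolicy.xml" -Encoding UTF8
Set-AppLockerEnforcementMode -InputPath "C:\AppLockerPolicy.xml" `
    -OutputPath "C:\AppLockerPolicy-Audit.xml" -Mode AuditOnly
# Publish-AppLockerPolicyToGpo -XmlPolicy "C:\AppLockerPolicy-Audit.xml" `
#     -GpoLdapPath "LDAP://dc01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local"
```

When the audit period is over, the same function with -Mode Enabled produces the enforcement version of the file, so the only thing that changes between the two deployments is one attribute per collection.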

Blocking Common Attack Vectors

A hardened AppLocker policy should block execution from user-writable directories. Create deny rules for locations users can write to:

# Example deny rules for user-writable temp directories. The two paths are common examples
# (adjust to your environment). Deny rules win over Allow rules, so a Deny for Everyone would
# also stop administrators; S-1-5-32-545 (BUILTIN\Users) leaves them unaffected.
$DenyPolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny user profile Temp" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny Windows Temp" Description="" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$DenyPolicyFile = Join-Path $env:TEMP "AppLocker-DenyRules.xml"
$DenyPolicyXml | Set-Content -Path $DenyPolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $DenyPolicyFile -Merge

Script Rule Enforcement

Block users from running PowerShell scripts from unauthorized locations while allowing IT scripts:

# Once the Script collection is enforced, any script not matched by an Allow rule is blocked,
# so scripts in user-writable locations need no explicit Deny rule.
# The IT scripts share below is a placeholder path.
$ScriptPolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="NotConfigured">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow scripts in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow IT scripts share" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="\\fileserver\ITScripts\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all scripts" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$ScriptPolicyFile = Join-Path $env:TEMP "AppLocker-ScriptRules.xml"
$ScriptPolicyXml | Set-Content -Path $ScriptPolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $ScriptPolicyFile -Merge

Reviewing AppLocker Audit Logs

AppLocker logs events to the Applications and Services Logs in Event Viewer. Review audit events to identify applications that would be blocked:

# Query AppLocker EXE audit events (Event ID 8003 = would be blocked under enforcement,
# 8004 = blocked, 8002 = allowed, 8001 = policy applied successfully)
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" |
    Where-Object { $_.Id -in @(8003, 8004) } |
    Select-Object TimeCreated, Id, Message |
    Format-List | Out-File C:\AppLockerAudit.txt

View script audit events:

Get-WinEvent -LogName "Microsoft-Windows-AppLocker/MSI and Script" |
    Select-Object TimeCreated, Id, Message | Format-List
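The Message text of these events is convenient to read but awkward to aggregate over several days of audit data. The functions below are an added example, not the article's code: they read the event's UserData (the RuleAndFileData element, which carries the FilePath, FileHash, Fqbn and TargetUser fields) and summarize would-block events per file, which is what an audit review is after. The sample event is constructed and its SID and hash are dummies:

```powershell
function ConvertFrom-AppLockerEventXml {
    <#
      Extracts the fields that matter for an audit review from the XML of one
      AppLocker EXE/DLL or MSI/Script event (IDs 8002, 8003, 8004).
      Added example; the RuleAndFileData element names come from the AppLocker event template.
    #>
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)

    process {
        $xml    = [xml]$EventXml
        $idNode = $xml.Event.System.EventID
        # EventID comes back as a plain string unless the element carries attributes
        $id     = if ($idNode -is [System.Xml.XmlElement]) { [int]$idNode.InnerText } else { [int]$idNode }
        $d      = $xml.Event.UserData.RuleAndFileData

        [pscustomobject]@{
            TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Id          = $id
            Decision    = $(switch ($id) { 8002 { 'Allowed' } 8003 { 'WouldBlock' } 8004 { 'Blocked' } default { 'Other' } })
            PolicyName  = $d.PolicyName
            RuleName    = $d.RuleName
            TargetUser  = $d.TargetUser   # SID of the account that launched the file
            FilePath    = $d.FilePath     # AppLocker-normalized path, e.g. %OSDRIVE%\USERS\...
            FileHash    = $d.FileHash
            Fqbn        = $d.Fqbn         # publisher\product\binary\version, or "-" when unsigned
        }
    }
}

function Get-AppLockerAuditSummary {
    # Reads would-block/blocked events from the live log and groups them by file path.
    param(
        [string]   $LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
        [int[]]    $Id      = @(8003, 8004),
        [datetime] $Since   = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AppLockerEventXml -EventXml $_.ToXml() } |
        Group-Object FilePath |
        ForEach-Object {
            [pscustomobject]@{
                FilePath   = $_.Name
                Events     = $_.Count
                Users      = @($_.Group.TargetUser | Sort-Object -Unique)
                Fqbn       = $_.Group[0].Fqbn      # "-" means only a Hash or Path rule can allow it
                Blocked    = @($_.Group | Where-Object Decision -eq 'Blocked').Count
                WouldBlock = @($_.Group | Where-Object Decision -eq 'WouldBlock').Count
            }
        } | Sort-Object Events -Descending
}

# Constructed sample event (dummy SID and hash) so the parser can be exercised offline
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8003</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.000000000Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>-</RuleName>
      <TargetUser>S-1-5-21-1111111111-2222222222-3333333333-1001</TargetUser>
      <FilePath>%OSDRIVE%\USERS\TESTUSER\DOWNLOADS\SUSPICIOUS.EXE</FilePath>
      <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
      <Fqbn>-</Fqbn>
    </RuleAndFileData>
  </UserData>
</Event>
'@

# Usage: parse the constructed sample, then summarize the live logs on an audit-mode server
ConvertFrom-AppLockerEventXml -EventXml $SampleEvent
Get-AppLockerAuditSummary | Format-Table -AutoSize
Get-AppLockerAuditSummary -LogName 'Microsoft-Windows-AppLocker/MSI and Script' | Format-Table -AutoSize
```

Sorting by event count puts the applications that would break most users at the top of the list; a populated Fqbn on those rows means a publisher rule will cover them, while "-" marks unsigned software that needs a path or hash rule (or a conversation about whether it should run at all).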

Verification

Test the current effective policy against a specific file:

Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "C:\Users\testuser\Downloads\suspicious.exe" -User testuser

View the effective policy applied to the local machine:

Select-Xml -XPath "//RuleCollection" -Content (Get-AppLockerPolicy -Effective -Xml) |
    ForEach-Object { $_.Node.OuterXml }
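To test a whole directory rather than one file, the added function below (not the article's own code) enumerates files with Get-AppLockerFileInformation and keeps only those the effective policy would deny for the given user; it assumes the AppLocker module is available:

```powershell
function Test-AppLockerDirectory {
    <#
      Evaluates every file of the given types under a directory against the effective
      policy for one user and returns only the files that would be denied.
      Added example; assumes the AppLocker module is available.
    #>
    param(
        [Parameter(Mandatory)] [string]   $Directory,
        [Parameter(Mandatory)] [string]   $User,       # e.g. "CONTOSO\jsmith", "Everyone", or a SID
        [string[]] $FileType = @('Exe', 'Script')
    )

    $policy = Get-AppLockerPolicy -Effective
    $paths  = @(Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType $FileType |
                ForEach-Object { $_.Path.Path })
    if ($paths.Count -eq 0) { return }

    # PolicyDecision is one of Allowed, Denied, AllowedByDefault, DeniedByDefault;
    # -Filter keeps only the two deny outcomes. DeniedByDefault means no rule matched at all,
    # Denied means an explicit Deny rule did, and MatchingRule names it.
    Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User $User -Filter Denied, DeniedByDefault |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage: anything listed here would stop working for that user once the collection is enforced
Test-AppLockerDirectory -Directory "$env:ProgramFiles" -User "Everyone"
```

Running this against the directories your line-of-business applications live in, for a representative standard user, is a quick pre-enforcement check that complements the event-log review.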

Summary

AppLocker on Windows Server 2012 R2 provides granular control over what applications can execute in your environment. The recommended deployment process is: start the Application Identity service, generate default rules, configure audit mode via GPO, analyze audit logs over several days to catalog the application inventory, create allow rules for legitimate software, block high-risk execution paths like user temp directories, then switch to enforcement mode. Combined with auditing, AppLocker is a powerful defense against malware, ransomware, and insider threats.