This tutorial will show you how to configure an AppLocker Group Policy on a Windows 2012 server.

This tutorial will show you how to block the installation or execution of all applications.

This tutorial will show you how to allow a specific application to run.

This will help keep your computer environment in compliance with international information security certifications like ISO 27001.

The domain controller is running Windows 2012 R2.

The domain computers are running Windows 7 and Windows 10.

AppLocker will work on Windows Enterprise or Ultimate edition.

AppLocker will not work on Windows Professional edition.

Tutorial – Creating the AppLocker GPO

The following tasks were executed on a domain controller running Windows 2012 R2 with Active Directory.

Click on the Start menu, locate and open the Group Policy Management tool.

Windows 2012 - Group Policy Management

On the Group Policy Management screen, locate the folder named Group Policy Objects.

Right-click the Group Policy Objects folder and select the New option.

Windows 2012 - Group Policy Objects

Enter a name for your new policy.

Windows 2012 - Applocker

In our example, the new GPO was named: SOFTWARE POLICY.

On the Group Policy Management screen, expand the folder named Group Policy Objects.

Right-click your new Group Policy Object and select the Edit option.

Windows 2008 - Application locker application

On the Group Policy Editor screen, you will see the User Configuration and Computer Configuration sections.

We will change only the Computer Configuration.

We don't need to change any User Configuration.

First, we need to configure the Windows service named Application Identity to start automatically.

On the Group Policy Editor screen, expand the Computer Configuration folder and locate the following item.

• Computer Configuration > Windows Settings > Security Settings > System Services

Windows 2012 - GPO Application Identity

On the right, the list of available services for Windows will be presented.

Windows 2012 - Application Identity Service

Double click the configuration item named Application Identity.

On the configuration item screen, you need to select the Automatic option.

Windows 2012 - Application Identity automatically

For AppLocker to work, the domain computers need to have the Application Identity service running.

Tutorial – Configuring the AppLocker GPO

On the Group Policy Editor screen, expand the Computer Configuration folder and locate the following item.

• Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

Windows 2012 - Applocker gpo

On the right, the configuration items available for the AppLocker policy will be presented.

Windows 2012 - Applocker initial screen

Click on the configuration item named Configure Rule Enforcement.

The AppLocker Properties window will be presented.

Windows 2012 - applocker properties

Enable the Executable rules and select the Enforce rules option.

Enable the Windows Installer rules and select the Enforce rules option.

Enable the Packaged App rules and select the Enforce rules option.

Click on the OK button.

Windows 2012 - applocker properties configuration

Next, we need to create the default software rules.

Right-click on the Executable Rules policy and select the Create Default Rules option.

GPO - Create Default Rules

The executable default rules state the following:

• Every EXE file inside the Windows folder is allowed to be executed.

• Every EXE file inside the Program Files folder is allowed to be executed.

• The Administrators group members are allowed to execute any EXE file.

To authorize another application, right-click on the Executable Rules and select the Create New Rule option.

gpo - Applocker default rules

Right-click on the Windows Installer Rules and select the Create Default Rules option.

To authorize another application, right-click on the Windows Installer Rules and select the Create New Rule option.

GPO - Windows installer Create Default Rules

Right-click on the Packaged app Rules and select the Create Default Rules option.

To finish the group policy creation, you need to close the Group Policy Editor window.

Only when you close the Group Policy Editor window will the system save your configuration.
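The steps above add allow rules through the GUI. The following script is an added example, not part of the original tutorial, that does the same for one approved application from PowerShell on the domain controller: it builds a publisher rule for a signed binary and merges it into the SOFTWARE POLICY GPO without touching the default rules already created. The application path and the domain controller name are assumptions; the GPO name and the domain TECH.LOCAL come from the tutorial.

```powershell
# Added example (not from the tutorial). Requires the GroupPolicy and AppLocker
# modules, run on a domain controller of TECH.LOCAL as a domain administrator.
Import-Module GroupPolicy
Import-Module AppLocker

$AppPath = 'C:\Temp\ApprovedApp\setup.exe'   # ASSUMED: signed binary you want to allow
$GpoName = 'SOFTWARE POLICY'                 # GPO created earlier in the tutorial
$Dc      = 'dc01.tech.local'                 # ASSUMED: FQDN of your domain controller

# 1. Collect publisher, hash and path information for the approved binary.
$fileInfo = Get-AppLockerFileInformation -Path $AppPath
if (-not $fileInfo.Publisher) {
    # Unsigned binaries cannot get a publisher rule; a hash rule would be the fallback,
    # but it must be re-created for every new version of the file.
    throw "$AppPath is not signed. Re-run with -RuleType Hash or obtain a signed build."
}

# 2. Build an Allow rule for Everyone based on the publisher certificate.
#    A publisher rule keeps working when the vendor ships an updated, still-signed version.
$ruleXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
           -User Everyone -RuleNamePrefix 'Approved' -Optimize -Xml
$xmlPath = Join-Path $env:TEMP 'approved-app-rule.xml'
$ruleXml | Out-File -FilePath $xmlPath -Encoding utf8

# 3. Merge the new rule into the GPO. -Merge keeps the existing default rules;
#    without it the GPO's AppLocker policy would be replaced entirely.
$gpo  = Get-GPO -Name $GpoName
$ldap = "LDAP://$Dc/$($gpo.Path)"
Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap $ldap -Merge

# 4. Print the resulting policy so the new rule can be reviewed next to the defaults.
Get-AppLockerPolicy -Domain -Ldap $ldap -Xml
```

The clients still only pick up the change after replication and a policy refresh, exactly as described for the GPO link in the next section.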

Tutorial – Applying the AppLocker GPO

You have finished the creation of the AppLocker GPO.

But you still need to enable the use of your new Group Policy.

On the Group Policy Management screen, right-click the desired Organizational Unit and select the option Link an Existing GPO.

Windows-2012-Applocker application

In our example, we are going to link the group policy named SOFTWARE POLICY to the root of our domain named TECH.LOCAL.

Gpo - Applying applocker

After applying the GPO, you need to wait 10 to 20 minutes.

During this time the GPO will be replicated to other domain controllers that you might have.

After waiting 20 minutes, you should reboot a user’s computer.

During the boot, the computer will get and apply a copy of the new group policy.

To test the configuration, log in to a domain computer, download any software and try to run it.

The computer should automatically block the execution of any application that is not explicitly allowed by the GPO.
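Downloading a file and double-clicking it only tests one binary. The following script is an added example, not part of the original tutorial, for checking the same things on the domain computer after its reboot without executing anything: that the Application Identity service is actually running, what the effective policy decides for every EXE in the Downloads folder, and which blocks AppLocker has already logged. It assumes the AppLocker PowerShell module is available (Windows 7/10 Enterprise) and the test files sit in the current user's Downloads folder.

```powershell
# Added example (not from the tutorial). Run on a domain computer that received
# the SOFTWARE POLICY GPO, as the user whose access you want to verify.
Import-Module AppLocker

# 1. Rules are only enforced while the Application Identity service (AppIDSvc) runs.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"
"AppIDSvc state: $($svc.State), start mode: $($svc.StartMode)"
if ($svc.State -ne 'Running') {
    Write-Warning 'AppIDSvc is not running: AppLocker rules are NOT enforced on this computer.'
}

# 2. Ask the effective policy (local + all linked GPOs) what it would decide for each
#    downloaded EXE. Nothing is executed; the decision comes from the rule evaluation.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$user      = "$env:USERDOMAIN\$env:USERNAME"     # Administrators are allowed by the default rule
$effective = Get-AppLockerPolicy -Effective
Get-ChildItem -Path $downloads -Filter *.exe -File |
    ForEach-Object { $effective | Test-AppLockerPolicy -Path $_.FullName -User $user } |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 3. What AppLocker actually blocked in the last day. Each rule collection writes to
#    its own log with its own "prevented from running" event id:
#    8004 = EXE and DLL, 8007 = MSI and Script, 8025 = Packaged app.
$blockEvents = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'            = 8004
    'Microsoft-Windows-AppLocker/MSI and Script'         = 8007
    'Microsoft-Windows-AppLocker/Packaged app-Execution' = 8025
}
foreach ($log in $blockEvents.Keys) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = $blockEvents[$log]
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Blocked'; e = { $_.Message.Split("`n")[0] } }
}
```

A file that shows PolicyDecision "Denied" here is the one the user sees rejected with the error message below; forwarding the 8004/8007/8025 events to your SIEM gives the same visibility across the whole domain.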

Gpo - applocker error message