How To Secure Your Operating System via Windows 10 Applocker

Published: 12 September 2022 - 8 min. read

Leo Castillote

Are you looking for ways to add another layer of security to your local computer or across a domain? Consider stepping up your game with the Windows 10 AppLocker!

AppLocker gives you the power to control which apps and files users can run. And in this tutorial, you’ll learn how to set up AppLocker and secure your Windows 10 operating system.

Feel like you need more privacy? Read on and start securing your system!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following:

  • A Windows 10 Education or Enterprise computer – This tutorial uses Windows 10 Enterprise 21H2.
  • An administrator user account to set up locally or access a domain controller for an organizational setup.
  • A domain controller server for a multi-computer setup – This tutorial uses Windows Server 2019 Datacenter.

Configuring the Application Identity Service to Start on Bootup

Before you even begin to set up AppLocker rules and apply them to your local computer, you first need to tweak the Application Identity Service. Setting the Application Identity Service to start automatically on bootup enforces Windows 10 AppLocker rules.

Open a PowerShell console as an administrator, and run the below command to start the Application Identity service on bootup automatically.

sc.exe config appidsvc start= auto

The output below shows that the configuration was successful.

Setting Application Identity service to start automatically

Next, run the following Get-Service command to verify the Application Identity service starts automatically and runs.

Get-Service AppIDSvc | select -Property Name, Status, StartType

Below, you can see the AppIDSvc status is Running with the start type set to Automatic.

Scanning Application Identity status and start type

If you see a stopped status, run the Start-Service command below to start the Application Identity Service (AppIDSvc).

Start-Service -Name "AppIDSvc"
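The three commands above can be wrapped into one check that configures the service, starts it if needed and reports whether AppLocker's prerequisite is actually met. This is an added example, not code from the original article; it assumes an elevated PowerShell session on the Windows 10 machine, and the function name Enable-AppIdentityService is an assumption.

```powershell
# Added example (not from the original article): configure the Application Identity
# service for AppLocker enforcement and verify the result. Run from an elevated session.
function Enable-AppIdentityService {
    # sc.exe is used on purpose, as in the article: on recent Windows 10 builds AppIDSvc
    # is a protected service and Set-Service -StartupType can fail with "Access is denied".
    & sc.exe config appidsvc start= auto | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe config failed with exit code $LASTEXITCODE (is the session elevated?)"
    }

    $svc = Get-Service -Name AppIDSvc
    if ($svc.Status -ne 'Running') {
        Start-Service -Name AppIDSvc
        # Block until the service reports Running (or give up after 30 seconds).
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        $svc = Get-Service -Name AppIDSvc
    }

    # Ready is only $true when both conditions the article asks for hold.
    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
        Ready     = ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
    }
}

Enable-AppIdentityService
```

If Ready comes back $false after a reboot, AppLocker rules exist but are not being evaluated, which is the most common reason a freshly created deny rule appears to do nothing.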

Creating Default Windows 10 AppLocker Rules

Now that you have configured the Application Identity service, the next step is to create default AppLocker rules. Creating AppLocker rules lets you control which apps are allowed and denied.

You can set Windows 10 AppLocker rules for four categories of products, as follows:

  • Executable Rules – Executable files (.exe, and the less common .com).
  • Windows Installer Rules – Windows installer files (.msi, .msp, and .mst).
  • Script Rules – Script files (.bat, .cmd, .js, .ps1, and .vbs).
  • Packaged app Rules – Packaged apps and Packaged app installers (.appx).

As a rule of thumb, create the default rules first so that the approved apps already running on the local computer stay allowed in each category.

To create default AppLocker rules, you’ll first need access to the Local Security Policy tool:

1. Open the Run dialog box, type secpol.msc, and click OK (or press Enter) to access the Local Security Policy.

Running the Local Security Policy

2. On the Local Security Policy window, expand the Application Control Policies and AppLocker.

Accessing AppLocker rules via Local Security Policy

3. Select, and right-click on Executable Rules → select Create Default Rules to create the default AppLocker rules for the selected category.

Repeat this step for the remaining categories (Windows Installer Rules, Script Rules, and Packaged app Rules).

Creating default rules for all categories

4. Lastly, select each category and verify the default AppLocker rules exist, as shown below.

Below, you can see a group of three default rules. Each category gets a similar set, except Packaged app Rules, which has only one.

Viewing default executable rules

Creating Rules to Deny Applications

Now that your default AppLocker rules are in place, you can start creating rules to deny apps. Denying apps adds security to your machine since you get to deny access to malicious apps. The Local Security Policy also plays a part in creating rules to deny apps on your system.

In this tutorial, you’ll create rules for the Executable Rules category and test if they actually work. But once you’re confident in creating rules, you can create rules for other categories and see their differences.

Note that the steps in creating rules for each category are similar except for the Packaged app Rule.

Denying Applications via the Publisher Conditions

When you launch an app, you’re granting the publisher permissions to make changes to your system, especially if the app is constantly connected to the internet. Sounds too risky?

Creating rules to deny applications via the Publisher conditions will do the trick if you don’t trust a particular publisher.

1. Select and right-click on the category of your choice (Executable Rules) → choose Create New Rule to initiate creating a new rule.

Creating a new rule

2. Next, click Next when you see the Before You Begin page since it’s just an introductory page.

3. On the Permissions tab, choose the Deny option, which is the Action the rule will take.

Ensure you define the users affected by this rule. But leave Everyone selected for this tutorial, and click Next.

Setting rule permissions

4. Now, choose from three options for creating a rule (except Packaged app):

  • Publisher – For an application that the software publisher signs.
  • Path – For a specific file or folder.
  • File hash – For a file that is not signed.

But in this tutorial, select the Publisher option, and click Next.

Creating an AppLocker rule with the Publisher condition lets you choose how specific the rule is, from the publisher alone down to a particular file version.

Choosing a condition for the rule

5. Configure the Publisher conditions with the following:

  • Browse your local computer for the file you need to make a deny rule for.
  • Adjust the slider to select which properties define the rule; it can be as broad as the publisher or as specific as the file version.

In this example, the chosen property is Google Chrome’s File version.

Choosing the Any publisher option might not be a wise decision at all. Some of your apps from the same publisher may not work, so take caution when choosing this option.

  • Click Next to continue setting exceptions to the rule conditions.

Choosing a file property for the deny rule

6. At this point, click Next, as there is no need to make exceptions for the deny rule.

Skipping adding exceptions

7. Provide a descriptive name for the rule, and click Create to create the rule with the Publisher condition.

Creating an AppLocker rule with the Publisher condition

8. Finally, try launching an application from the publisher you set the deny rule for. If the deny rule works, you’ll get the following message.

Regardless of your chosen condition, you’ll get the same message below when you launch an app denied under the Executable Rules category.

Verifying the AppLocker deny rules work

Denying Applications via the Path Conditions

Suppose you trust a publisher but are skeptical about one of their applications. If so, your best choice is to create rules to deny specific applications or folder paths.

1. Create another rule as you did in steps one to four of the “Denying Applications via the Publisher Conditions” section.

But this time, choose the Path condition for a specific file or folder path.

Choosing the Path condition for the new deny rule

2. On the Path tab, choose the file or folder path to which you want to apply the rule, and click Next.

For instance, you want to prohibit users from pulling up Notepad. In that case, specify or browse Notepad’s full path.

Note that choosing a folder applies the AppLocker rule to all the files in that folder.

Choosing a file or a folder path

3. Skip adding exceptions in the Exceptions tab and click Next.

Skipping adding exceptions

4. Finally, change the rule’s Name and Description, and click Create to finalize the deny rule.

Setting the deny rule’s name and description

Denying Applications via the File Hash

As you know, a malicious app can disguise itself as one of your daily tools that controls your system’s behavior. Stumbling upon an app (unsigned or from an unverified publisher) can wreak havoc on your machine.

How do you avoid unintentionally running these malicious apps? Besides having a powerful anti-virus, creating rules to deny applications via file hash is a huge help.

1. Create a new deny rule, and choose the File hash condition this time.

2. Next, browse to and select the file or folder you need to set a rule for, and click Next.

Selecting a file or a folder using file hash

3. Lastly, change the deny rule’s Name and Description (optional), and click Create to create the new deny rule.

Naming the new deny rule with File Hash condition
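The three conditions above (Publisher, Path, File hash) all work from information AppLocker extracts from the file, and you can see that information, and test what the effective policy decides for a file, without launching anything. The script below is an added example, not code from the original article or from Microsoft; it uses the AppLocker module's Get-AppLockerPolicy, Get-AppLockerFileInformation and Test-AppLockerPolicy cmdlets, the function name Get-AppLockerDecision is an assumption, and the sample paths are Windows system files chosen for illustration (notepad.exe is the app the Path section denies).

```powershell
# Added example (not from the original article): show the publisher and hash data
# AppLocker would match on, and ask the effective policy for its decision per file.
Import-Module AppLocker

function Get-AppLockerDecision {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # AppLocker evaluates rules per principal; Everyone matches the tutorial's rules.
        [string] $User = 'Everyone'
    )

    # Export the effective policy (local rules merged with any domain rules) to XML.
    $policyXml = Join-Path $env:TEMP 'effective-applocker.xml'
    Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml -Encoding UTF8

    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) {
            Write-Warning "Skipping missing file: $p"
            continue
        }

        # Signer details feed Publisher rules; the hash feeds File hash rules.
        $info = Get-AppLockerFileInformation -Path $p
        $decision = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $p -User $User

        [pscustomobject]@{
            File         = $p
            Publisher    = if ($info.Publisher) { $info.Publisher.PublisherName } else { '(unsigned)' }
            Product      = if ($info.Publisher) { $info.Publisher.ProductName } else { $null }
            Hash         = "$($info.Hash)"
            Decision     = $decision.PolicyDecision     # Allowed, Denied, AllowedByDefault, DeniedByDefault
            MatchingRule = $decision.MatchingRule
        }
    }
}

Get-AppLockerDecision -Path 'C:\Windows\System32\notepad.exe', 'C:\Windows\System32\calc.exe' |
    Format-Table -AutoSize
```

Running this against the deny rules you just created shows Denied for notepad.exe together with the name of the rule that matched, which is a quicker regression check than launching each app by hand. An unsigned file shows (unsigned) in the Publisher column, which is exactly the case where only a Path or File hash condition can describe it.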

Deploying Windows 10 AppLocker Rules Using a Group Policy Object (GPO)

By now, you already know how to deny applications on your computer. But what if you need to apply AppLocker rules to more than one computer or for an organization? Using a GPO, you can deploy AppLocker rules to computers in an organization’s domain.

Creating a GPO lets you deploy AppLocker to multiple Windows 10 computers simultaneously without manually doing so on each computer.

To create an AppLocker GPO, you’ll first need to create an OU:

Note that it’s best practice to initially deploy a GPO in a “test organizational unit” (OU) to avoid messing things up in your AD structure.

1. Launch Active Directory Users and Computers, right-click your domain (left panel) → New → Organizational Unit to initiate adding a new OU.

Creating a new OU in the domain controller

2. Next, provide a name you prefer for your test OU. Keep the accidental deletion protection checked and click OK to create the new OU.

Naming a new OU

3. Add a computer to your test OU with the following:

  • Click Computers (left panel) to access the list of available computers on your domain controller.
  • Drag and drop a computer to your test OU.
  • Click Yes to continue adding the selected computer to your test OU when you get the warning message box.

Adding a computer to the test OU

4. Now, launch Group Policy Management, where you’ll create a GPO.

Expand your domain (left panel) → right-click on your test OU → Create a GPO in this domain, and Link it here… to initiate creating a GPO.

Creating an AppLocker GPO

5. Name the GPO as you like, and click OK to finalize creating the GPO.

Naming the AppLocker GPO

6. Once created, right-click on your AppLocker GPO, select Enforced in the context menu, and click OK in the message box.

Changing the Enforced setting for the GPO applies the settings in the GPO to the object (a Local System, Domain, Site, or Organizational Unit).

Enforcing the AppLocker GPO

7. Next, right-click on the AppLocker GPO and choose Edit to open the Group Policy Management Editor.

Opening Group Policy Management Editor

8. Configure the Application Identity properties with the following:

  • Under Computer Configuration, expand Policies → Windows Settings → Security Settings.
  • Select System Settings and double-click on Application Identity to access its properties.
  • Tick the Define this policy setting box, and choose Automatic to set the Application Identity to start automatically on bootup.

Automatically starting Application Identity is crucial as it acts as a switch for AppLocker to work.

  • Click Apply and OK to save the changes to the Application Identity properties.

Making Application Identity start automatically

9. Scroll down and expand Application Control Policies (left panel) → expand AppLocker.

Locating AppLocker in Group Policy Management Editor

10. Now, create your default AppLocker rules by replicating all the steps from the “Creating Default Windows 10 AppLocker Rules” section.

11. Lastly, follow the steps in the “Creating Rules to Deny Applications” section to create your deny rules.
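Instead of re-creating every rule by hand in the Group Policy Management Editor (steps 10 and 11), you can export the rules you already built and tested locally and merge them into the GPO. This is an added example, not code from the original article or from Microsoft; it assumes an elevated session on the domain controller (or a machine with RSAT and the GroupPolicy module), the GPO name 'AppLocker GPO' stands in for whatever you named it in step 5, and the function name Publish-AppLockerPolicyToGpo is an assumption.

```powershell
# Added example (not from the original article): push a locally tested AppLocker
# policy into a GPO and read it back. Run elevated on a DC or RSAT-equipped machine.
Import-Module AppLocker
Import-Module GroupPolicy

function Publish-AppLockerPolicyToGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [string] $XmlPath = (Join-Path $env:TEMP 'applocker-local.xml')
    )

    # 1. Export the local policy to XML; keep this file, it is your reviewable change record.
    Get-AppLockerPolicy -Local -Xml | Set-Content -Path $XmlPath -Encoding UTF8

    # 2. Set-AppLockerPolicy addresses a GPO by its LDAP path. Get-GPO exposes the GPO's
    #    distinguished name in .Path (assumption: serverless LDAP:// binding is acceptable).
    $gpo  = Get-GPO -Name $GpoName
    $ldap = "LDAP://$($gpo.Path)"

    # 3. -Merge keeps rules already stored in the GPO; omit it to replace them outright.
    Set-AppLockerPolicy -XmlPolicy $XmlPath -Ldap $ldap -Merge

    # 4. Read the policy back from the domain and summarise each rule collection.
    [xml]$domainXml = Get-AppLockerPolicy -Domain -Ldap $ldap -Xml
    foreach ($collection in $domainXml.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Collection = $collection.Type              # Exe, Msi, Script, Appx, Dll
            Mode       = $collection.EnforcementMode   # Enabled, AuditOnly, NotConfigured
            Rules      = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        }
    }
}

Publish-AppLockerPolicyToGpo -GpoName 'AppLocker GPO' | Format-Table -AutoSize
```

The Mode column is worth a glance before you link the GPO to a live OU: a collection in AuditOnly logs what would have been blocked without blocking it, which is the safe first step for the "test organizational unit" the note above recommends.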

Verifying Application Identity and AppLocker GPO Status

After deploying your AppLocker rules via a GPO, check the status of AppIDSvc on the computer you added to the test OU. You’ll also verify if you successfully applied your AppLocker GPO to the test OU.

1. Log in to the computer you added to the test OU.

2. Next, run the below command to check the AppIDSvc status.

Get-Service AppIDSvc | select -Property Name, Status, StartType

Scanning Application Identity status and start type

3. Now, run the gpresult command below to check the applied GPOs.

gpresult /r

Look for the AppLocker GPO under Computer Settings, which confirms the GPO has been applied.

Checking the AppLocker GPO status

4. Finally, test your AppLocker deny rules again. And if they work, you will see a message box similar to the one below.

Great job! You are now ready to replicate these steps and deploy your AppLocker to a live organizational unit.

Testing if the deny rules work correctly
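The message box in step 4 is only visible to the person sitting at the machine. Every block is also written to the AppLocker event logs, which is how you confirm the rules fire for other users and spot what they hit. The script below is an added example, not code from the original article; it reads the standard AppLocker event logs on the test computer from an elevated session, and the function name Get-AppLockerBlockReport and the 24-hour lookback are chosen for illustration.

```powershell
# Added example (not from the original article): report what AppLocker has blocked
# on this machine, straight from its event logs. Run elevated on the test computer.
function Get-AppLockerBlockReport {
    param([int] $Hours = 24)

    # Block events: 8004 = EXE/DLL, 8007 = MSI and script, 8022 = packaged app.
    # The audit-only counterparts (8003, 8006, 8021) mean "would have been blocked".
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL',
                    'Microsoft-Windows-AppLocker/MSI and Script',
                    'Microsoft-Windows-AppLocker/Packaged app-Execution'
        Id        = 8004, 8007, 8022
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # No events in the window is a normal outcome, not an error, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # AppLocker puts its fields under UserData/RuleAndFileData in the event XML.
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData

        # TargetUser is a SID; translate it to DOMAIN\user where possible.
        $user = $data.TargetUser
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier $user
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            Log    = $e.LogName
            User   = $user
            File   = $data.FullFilePath
            Rule   = $data.RuleName
            Policy = $data.PolicyName
            Hash   = $data.FileHash
        }
    }
}

# Most recent blocks first: confirms the deny rules fire and for whom.
Get-AppLockerBlockReport -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize

# Per-file totals: a file blocked many times across users is either a rule working as
# intended or a sign the default rules are too narrow for a legitimate app.
Get-AppLockerBlockReport -Hours 24 | Group-Object File |
    Select-Object Name, Count | Sort-Object Count -Descending
```

When the GPO is applied, the Rule column shows the name you typed in the rule wizard, so a block attributed to an unexpected rule (or to a default rule rather than your deny rule) is the first thing to investigate before rolling the policy out to a live OU.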

Conclusion

Whether it is an application, a package, or a script, AppLocker lets you control which ones may run and make changes on your system. And in this tutorial, you learned how to create Windows 10 AppLocker rules to secure a local computer and how to deploy those rules to multiple machines with a GPO.

With this newfound knowledge, will you consider AppLocker to protect your system from malicious attacks?
