Microsoft today announced the removal of restrictions related to AppLocker to facilitate faster enterprise deployments. The adjustment removes version verification checks for Win10 2004, 20H2 and 21H2 versions and all Win11 systems.
AppLocker helps organizations control which applications and files users can run. These include executables, scripts, Windows Installer files, dynamic link libraries (DLLs), packaged apps, and packaged app installers.
The key features and functions of AppLocker are the following.
Define rules based on file attributes that persist across application updates, such as publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on file paths and hashes.
Assign rules to security groups or individual users.
Create rule exceptions. For example, you can create rules to allow all users to run all Windows binaries except the registry editor (regedit.exe).
Use audit-only mode to deploy a policy and understand its impact before enforcing it.
Create rules on a staging server and test them, then export them to a production environment and import them into a Group Policy object later.
The creation and management of AppLocker rules can be simplified by using Windows PowerShell.
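The staging, audit-only and export workflow listed above, as an added PowerShell example that is not part of the original article. It assumes an elevated session on a machine with the AppLocker cmdlets; the folder name 'C:\Program Files\Contoso', the output path and the LDAP path are placeholders.

```powershell
# Added example (not from the article): build an AppLocker policy from a staging
# server, put it in audit-only mode, test it, and export it for GPO import.
# Placeholders: 'C:\Program Files\Contoso' (staging install), the output XML path,
# and the LDAP path of the target GPO.

# 1. Collect file attributes (publisher, product, version, hash) from the staging install.
$files = Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso' -Recurse -FileType Exe

# 2. Generate rules: publisher rules where the binaries are signed, hash rules as a fallback.
$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Contoso' -Optimize

# 3. Switch every rule collection to AuditOnly so nothing is blocked yet;
#    AppLocker still logs what *would* have been blocked under enforcement.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Export the policy XML for review and for later import into a GPO.
$xmlPath = 'C:\Temp\Contoso-AppLocker-Audit.xml'
$policy.ToXml() | Out-File -FilePath $xmlPath -Encoding UTF8

# 5. Dry-run the policy against specific binaries before deploying it anywhere.
#    With only Contoso rules and no default rules, regedit.exe shows as denied,
#    which is the cue to add default rules (or an explicit exception) first.
Test-AppLockerPolicy -XmlPolicy $xmlPath `
    -Path 'C:\Windows\regedit.exe', 'C:\Program Files\Contoso\app.exe' -User Everyone

# 6. Apply locally on the staging server, merging with any existing local policy.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# 6b. Later, import the same XML into a production GPO (placeholder LDAP path).
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap 'LDAP://DC01/CN={GUID},CN=Policies,CN=System,DC=contoso,DC=com'

# 7. After the test period, review what audit mode would have blocked (event ID 8003).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } |
    Select-Object TimeCreated, Message -First 20
```

Event ID 8003 records files that were allowed to run only because the policy is in audit mode; review those before switching the collections to Enabled.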
Microsoft previously required AppLocker policies to be differentiated by Windows version and management method: enterprises could deploy AppLocker policies to all Win10 and Win11 versions if they were managed through MDM, but with Group Policy they could only deploy AppLocker to Win10 and Win11 Enterprise or Education editions.
Now that Microsoft has removed these version checks, enterprise administrators can deploy AppLocker more easily, without differentiating between system versions and management methods, on the following versions of Windows and later.
Windows 11, version 22H2 (KB5017389, released on September 30, 2022)
Windows 11, version 21H2 (KB5018483, released on October 25, 2022)
Windows 10, version 2004 (KB5018482, released on October 25, 2022)
Windows 10, version 20H2
Windows 10, version 21H1
This update also allows IT administrators to use Windows Defender Application Control (WDAC) to deploy Managed Installer policies for systems without differentiating between different Windows versions.