Happy WDAC Wednesday! In the first two posts we covered how Application Control for Business (ACFB) enhances malware prevention beyond AV/EDR solutions, and outlined a high-level implementation strategy – starting with audit mode before moving into enforcement. At this point you might be thinking this sounds a lot like AppLocker – and you’d be right. AppLocker, however, is feature complete, and Microsoft’s efforts are focussed on Application Control for Business.

So how do AppLocker and Application Control for Business differ, and why should ACFB be used moving forward?

Origins of AppLocker

AppLocker was originally introduced with Windows 7 and Windows Server 2008 back in 2009. It was designed to replace Software Restriction Policies, which were traditionally used to blacklist applications and whose policies were difficult to manage. AppLocker brought a more modern approach, using Publisher rules, which made handling application updates significantly easier.

Limitations of AppLocker

If you are using AppLocker in 2025 there are important considerations you should be aware of:

  • AppLocker is feature complete – Microsoft is no longer actively developing it, which means although it receives security updates, no new capabilities or improvements are expected.
  • AppLocker lacks two key features ACFB offers to significantly reduce the complexity of managing an application whitelist – Managed Installer and the Intelligent Security Graph.
  • AppLocker doesn’t enforce drivers or kernel mode binaries, leaving a gap in protection that ACFB is designed to cover.

Managed Installer is the most significant capability difference between ACFB and AppLocker. It allows your ACFB policy to automatically trust applications installed by your software distribution platform, such as Intune or MECM – without needing to manually define rules within your ACFB policy. This dramatically simplifies policy management, reducing the overhead typically associated with maintaining your whitelist.

Other differences

Another notable difference is that AppLocker rules can be scoped to specific groups of users. For example, you can configure a rule to allow only administrators to run installers or execute certain applications. This granularity offers flexibility in managing access.

ACFB, however, is designed with a different philosophy: rules apply equally to all users. This approach ensures that even if a malicious actor gains local administrative privileges, they cannot bypass the policy.

For a complete list of differences refer to this Microsoft Learn article: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/feature-availability

AppLocker and ACFB co-existence

Migrating from AppLocker to ACFB is made easier because AppLocker and ACFB policies can co-exist on the same device. If both are in enforcement mode, a block from either policy takes precedence, so careful planning is essential, especially if one policy is more permissive than the other.

Interestingly, the powerful Managed Installer capability in ACFB is actually implemented using an AppLocker policy. This means that even if you intend to migrate off AppLocker, a minimal AppLocker policy will still be required as part of your ACFB implementation.
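To make the two preceding points concrete (Managed Installer simplifying the whitelist, and its dependence on an AppLocker policy), here is an added example that is not from the post or from Microsoft: it stages the minimal AppLocker policy carrying a ManagedInstaller rule collection in AuditOnly mode, checks that the collection landed in the effective policy, and then flags the matching Managed Installer option on an existing ACFB policy while keeping it in audit mode. The ACFB policy path and the publisher string of the deployment agent are placeholders you would replace with your own.

```powershell
# Added example (not from the post): stage the AppLocker "Managed Installer" collection that ACFB
# relies on, then enable the matching option in an existing ACFB policy. Run in an elevated
# PowerShell session on a test device before rolling the same files out via Intune or GPO.

$AcfbPolicyXml      = 'C:\Policies\ACFB-Policy.xml'          # ASSUMED path to your existing ACFB policy XML
$InstallerPublisher = 'O=CONTOSO LTD, L=SYDNEY, S=NSW, C=AU'  # PLACEHOLDER publisher of your deployment agent

# AppLocker needs Exe and Dll collections to exist alongside the ManagedInstaller collection.
# Both are AuditOnly with a single rule that matches no real file, so nothing is blocked by them;
# the ManagedInstaller collection names the signed binary that is trusted to install software.
$AppLockerPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Placeholder Exe rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ThisWillNeverExist.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Placeholder Dll rule" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ThisWillNeverExist.dll" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deployment agent as managed installer" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$InstallerPublisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$AppLockerFile = Join-Path $env:TEMP 'ManagedInstaller-AppLocker.xml'
Set-Content -Path $AppLockerFile -Value $AppLockerPolicy -Encoding UTF8

# Merge rather than replace, so any AppLocker policy already on the device is preserved.
Set-AppLockerPolicy -XmlPolicy $AppLockerFile -Merge -ErrorAction Stop

# Start the Application Identity service in managed-installer-only mode so the collection is honoured.
appidtel.exe start -mionly

# Check: the effective AppLocker policy must now carry a ManagedInstaller collection.
$Effective    = [xml](Get-AppLockerPolicy -Effective -Xml)
$MiCollection = $Effective.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'ManagedInstaller'
if (-not $MiCollection) { throw 'ManagedInstaller collection missing from the effective AppLocker policy' }
"ManagedInstaller collection present, enforcement mode: $($MiCollection.EnforcementMode)"

# ACFB side: option 13 = Enabled:Managed Installer, option 3 = Enabled:Audit Mode.
# Keep option 3 until the audit events show the policy is clean, then remove it to enforce.
Set-RuleOption -FilePath $AcfbPolicyXml -Option 13
Set-RuleOption -FilePath $AcfbPolicyXml -Option 3
$AcfbBinary = [IO.Path]::ChangeExtension($AcfbPolicyXml, '.cip')
ConvertFrom-CIPolicy -XmlFilePath $AcfbPolicyXml -BinaryFilePath $AcfbBinary
"Compiled ACFB policy with Managed Installer enabled: $AcfbBinary"
```

Because both the AppLocker collection and the ACFB policy start in audit mode, the device keeps running as before while you confirm in the event logs that installs from the deployment agent are being tagged as managed-installer originated; the placeholder Exe and Dll rules never match a real file, so the AppLocker side of this remains the "minimal policy" the post refers to rather than a second whitelist to maintain.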

What’s next

In the next #WDACWednesday we’ll look at specific considerations when using ACFB to meet Essential Eight compliance for Application Control.

By Andrew
