Problem solve Get help with specific problems with your technologies, process and projects.

Using Windows 8 AppLocker and application sideloading in Windows 8

Windows 8 AppLocker, which IT can use to set policies for which apps can run on enterprise desktops, should be in every administrator's toolbox.

Organizations planning a Windows 8 upgrade have to choose between Windows 8 Professional and Windows 8 Enterprise. The latter edition offers remote desktop functionality not available in Windows 8 Pro, including Windows To Go and BranchCache. Here are some more features found only in Windows 8 Enterprise.


One feature carried over from Windows 7 to Windows 8 Enterprise is AppLocker, a rules-based mechanism that lets IT control which files and applications can run on enterprise desktops.

Administrators can centrally manage AppLocker through group policies that include rules for blacklisting or whitelisting scripts, dynamic link libraries and executable files. AppLocker also includes policies for Windows Installer files and Windows Store app packages and their installer files (.appx). Support for Windows Store files is new in Windows 8 Enterprise, as is the ability to manage .mst files, a type of Windows Installer file.

To deploy AppLocker, administrators usually create the necessary policies and then apply them through Group Policy. However, an Active Directory environment is not mandatory. In a small network, administrators can install the policies directly on Windows 8 Enterprise desktops. And in either environment, admins can set up publication rules to permit software updates to specific applications without having to set up a rule for each update.

For organizations that want to maintain tighter controls over their desktops yet still retain flexibility, AppLocker could prove an invaluable addition to their arsenal of management tools.

Application sideloading

Microsoft now requires that Metro-style applications be distributed through the Windows Store. For organizations with their own line-of-business applications, this approach might not acceptable. Windows 8 Enterprise offers a solution: application sideloading.

Sideloading lets organizations publish Metro-style apps directly to their own desktops, without going through the Windows Store. Users or administrators can install approved, in-house apps (via an app installation package). At the same time, admins can prevent unapproved and potentially malicious apps from being installed.

Sideloading is available in some form in all Windows 8 editions, but it's only in Enterprise that the feature is turned on by default. Other editions also require an activation key to be created for each app, which needs to be added to the system through a special sideloading script.

Windows 8 Enterprise, on the other hand, lets organizations distribute apps with far less fuss. In fact, IT can build what is essentially an internal app store for distributing their in-house applications. When used with AppLocker, sideloading provides a controlled, secure way to distribute internal Metro-style apps to Windows 8 Enterprise desktops.

Windows 8 Enterprise or Windows 8 Professional?

Features such as Windows To Go, DirectAccess, RemoteFX enhancements, BranchCache, AppLocker and application sideloading add important functionality to the Windows 8 Enterprise edition. Depending on the needs of your organization, one or more of them could prove valuable enough to warrant Windows 8 Enterprise over Windows 8 Pro. So the better you understand how these features work, the easier it will be to decide whether to go with Windows 8 Professional or Windows 8 Enterprise.

Dig Deeper on Windows 8 and 8.1

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.