
How to Check if AppLocker Policies are Active in Batch Script

AppLocker is a powerful security feature in Windows (Pro, Enterprise, and Server editions) that allows administrators to control which applications and files users can run. By creating rules based on file paths, publishers, or hashes, AppLocker can effectively block ransomware and unauthorized software. For IT auditors and security engineers, verifying that these policies are actually "Active" and "Enforced" on a machine is a critical compliance check.

This guide explains how to use Batch and PowerShell to audit AppLocker status.

Why Validate AppLocker Status?

  • Security Enforcement Monitoring: Ensuring that a machine hasn't bypassed its "Application Control" policies due to a service failure or a local policy override.
  • Ransomware Prevention Audit: Verifying that "Enforce" mode is active rather than just "Audit only" mode.
  • Troubleshooting: Identifying if a "This app has been blocked" error is actually caused by AppLocker or another security feature like SmartScreen.

Desktop vs. Server

AppLocker requires the Application Identity (AppIDSvc) service to be running. If this service is stopped, your policies (even if configured) will not be enforced.

Method 1: Checking the Application Identity Service (Fastest)

AppLocker cannot function without the AppIDSvc service. Checking its status is the most basic validation step.

@echo off
echo [PROCESS] Verifying AppLocker Infrastructure ^(AppIDSvc^)...

:: sc returns a non-zero exit code (1060) when the service does not exist
sc query AppIDSvc >nul 2>&1

if %errorlevel% neq 0 (
    echo [INFO] AppIDSvc service is not installed on this system.
    echo [NOTE] AppLocker may not be available on this Windows edition.
    pause
    exit /b 1
)

sc query AppIDSvc | findstr /i /c:"RUNNING" >nul

if %errorlevel% equ 0 (
    echo [SUCCESS] Application Identity service is ACTIVE.
) else (
    echo [WARNING] AppIDSvc is installed but NOT running.
    echo [RISK] AppLocker policies will not be enforced!
    echo [HELP] Start the service with: net start AppIDSvc
)
pause

Method 2: Retrieving Effective Policies (PowerShell)

To see the actual rules currently being enforced on the machine, you should use the Get-AppLockerPolicy cmdlet from your Batch script.

@echo off
setlocal

:: Check for admin rights (net session only succeeds in an elevated prompt)
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving Effective AppLocker Rules...
echo.

:: We query the 'Effective' policy which combines local and domain GPOs.
:: Each line ends with a space before the caret so the quoted fragments stay separate arguments.
powershell -NoProfile -Command ^
"$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue;" ^
"if ($policy -and $policy.RuleCollections.Count -gt 0) {" ^
"    $policy | Select-Object -ExpandProperty RuleCollections" ^
"} else {" ^
"    Write-Host '[INFO] No active AppLocker policies are configured on this machine.'" ^
"}"

pause

Creating a Security Compliance Audit Tool

A professional script checks for the service, identifies the enforcement mode (Audit vs. Enforce), and provides a clear security report.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo AppLocker Security Infrastructure Auditor
echo ============================================================

:: 0. Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required for a full audit.
    pause
    exit /b 1
)

:: 1. Verify Service Existence
echo.
echo [CHECK 1] Application Identity Service:
sc query AppIDSvc >nul 2>&1
if !errorlevel! neq 0 (
    echo [FAIL] AppIDSvc is not installed.
    echo [NOTE] AppLocker requires Windows Enterprise, Education, or Server.
    echo ============================================================
    pause
    exit /b 1
)

:: 2. Verify Service State
sc query AppIDSvc | findstr /i /c:"RUNNING" >nul
if !errorlevel! equ 0 (
    echo [PASS] AppIDSvc is RUNNING.
) else (
    echo [WARN] AppIDSvc is NOT running. Policies will not be enforced.
    echo [HELP] Start with: net start AppIDSvc
)

:: 3. Check Service Start Type
:: "sc qc" prints a line like "START_TYPE : 2 AUTO_START", so the
:: symbolic name is the 4th whitespace-separated token (the 3rd is the number).
echo.
echo [CHECK 2] Service Start Type:
for /f "tokens=4" %%t in ('sc qc AppIDSvc 2^>nul ^| findstr /i "START_TYPE"') do set "START_TYPE=%%t"

if "!START_TYPE!"=="AUTO_START" (
    echo [PASS] Set to Automatic ^(will start on boot^).
) else if "!START_TYPE!"=="DEMAND_START" (
    echo [WARN] Set to Manual. May not start after reboot.
    echo [HELP] Change with: sc config AppIDSvc start= auto
) else (
    echo [INFO] Start type: !START_TYPE!
)

:: 4. Check Enforcement Mode (via PowerShell)
:: EnforcementMode is one of Enabled, AuditOnly or NotConfigured per rule collection.
echo.
echo [CHECK 3] Enforcement Configurations:
powershell -NoProfile -Command ^
"$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue;" ^
"if ($policy -and $policy.RuleCollections.Count -gt 0) {" ^
"    $policy.RuleCollections | ForEach-Object {" ^
"        $mode = if ($_.EnforcementMode -eq 'Enabled') { '[ENFORCE]' } elseif ($_.EnforcementMode -eq 'AuditOnly') { '[AUDIT ]' } else { '[NOTCFG]' };" ^
"        Write-Host ('  ' + $mode + ' ' + $_.RuleCollectionType)" ^
"    }" ^
"} else {" ^
"    Write-Host '  [INFO] No AppLocker rule collections are configured.'" ^
"}" 2>nul

echo.
echo ============================================================
echo [NOTE] 'ENFORCE' = Blocking unauthorized apps.
echo        'AUDIT'   = Logging only ^(not blocking^).
echo        'NOTCFG'  = Not configured for this category.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Edition Limitations

AppLocker is NOT available on Windows Home editions. While you can enable the AppIDSvc service, the policies will simply be ignored.

Wrong Way:

:: Trying to audit AppLocker on Windows 11 Home

Correct Way: Your script should check the Windows Edition first (see our other guide on winver detection) to ensure the machine is capable of AppLocker before reporting a failure.
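An added example (not code from this guide or from Microsoft) of the "correct way": a PowerShell pre-flight that checks the edition before the service, returning a single status word that a Batch wrapper can test. The script name Test-AppLockerReady.ps1 and the status words are assumptions; it reads the EditionID registry value, which begins with "Core" on Home SKUs.

```powershell
# Added example, not part of the original guide. Save as Test-AppLockerReady.ps1 (name assumed)
# and call from Batch, for instance:
#   for /f "delims=" %%s in ('powershell -NoProfile -File Test-AppLockerReady.ps1') do set "APPLOCKER=%%s"
function Test-AppLockerReady {
    # 1. Edition first: Home SKUs carry an EditionID starting with "Core" (Core, CoreSingleLanguage, ...)
    #    and silently ignore AppLocker policy, so report "not applicable" instead of a false FAIL.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name EditionID).EditionID
    if ($edition -like 'Core*') { return "NotApplicable ($edition)" }

    # 2. Only then look at the Application Identity service that AppLocker depends on.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if (-not $svc)                 { return 'ServiceMissing' }
    if ($svc.Status -ne 'Running') { return "ServiceStopped (StartType=$($svc.StartType))" }

    return "Ready ($edition)"
}

Test-AppLockerReady
```

The status words are constructed for this example; the Batch wrapper can branch on them with findstr before running the full enforcement audit.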

Local vs. Domain GPO

Local policies might say "Enforce," but a Domain GPO can override them.

Tip

In your script, always use the -Effective flag with Get-AppLockerPolicy. This tells PowerShell to report the policy the system is actually applying rather than only the local configuration, which accounts for all Domain, Local, and Security GPOs.

Best Practices for Policy Monitoring

  1. Check the Event Logs: AppLocker logs blocked apps to Applications and Services Logs > Microsoft > Windows > AppLocker. Use wevtutil in your Batch script to query for recent "Blocked" events.
  2. Verify Service Start Type: Ensure AppIDSvc is set to Automatic start, otherwise it might stay stopped after a reboot.
  3. Audit Mode Usage: If you are deploying new software, use your script to verify the machine is in AuditOnly mode so you can see what would have been blocked without stopping production work.
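An added example (not code from this guide or from Microsoft) that implements best practice 1 and ties it to practice 3: a PowerShell script that summarises AppLocker block and audit-only events from the last 24 hours, so an auditor can see whether a collection is really blocking or only recording what it would have blocked. Save it as Get-AppLockerEvents.ps1 (name assumed) and call it elevated from the Batch auditor with `powershell -NoProfile -ExecutionPolicy Bypass -File Get-AppLockerEvents.ps1`; the exit codes are an assumption for the wrapper to test.

```powershell
# Added example, not part of the original guide. Requires an elevated prompt to read the AppLocker logs.
param([int]$Hours = 24)

# AppLocker writes one log per rule-collection family; a log that was never populated yields nothing.
$logs = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)
# Enforce mode records blocks as 8004 (EXE/DLL), 8007 (MSI/Script) and 8022 (Appx);
# AuditOnly mode records "would have been blocked" as 8003, 8006 and 8021.
$blockedIds = 8004, 8007, 8022
$auditIds   = 8003, 8006, 8021
$since      = (Get-Date).AddHours(-$Hours)

$events = @(foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = ($blockedIds + $auditIds); StartTime = $since } `
                 -ErrorAction SilentlyContinue
})

$blocked = @($events | Where-Object { $blockedIds -contains $_.Id })
$audited = @($events | Where-Object { $auditIds   -contains $_.Id })

"[REPORT] Last $Hours h: $($blocked.Count) blocked, $($audited.Count) audit-only hits"

# Newest ten first; the first line of each message names the file that was (or would have been) stopped.
$events |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10 TimeCreated, Id,
        @{ n = 'Mode';   e = { if ($blockedIds -contains $_.Id) { 'ENFORCE' } else { 'AUDIT' } } },
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Exit 2 (assumed convention) so the Batch wrapper can flag a policy that only audits and never blocks.
if ($blocked.Count -eq 0 -and $audited.Count -gt 0) {
    Write-Warning 'Only audit-only events found: the policy is probably in AuditOnly mode, not Enforce.'
    exit 2
}
exit 0
```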

SmartScreen

Note that SmartScreen is a separate feature. If AppLocker is "Off" but apps are still blocked, your script should investigate the SmartScreen status next.

Conclusion

Checking whether AppLocker policies are active via Batch script is an essential task for any security administrator managing enterprise Windows estates. By checking both the health of the Application Identity service and the enforcement mode of each rule collection, you can confirm that your application control layer is actually in effect rather than merely configured. This automated view of your defense status reduces the risk of unauthorized software execution and simplifies compliance reporting.