Application control covers all locations beyond user profiles and temporary folders
Ensure application control is in place in every location other than the user profiles and temporary folders already covered at Maturity Level One, not only in those folders.
Plain language
This control is about making sure that only approved software can run on your computers everywhere, not just in the high-risk areas (user profiles and temporary folders) that the Maturity Level One control already covers. Without it, unwanted software or malware can be launched from any other writable location on the system, for example to slow down your systems or steal important information.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application control
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.
Why it matters
The Maturity Level One control restricts execution in user profiles and OS/browser/email temporary folders, because those are where downloaded and emailed payloads usually land. Covering only those paths leaves every other writable location uncontrolled: ProgramData, C:\Windows\Temp, user-writable subfolders of the Windows directory such as C:\Windows\Tasks, removable media and network shares. An attacker or malware with write access to any of them can launch executables, scripts or installers from there, leading to data loss and outages. The "other than" wording in the control statement is scoping (those folders are already covered by the Maturity Level One control), not an exemption.
Operational notes
Regularly review allow/deny rules and the AppLocker event logs (blocked executables and libraries are event ID 8004; blocked scripts and installers are event ID 8007) for both user profile and browser/email temp paths and for all other locations, and confirm that writable locations outside user profiles, such as C:\Windows\Temp, C:\Windows\Tasks and ProgramData, cannot be used to launch executables or scripts.
Implementation tips
- The IT team should review and configure application control so that the rules that already cover user profiles and temporary folders (Maturity Level One) are extended to every other location on the system: executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets should be restricted to the approved set everywhere. Do not add exemptions for user profiles or temporary folders; the control statement names them only because they are already covered.
- System administrators should regularly update the list of approved software the organisation uses to ensure only necessary programs are allowed to run.
- Security officers need to work with the IT team to establish procedures for handling requests for new software to be added to the approved list, ensuring it’s safe before approval.
- The IT team should use tools such as Microsoft's AppLocker or Windows Defender Application Control (WDAC), or a third-party application control solution, to manage and enforce these rules. With AppLocker, check that the default path rules allowing everything under %WINDIR% and %PROGRAMFILES% are tightened or paired with deny rules for the user-writable subfolders of those directories.
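The operational check above (confirm that writable locations cannot be used to launch executables) can be scripted against AppLocker. The following PowerShell script is an added example, not part of the Essential Eight, the ISM or Microsoft's documentation. It assumes AppLocker is the enforcement tool and its PowerShell module is present; the candidate directory list is constructed as a starting point and should be extended for the environment (network shares, removable media, application data folders). For each directory it drops two canaries, an unsigned script and a copy of calc.exe, asks the effective policy whether they would run, and removes them again.

```powershell
<#
  Added example: checks whether the effective AppLocker policy restricts execution in a
  set of writable locations, covering both the ML1 scope (user profiles and OS/browser/
  email temp folders) and the ML2 scope (everything else).
  Run as the standard user whose execution rights you are testing. If that account cannot
  read the effective policy, export it from an elevated session with
      Get-AppLockerPolicy -Effective -Xml | Set-Content policy.xml
  and pass the file via -PolicyXml.
#>
[CmdletBinding()]
param(
    [string]$User = 'Everyone',   # identity the policy is evaluated for
    [string]$PolicyXml            # optional exported policy file (see header)
)

# Constructed candidate list; extend for the environment.
$Candidates = @(
    # Maturity Level One scope: where downloaded and emailed payloads usually land.
    @{ Scope = 'ML1 user profile / temp'; Path = $env:TEMP },
    @{ Scope = 'ML1 user profile / temp'; Path = "$env:USERPROFILE\Downloads" },
    @{ Scope = 'ML1 user profile / temp'; Path = "$env:LOCALAPPDATA\Microsoft\Windows\INetCache" },
    # Maturity Level Two scope: everything else. These fall under the AppLocker default
    # path rules (%WINDIR%\* and %PROGRAMFILES%\*) yet can be writable by standard users.
    @{ Scope = 'ML2 all other locations'; Path = "$env:SystemRoot\Temp" },
    @{ Scope = 'ML2 all other locations'; Path = "$env:SystemRoot\Tasks" },
    @{ Scope = 'ML2 all other locations'; Path = "$env:SystemRoot\Tracing" },
    @{ Scope = 'ML2 all other locations'; Path = $env:ProgramData }
)

function Test-LocationCoverage {
    param([string]$Directory, [string]$Scope)

    $row = [ordered]@{ Scope = $Scope; Directory = $Directory; Writable = $false
                       ExeDecision = 'n/a'; ScriptDecision = 'n/a'; MatchingRules = '' }
    if (-not (Test-Path -LiteralPath $Directory)) { return [pscustomobject]$row }

    # Two canaries: an unsigned script created in place (Script collection) and a copy of
    # an OS binary (Exe collection). If the directory is not writable by this account,
    # nothing can be launched from it and the check stops here.
    $stamp     = [guid]::NewGuid().ToString('N')
    $canaryPs1 = Join-Path $Directory "ac-canary-$stamp.ps1"
    $canaryExe = Join-Path $Directory "ac-canary-$stamp.exe"
    try {
        Set-Content -LiteralPath $canaryPs1 -Value 'Write-Output canary' -ErrorAction Stop
        Copy-Item -LiteralPath "$env:SystemRoot\System32\calc.exe" -Destination $canaryExe -ErrorAction Stop
        $row.Writable = $true
    } catch {
        Remove-Item -LiteralPath $canaryPs1, $canaryExe -Force -ErrorAction SilentlyContinue
        return [pscustomobject]$row
    }

    try {
        $testArgs = @{ Path = @($canaryExe, $canaryPs1); User = $User }
        if ($PolicyXml) { $testArgs.XmlPolicy = $PolicyXml }
        else            { $testArgs.PolicyObject = (Get-AppLockerPolicy -Effective) }
        $decisions = Test-AppLockerPolicy @testArgs
        foreach ($d in $decisions) {
            if ($d.FilePath -like '*.exe') { $row.ExeDecision    = [string]$d.PolicyDecision }
            else                           { $row.ScriptDecision = [string]$d.PolicyDecision }
        }
        $row.MatchingRules = ($decisions | ForEach-Object { $_.MatchingRule } |
                              Where-Object { $_ } | Select-Object -Unique) -join '; '
    } finally {
        # Always clean up the canaries, even if the policy test throws.
        Remove-Item -LiteralPath $canaryPs1, $canaryExe -Force -ErrorAction SilentlyContinue
    }
    return [pscustomobject]$row
}

$report = foreach ($c in $Candidates) { Test-LocationCoverage -Directory $c.Path -Scope $c.Scope }
$report | Format-Table -AutoSize

# A writable location where either canary is 'Allowed' is a coverage gap.
$gaps = $report | Where-Object { $_.Writable -and ($_.ExeDecision -eq 'Allowed' -or $_.ScriptDecision -eq 'Allowed') }
if ($gaps) {
    Write-Warning ('Application control gaps: ' + (($gaps | ForEach-Object { $_.Directory }) -join ', '))
    exit 1
}
```

Two caveats when reading the output. An "Allowed" exe canary whose matching rule is a publisher rule for Microsoft-signed code is a different finding from a path gap (the publisher rule is broader than intended), which is why the matching rule is reported alongside the decision. Test-AppLockerPolicy evaluates rules only; it does not tell you whether a rule collection is actually enforced, so also confirm in the exported policy XML that each RuleCollection has EnforcementMode="Enabled" rather than AuditOnly or NotConfigured. The script does not apply to environments using WDAC, which has its own policy tooling.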
Audit / evidence tips
- Ask: Have all team members been informed about application control policies and the locations they cover?
- Good: Staff have received regular updates and training on application control policies, and relevant communication records are available.
- Ask: Is application control configured to cover every location other than user profiles and temporary folders, with those folders still covered by the Maturity Level One rules?
- Good: Configuration covers all locations, no allow rule exempts user profiles, temporary folders or other user-writable paths, and the rulesets are reviewed regularly.
Cross-framework mappings
How E8-AC-ML2.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.18 | Partially overlaps | Annex A 8.18 requires restrictions and tight control over utilities that can override system and application controls, which includes pre... |
| Annex A 8.19 | Partially overlaps | E8-AC-ML2.2 specifies where application control must apply, whereas Annex A 8.19 concerns managing the installation of software on operational systems |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-0843 | Partially meets | E8-AC-ML2.2 requires application control to be applied across all system locations other than the user profiles and temporary folders covered at Maturity Level One ... |
| ISM-0846 | Partially overlaps | E8-AC-ML2.2 requires application control coverage across all locations (other than the user profiles and temporary folders already covered at Maturity Level One) |
| ISM-0955 | Partially overlaps | ISM-0955 requires implementing application control using hash, publisher certificate, or path rules to control what can execute |
| ISM-1657 | Partially overlaps | ISM-1657 requires application control that restricts execution to an organisation-approved set of executable artefacts |
| ISM-1234 | Supports | ISM-1234 requires email content filtering to prevent harmful content in email bodies and attachments from reaching users |
| ISM-1392 | Supports | E8-AC-ML2.2 requires application control across all locations beyond user profiles and temporary folders |
| ISM-1490 | Supports | ISM-1490 requires implementing application control on internet-facing servers |
| ISM-1544 | Supports | ISM-1544 requires implementing Microsoft's recommended application blocklist to block known undesirable/unauthorised applications |
| ISM-1656 | Supports | ISM-1656 requires application control to be implemented on non-internet-facing servers to stop unapproved code from running |
| ISM-1746 | Supports | E8-AC-ML2.2 enforces application control in every location beyond user profiles and temporary folders, while ISM-1746 maintains file system integrity, preventing unauthorised permissio... |
| ISM-1871 | Related | ISM-1871 requires application control to be applied to all locations except user profiles and temporary folders used by operating systems... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.