Application control excludes user profiles and temporary folders
Ensure application control is in place everywhere except user profiles and temp folders.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Application control
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2
Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.
Source: ASD Essential Eight
Plain language
This control is about making sure that only approved software can run on your computers, except in some specific areas like user profiles and temporary folders. Without this control, unwanted software or viruses could sneak in and cause harm, like slowing down your systems or stealing important information.
Why it matters
If application control doesn’t cover user profiles and OS/browser/email temp folders, attackers can run malware from these paths, leading to data loss and outages.
Operational notes
Regularly review allow/deny rules and logs for user profile and browser/email temp paths, and confirm common temp locations can’t be used to launch executables.
Implementation tips
- The IT team should review and configure application control settings to exclude user profiles and temporary folders on your computers, ensuring that application restrictions are set up everywhere else.
- System administrators should regularly update the list of approved software the organisation uses to ensure only necessary programs are allowed to run.
- Security officers need to work with the IT team to establish procedures for handling requests for new software to be added to the approved list, ensuring it’s safe before approval.
- The IT team should utilise tools like Microsoft’s AppLocker or another third-party application control solution to help manage and enforce these rules.
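As an added example (not the Control Stack page's own tooling and not an ASD artefact), the following PowerShell audit supports the operational note above: it reads the effective AppLocker policy and flags Allow path rules that reach into user-profile and temp locations, then summarises recent AppLocker block (8004) and audit-only (8003) events launched from those paths. The watch-list of path patterns and the seven-day window are assumptions to adjust for your environment.

```powershell
# Added audit helper (not from the Control Stack page or from ASD).
# Part 1: flag AppLocker Allow path rules that cover user-profile / temp locations.
# Part 2: summarise recent AppLocker events (8004 blocked, 8003 audit-only) from those paths.
# Assumes AppLocker is deployed and the AppLocker PowerShell module is available.

# Assumed watch-list (regex fragments, matched case-insensitively by -match).
$WatchPatterns = @(
    '%OSDRIVE%\\Users\\', '\\Users\\',            # user profiles
    '%TEMP%', '%TMP%', '\\AppData\\Local\\Temp',   # OS / user temp folders
    '%LOCALAPPDATA%', '%APPDATA%',                # browser and mail client cache paths
    '\\Windows\\Temp', '%WINDIR%\\\*'             # system temp; a %WINDIR%\* default rule also reaches it
)

function Test-WatchedPath {
    param([string]$Path)
    foreach ($p in $WatchPatterns) { if ($Path -match $p) { return $true } }
    return $false
}

# Part 1: effective policy review. Each RuleCollection (Exe, Dll, Script, Msi, ...)
# carries its enforcement mode; only Allow path rules into watched locations are reported.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($coll in $policy.AppLockerPolicy.RuleCollection) {
    "Collection {0}: EnforcementMode={1}" -f $coll.Type, $coll.EnforcementMode
    foreach ($rule in $coll.FilePathRule) {
        foreach ($cond in $rule.Conditions.FilePathCondition) {
            if ($rule.Action -eq 'Allow' -and (Test-WatchedPath $cond.Path)) {
                "  REVIEW: Allow rule '{0}' covers watched path {1}" -f $rule.Name, $cond.Path
            }
        }
    }
}

# Part 2: execution attempts from watched paths in the last 7 days (assumed window).
# AppLocker event text starts with the file path, e.g. "%OSDRIVE%\USERS\... was prevented from running."
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004; StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    if ($_.Message -match '^(?<path>.+?) was ') {
        [pscustomobject]@{ Id = $_.Id; Path = $Matches.path; Watched = Test-WatchedPath $Matches.path }
    }
} | Where-Object Watched | Group-Object Id, Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A rule collection reported as AuditOnly or NotConfigured, or any REVIEW line, is the evidence gap to raise; 8003 events show what would have been blocked had enforcement been on.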
Audit / evidence tips
- Ask: Have all team members been informed about application control policies and their exclusions?
- Good: Staff have received regular updates and training on application control policies, and relevant communication records are available.
- Ask: Are application control settings correctly configured to exclude only user profiles and temporary folders in the system?
- Good: Configuration settings only exclude user profiles and temporary folders, and these settings are reviewed regularly.
Cross-framework mappings
How E8-AC-ML2.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| Annex A 8.18 | E8-AC-ML2.2 excludes user profiles and certain folders from application control | |
| Annex A 8.19 | E8-AC-ML2.2 specifies control with folder exclusions, whereas Annex A 8.19 involves managing software installation security | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| ISM-0843 | E8-AC-ML2.2 applies application control to system locations except specific folders, while ISM-0843 focuses on workstations only, making ... | |
| Partially overlaps (2) | ||
| ISM-0955 | ISM-0955 requires implementing application control using hash, publisher certificate, or path rules to control what can execute | |
| ISM-1657 | ISM-1657 requires application control that restricts execution to an organisation-approved set of executable artefacts | |
| Supports (7) | ||
| ISM-0846 | E8-AC-ML2.2 mandates application control with specific exclusions, while ISM-0846 prevents tampering or exemptions, preserving the contro... | |
| ISM-1234 | ISM-1234 requires email content filtering to prevent harmful content in email bodies and attachments from reaching users | |
| ISM-1392 | E8-AC-ML2.2 requires broad application control with folder exclusions | |
| ISM-1490 | ISM-1490 requires implementing application control on internet-facing servers | |
| ISM-1544 | ISM-1544 requires implementing Microsoft’s recommended application blocklist to block known undesirable/unauthorised applications | |
| ISM-1656 | ISM-1656 requires application control to be implemented on non-internet-facing servers to stop unapproved code from running | |
| ISM-1746 | E8-AC-ML2.2 enforces control excluding certain folders, while ISM-1746 maintains file system integrity, preventing unauthorised permissio... | |
| Related (1) | ||
| ISM-1871 | ISM-1871 requires application control to be applied to all locations except user profiles and temporary folders used by operating systems... | |