Implement Microsoft's Application Blocklist
Organisations must use Microsoft's blocklist to stop unauthorised applications from running.
Plain language
If your organisation doesn't use Microsoft's blocklist, unauthorised applications might run on your computers. These rogue apps could mess with your sensitive data or even let hackers into your system. By using the blocklist, you're essentially putting guardrails up, stopping anything you haven't explicitly approved from causing havoc.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
Operating system hardening
Topic
Application Control
Official control statement
Microsoft's recommended application blocklist is implemented.
Why it matters
Without Microsoft’s recommended application blocklist, known malicious or unwanted apps may run on endpoints, increasing malware execution and unauthorised access risk.
Operational notes
Regularly update Microsoft’s recommended blocklist and validate WDAC/AppLocker rules so newly identified malicious apps are blocked across all managed endpoints.
Implementation tips
- The organisation's IT Manager should communicate with Microsoft's technical support to understand the latest blocklist updates. How: Subscribe to updates and regularly coordinate with Microsoft to ensure the blocklist is current and applicable to your systems.
- The IT team should configure company computers to apply Microsoft’s blocklist using available tools like Windows Defender Application Control. How: Access the control settings on each device or manage them centrally through your network systems and enforce the blocklist.
- Procurement staff should ensure any new software purchases are verified against the Microsoft blocklist. How: Before buying or installing any new application, check it against the blocklist to ensure it's not prohibited.
- Managers should educate employees on the importance of only using allowed software. How: Conduct mandatory training sessions explaining why unapproved applications can pose risks and how the blocklist helps keep everyone safe.
- The IT team should perform regular checks to ensure the blocklist is active on all devices. How: Use audit tools or management software to verify that every device has the blocklist enforced, and manually check settings on a sample of devices.
Audit / evidence tips
- Ask: a report of all software installed on company computers in the past month
  Good: A list showing only allowed applications and confirmation that no blocklisted apps are installed
- Good: Logs indicating regular updates synchronised with the latest Microsoft blocklist releases
- Ask: to see training materials used to educate staff about authorised applications
  Good: Comprehensive guides and evidence of participation by all employees
- Good: A report showing successful verification that the blocklist is active and enforced across devices
- Ask: a checklist or protocol used by procurement before purchasing software
  Good: Documented steps where checking against the Microsoft blocklist is a mandatory clause before any software agreement
Cross-framework mappings
How ISM-1544 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (4) | | |
| E8-AC-ML1.1 | E8-AC-ML1.1 requires application control on workstations so that only approved applications can run | |
| E8-AC-ML1.2 | E8-AC-ML1.2 requires application control to cover user profiles and temporary folders to block execution of unapproved software from thos... | |
| E8-AC-ML2.2 | ISM-1544 requires implementing Microsoft’s recommended application blocklist to block known undesirable/unauthorised applications | |
| E8-AC-ML3.1 | ISM-1544 requires implementation of Microsoft’s recommended application blocklist to stop unauthorised applications from executing | |
| Related (1) | | |
| E8-AC-ML2.3 | E8-AC-ML2.3 requires organisations to implement Microsoft’s recommended application blocklist to prevent execution of known risky/abusabl... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.