Software Restriction Policies Explained
By CtrlOne Team ·
Windows has long had built-in ways to control which programs run: Software Restriction Policies (SRP) and the newer AppLocker. Understanding what they do - and their limits - helps you use them well. This article explains these mechanisms and how CtrlOne applies them across a fleet without hand-editing each machine.

What Software Restriction Policies do
SRP is a Windows feature that allows or denies programs based on rules - path, hash, or certificate. It was the original built-in application-control mechanism and is still present in Windows, letting administrators stop specified software from executing.
SRP and AppLocker together
AppLocker is the more modern, more granular successor, with rules by publisher, path, and file hash and clearer allow/deny enforcement. CtrlOne uses both AppLocker and SRP mechanisms so application control works across the range of Windows editions and scenarios it manages, rather than relying on a single mechanism.
How CtrlOne applies them at scale
Configuring SRP or AppLocker by hand per machine is slow and error-prone. CtrlOne defines the rules centrally and applies them by group across the fleet, holds them tamper-resistant, and records policy versions and an audit log - so the built-in Windows mechanisms are actually manageable at scale.
Honest about the mechanism
These are Windows's own execution-control features - CtrlOne orchestrates them, it does not replace the operating system or invent a parallel enforcement engine. And they control which programs run; they are not malware scanners. That is exactly why policy-based control pairs with antivirus and EDR.
Frequently asked questions
What is a Software Restriction Policy?
A built-in Windows feature that allows or denies programs by path, hash, or certificate. It was the original application-control mechanism; AppLocker is its more modern, more granular successor.
Does CtrlOne use SRP or AppLocker?
Both - it orchestrates Windows's own AppLocker and Software Restriction Policy mechanisms so application control works across the editions and scenarios it manages, applied centrally by group.
Do these policies detect malware?
No - they control which programs are allowed to run, not whether a file is malicious. They pair with antivirus and EDR, which handle detection.
Apply Windows application control at scale
See how CtrlOne orchestrates AppLocker and Software Restriction Policies across your fleet.