Won't this break our staff's workflows?

It would if we enforced on day one. The rollout starts in audit mode: the agent reports what's being executed without blocking. That's where we find the quiet legitimate software nobody thought to mention. The accountant's macro-heavy spreadsheet, the office manager's archaic utility, a developer's bespoke tooling. We allowlist those, then enforce. The disruption we see in the field is near zero when the rollout is sequenced properly.

What about shadow IT? Staff installing things themselves?

Application control is exactly what stops it. That's a feature, not a bug. If someone installs an unapproved tool, it doesn't run. They call the helpdesk, we decide whether to allowlist it or redirect to an approved equivalent. This is where the cultural conversation with staff happens; the technical side already handled the block.

Is this the same as antivirus?

No. Antivirus is a blocklist (it knows about bad things). Application control is an allowlist (it only lets approved things run). The difference matters because attackers change the 'bad thing' faster than antivirus can keep up. An allowlist doesn't care what the bad thing is called; if it isn't approved, it doesn't run.

How long does a proper rollout take?

Typical 50-seat business: 6 to 10 weeks end-to-end. Two weeks in audit mode to gather data, two weeks tuning the ruleset and getting exceptions signed off, then a staged enforcement rollout by department over the remaining weeks. Rushed rollouts are the ones that cause business disruption; sequenced ones don't.

Essential Eight · Control 01 of 08

Application control

Only letting approved programs run on your computers. Everything else is blocked by default.

Why this control matters

If malware can't run, it can't encrypt your files, steal your credentials, or open a back door. Application control is the single most effective technical control in the Essential Eight, and the one most businesses skip because it's harder to deploy and needs thought put into the rollout. Done properly it stops an entire class of attack cold.

The three maturity levels

Application control at Essential Eight ML1, ML2 and ML3.

These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.

ML1 The 2026 baseline

Application control prevents execution of unwanted applications in the user profile and temporary folders on workstations.

ML2 Regulated or under audit

Application control is applied to all user profile folders and to all locations on servers. Microsoft's recommended application blocklist is implemented.

ML3 Defence or sensitive

Application control rulesets are validated annually or more frequently. Blocklists of drivers with known vulnerabilities are implemented.

Not sure which level you should aim for?

The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.

Take the maturity picker

How we run it

The way CCP implements application control for clients.

We deploy application control through Microsoft Intune and Windows Defender Application Control with a phased rollout: audit mode for 7 to 14 days first, so we learn what your staff actually run. Then enforcement in batches, with scripts and macros last. Exceptions go through a ticket, not a local override. The ruleset is reviewed quarterly and validated annually as you move toward ML3.

Talk to a tech about this control See which plan includes it

Free self-assessment

No email required.

Score yourself on all eight controls, get a branded PDF.

Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.

Take the self-assessment

Common questions

What people actually ask about application control.

Won't this break our staff's workflows?: It would if we enforced on day one. The rollout starts in audit mode: the agent reports what's being executed without blocking. That's where we find the quiet legitimate software nobody thought to mention. The accountant's macro-heavy spreadsheet, the office manager's archaic utility, a developer's bespoke tooling. We allowlist those, then enforce. The disruption we see in the field is near zero when the rollout is sequenced properly.
What about shadow IT? Staff installing things themselves?: Application control is exactly what stops it. That's a feature, not a bug. If someone installs an unapproved tool, it doesn't run. They call the helpdesk, we decide whether to allowlist it or redirect to an approved equivalent. This is where the cultural conversation with staff happens; the technical side already handled the block.
Is this the same as antivirus?: No. Antivirus is a blocklist (it knows about bad things). Application control is an allowlist (it only lets approved things run). The difference matters because attackers change the 'bad thing' faster than antivirus can keep up. An allowlist doesn't care what the bad thing is called; if it isn't approved, it doesn't run.
How long does a proper rollout take?: Typical 50-seat business: 6 to 10 weeks end-to-end. Two weeks in audit mode to gather data, two weeks tuning the ruleset and getting exceptions signed off, then a staged enforcement rollout by department over the remaining weeks. Rushed rollouts are the ones that cause business disruption; sequenced ones don't.

Related controls

Related Essential Eight controls that work alongside this one.

See all eight

Control 02

Patch applications

Keeping your software up to date so it has the latest security fixes.

Read the control

Control 04

User application hardening

Turning off features in web browsers and Office that attackers commonly abuse.

Read the control

Control 05

Restrict administrative privileges

Making sure only the people who need admin rights have them, and only when they need them.

Read the control

These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model .

The qualifier

Let's see if we're a fit.

Seven questions, one moment of your time. We'd rather tell you now than three months in.