FSLogix Application Masking Configuration


Security groups for masking

Share where rules will be placed

Copy script to have rules available on VDA (copy them) in order to make use of app masking

  1. We have already installed the application apprule editor on the master image/VDA. We need to open it up and create the rules

  1. Open rule editor from your VDA (make sure you run as admin, otherwise you won`t be able to apply/save rule at the end)

  1. Create a new rule set and save it using a naming convention relevant to what you`re doing (for ease of management)

  1. Once you have saved (select „enter file name” basically saves the object with this name) you are presented with 3 possibilities of defining the rule. Most comprehensive one is the „chose from installed programs” entry.
  • For our testing, we will select „Mozilla Thunderbird”

  • After selection, we can go with „scan” to list all the entries from where app is presented to the user.

  • Once scan is complete, click ok to see the list

  • In order to test if this rule works, toggle „apply rules to system” button

  • You should notice that thunderbird app is no longer available on your desktop as „apply rules to system” radio button is toggled on. You may see the shortcut in start menu as you are looking for the app but selecting it does nothing. Logging off and back on should take care of this

  • Toggle the „apply rules to system” one more time to restore app functionality (we now know how it will behave in production)

  1. Now it is time to assign this rule to user/group objects before saving.
  • Select the „Manage Assignments” radio button

  • You will see that „Everyone” is already set as „does not apply”. This means that rule will not apply to this group. We need to add a group to which this rule will apply. If not already done so, create a group and add users as members

  • Once group was created, you can add it to the assignment rule set:

  • Once added, you will have „everyone” left with „no rule apply” and „nothunderbird” with „rule apply”

  • This means that rule will only apply to members of „nothunderbird” group.
  1. Now that the rule is done, you can create a share to have them centrally available with the right permissions, copy them over and implement the copy script

Saved rules (on VDA): C:\Users\dexanul\Documents

Source (share): \\Ddc\AppMask

Destination (VDA): C:\Program Files\FSLogix\Apps\Rules

  • Set copy script via policy in order to have the rules copied over via GPO. You will need to copy the files to full path. Relative path may result in permissions issue.

Full path:


Relative path:


  • Script itself needs to only be updated with the share where rules reside: