Deploying AppLocker Policies by Using the Enforce Rules Setting
Applies To: Windows 7, Windows Server 2008 R2
This topic describes the steps to deploy AppLocker policies by using the enforcement setting method.
To view this content that has been updated with the new Packaged app rule collection that applies to Windows Server 2012 and Windows 8, see Deploy AppLocker policies by using the Enforce Rules setting.
Background and prerequisites
These procedures assume that you have already deployed AppLocker policies with the enforcement set to Audit only, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
For information about the AppLocker policy enforcement setting, see Understanding AppLocker Enforcement Settings.
For information about how to plan an AppLocker policy deployment, see AppLocker Policies Design Guide.
Step 1: Retrieve the AppLocker policy
Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test computer. For the procedures to do this, see Export an AppLocker Policy from a GPO and Import an AppLocker Policy into a GPO. For local AppLocker policies, you can update the rule or rules by using the Local Security Policy snap-in on your AppLocker reference or test computer. For the procedures to do this, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.
Step 2: Alter the enforcement setting
Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see Understanding AppLocker Enforcement Settings. For the procedure to alter the enforcement setting, see Configure an AppLocker Policy for Audit Only.
Step 3: Update the policy
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more information about Advanced Group Policy Management, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
For the procedure to update the GPO, see Import an AppLocker Policy into a GPO.
For the procedures to distribute policies for local computers by using the Local Security Policy snap-in, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.
Step 4: Monitor the effect of the policy
When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's application access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see View the AppLocker Log in Event Viewer and Review AppLocker Events with Get-AppLockerFileInformation.
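The four steps above, carried out from a reference computer with the AppLocker PowerShell cmdlets (Get-AppLockerPolicy, Test-AppLockerPolicy, Set-AppLockerPolicy, Get-AppLockerFileInformation), as an added example that is not part of this topic. The GPO LDAP path, the working folder, the test-file path and the list of collections to switch to Enabled are assumed values to replace with your own. Step 2 is done here by editing the EnforcementMode attribute in the exported XML, an alternative to the snap-in procedure the topic references; the pre-flight Test-AppLockerPolicy run before Step 3 is also an addition, included because the topic warns that changing a live policy can have unintended results.

```powershell
# Added example (not from the original topic). Written for Windows PowerShell 2.0
# as shipped with Windows 7 / Windows Server 2008 R2. All values below marked
# "assumed" are placeholders.
Import-Module AppLocker

$GpoLdap     = 'LDAP://DC-PLACEHOLDER/CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'  # assumed
$Work        = 'C:\AppLockerWork'                       # assumed working folder
$AuditXml    = Join-Path $Work 'applocker-audit.xml'    # Step 1 output (policy as deployed in Audit only)
$EnforceXml  = Join-Path $Work 'applocker-enforce.xml'  # Step 2 output (enforcement switched on)
$Collections = @('Exe', 'Msi', 'Script')                # assumed: collections to set to Enabled; Dll left as exported
$TestFiles   = 'C:\Program Files\ExampleApp\*.exe'      # assumed: files that must still run after enforcement

if (-not (Test-Path -Path $Work)) { New-Item -ItemType Directory -Path $Work | Out-Null }

# ---- Step 1: retrieve the AppLocker policy from the GPO as XML ----
Get-AppLockerPolicy -Domain -Ldap $GpoLdap -Xml | Out-File -FilePath $AuditXml -Encoding UTF8

# ---- Step 2: alter the enforcement setting, per rule collection ----
# Enforcement is an attribute of each <RuleCollection>, never of a single rule.
[xml]$policy = Get-Content -Path $AuditXml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $mode = $rc.GetAttribute('EnforcementMode')   # '' when the attribute is absent (not configured)
    if ($Collections -contains $rc.Type) {
        # SetAttribute works whether or not the attribute already exists.
        $rc.SetAttribute('EnforcementMode', 'Enabled')
        Write-Host ("{0}: '{1}' -> Enabled" -f $rc.Type, $mode)
    }
    elseif ($mode -eq '' -and $rc.HasChildNodes) {
        # Not configured + rules present means the rules are enforced by default.
        Write-Warning ("{0} collection is not configured but contains rules; it will be enforced." -f $rc.Type)
    }
}
$policy.Save($EnforceXml)

# ---- Pre-flight check before touching the live GPO ----
# Test-AppLockerPolicy reports the decision the new policy would make for each
# file, so an unexpected Denied shows up here rather than on user desktops.
$results = Get-ChildItem -Path $TestFiles -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $EnforceXml -User Everyone
$denied = @($results | Where-Object { $_.PolicyDecision -ne 'Allowed' })
if ($denied.Count -gt 0) {
    $denied | Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize
    throw 'The enforced policy would block files that are expected to run; fix the rules before importing.'
}

# ---- Step 3: update the policy in the GPO ----
# Without -Merge the GPO's AppLocker policy is replaced by the XML file. That is
# intended here: the file is the full export from Step 1 with only the
# EnforcementMode attributes changed, so the rule set itself is unchanged.
Set-AppLockerPolicy -XmlPolicy $EnforceXml -Ldap $GpoLdap

# ---- Step 4: monitor the effect after clients refresh Group Policy ----
# Run on a client or reference computer. -Statistics aggregates the log per file,
# so one application generating many Denied events is easy to spot.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Denied -Statistics |
    Sort-Object -Property Counter -Descending |
    Format-Table -AutoSize
```

Run the script with an account that can edit the GPO; Steps 1 to 3 need the Group Policy Management Console installed on the reference computer, and Step 4 only shows results once the target computers have applied the updated GPO and users have tried to run files.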