Configure Exceptions for an AppLocker Rule

Applies To: Windows 7, Windows Server 2008 R2

This topic describes the steps to specify which applications can or cannot run as exceptions to an AppLocker rule in Windows Server 2008 R2 and Windows 7.

Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see Understanding AppLocker Rule Exceptions.

You can perform this task by using Group Policy for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer.

  • To configure exceptions for a rule by using Group Policy

  • To configure exceptions for a rule by using the Local Security Policy snap-in

To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the Domain Admins group, the Enterprise Admins group, and the Group Policy Creator Owners group have this permission.

To configure exceptions for a rule by using Group Policy

  1. Click Start, click Administrative Tools, and then click Group Policy Management to open the Group Policy Management Console (GPMC).

  2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and click Edit.

  3. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  4. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click Properties.

  5. Click the Exceptions tab.

  6. In the Add exception box, select the rule type that you want to create, and then click Add.

    • For a publisher exception, click Browse, select the file that contains the publisher to exclude, and then click OK.

    • For a path exception, choose the file or folder path to exclude, and then click OK.

    • For a file hash exception, edit the file hash rule, and click Remove.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure exceptions for a rule by using the Local Security Policy snap-in

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  4. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click Properties.

  5. Click the Exceptions tab.

  6. In the Add exception box, select the rule type that you want to create, and then click Add.

    • For a publisher exception, click Browse, select the file that contains the publisher to exclude, and then click OK.

    • For a path exception, choose the file or folder path to exclude, and then click OK.

    • For a file hash exception, edit the file hash rule, and click Remove.
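After either procedure, the exceptions are stored in the policy XML as an Exceptions element under the rule, so they can be listed and reviewed from PowerShell. The following is an added example, not part of the original topic: the function name Get-AppLockerRuleException is hypothetical, and the sample policy, rule name, GUID, and paths are constructed for illustration.

```powershell
# Constructed sample policy. On a managed computer, use the live policy instead:
#   Import-Module AppLocker; $policyXml = Get-AppLockerPolicy -Effective -Xml
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files (sample)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\SampleApp\Temp\*" />
        <FilePublisherCondition PublisherName="O=SAMPLE PUBLISHER, L=CITY, S=STATE, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Hypothetical helper: emits one object per exception found on any rule.
function Get-AppLockerRuleException {
    param([Parameter(Mandatory = $true)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    # Select only rules that carry an Exceptions element.
    foreach ($rule in $doc.SelectNodes('/AppLockerPolicy/RuleCollection/*[Exceptions]')) {
        foreach ($ex in $rule.SelectNodes('Exceptions/*')) {
            switch ($ex.LocalName) {
                'FilePathCondition'      { $detail = $ex.GetAttribute('Path') }
                'FilePublisherCondition' { $detail = $ex.GetAttribute('PublisherName') }
                'FileHashCondition'      { $detail = @($ex.SelectNodes('FileHash') | ForEach-Object { $_.GetAttribute('SourceFileName') }) -join ', ' }
                default                  { $detail = $ex.OuterXml }
            }
            New-Object PSObject -Property @{
                Collection    = $rule.ParentNode.GetAttribute('Type')
                Rule          = $rule.GetAttribute('Name')
                Action        = $rule.GetAttribute('Action')
                ExceptionType = $ex.LocalName
                Detail        = $detail
            }
        }
    }
}

Get-AppLockerRuleException -PolicyXml $policyXml |
    Select-Object Collection, Rule, Action, ExceptionType, Detail |
    Format-Table -AutoSize
```

Each output row pairs a rule with one of its exceptions, which makes it easy to confirm that the exception added on the Exceptions tab is present in the policy that the computer actually applies.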