Configure the AppLocker Reference Computer
Updated: January 8, 2015
Applies To: Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer.
An AppLocker reference computer that is used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference computer, you can:
- Maintain an application list for each business group.
- Develop AppLocker policies by creating individual rules or by creating a policy by automatically generating rules.
- Create the default rules to allow the Windows system files to run properly.
- Run tests and analyze the event logs to determine the effect of the policies that you intend to deploy.
The reference computer does not need to be joined to a domain, but it must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows as listed in Requirements to Use AppLocker.
Do not use operating system snapshots when creating AppLocker rules. If you take a snapshot of the operating system, install an application, create AppLocker rules, and then revert to a clean snapshot and repeat the process for another application, there is a chance that duplicate Rule GUIDs can be created. If duplicate GUIDs are present, AppLocker policies will not work as expected.
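The duplicate-GUID condition described above can be checked on exported policy XML before the policies are merged or deployed. The following PowerShell is an added example, not part of the original topic or of the AppLocker module; Find-DuplicateRuleId is a hypothetical helper name, the sample policies are constructed, and the script assumes each rule's GUID is in the Id attribute of the rule element, as in AppLocker's XML export.

```powershell
# Added example. Find-DuplicateRuleId is a hypothetical helper, not an AppLocker cmdlet.
function Find-DuplicateRuleId {
    param([Parameter(Mandatory = $true)][string[]]$PolicyXml)

    $rules = foreach ($text in $PolicyXml) {
        $doc = [xml]$text
        # Rule elements are the direct children of RuleCollection that carry an Id.
        foreach ($node in $doc.SelectNodes('/AppLockerPolicy/RuleCollection/*[@Id]')) {
            New-Object PSObject -Property @{
                Id         = $node.GetAttribute('Id').ToLowerInvariant()
                Name       = $node.GetAttribute('Name')
                Collection = $node.ParentNode.GetAttribute('Type')
            }
        }
    }

    # Report every Id that is carried by more than one rule.
    $rules | Group-Object Id | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{
            Id    = $_.Name
            Rules = ($_.Group | ForEach-Object { "$($_.Collection): $($_.Name)" }) -join '; '
        }
    }
}

# Constructed sample exports: two authoring sessions that produced the same rule Id.
$appA = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="App A" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\AppA\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$appB = $appA -replace 'App A', 'App B' -replace 'AppA', 'AppB'

Find-DuplicateRuleId -PolicyXml $appA, $appB | Format-List Id, Rules

# On the reference computer, check the local policy instead:
# Find-DuplicateRuleId -PolicyXml (Get-AppLockerPolicy -Local -Xml)
```

An empty result means no rule Id is shared between the policies that were passed in.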
To configure a reference computer
- If the operating system is not already installed, install one of the supported editions of Windows on the computer.
  If you have the Group Policy Management Console (GPMC) installed on another computer to test your implementation of AppLocker policies, you can export the policies to that computer.
- Configure the administrator account.
  To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have been delegated privileges to use Group Policy to update a Group Policy Object (GPO).
- Install all applications that run in the targeted business group or OU by using the same directory structure.
  The reference computer should be configured to mimic the structure of your production environment. Creating accurate rules depends on having the same applications in the same directories.
- Import the AppLocker Windows PowerShell cmdlet module.
  To use the AppLocker cmdlets, you must first import the AppLocker module by using the following command at the Windows PowerShell command prompt: C:\PS> Import-Module AppLocker. Scripting must be enabled on the computer. For information about Windows PowerShell, see the Windows PowerShell Help file (WindowsPowerShellHelp.chm). For information about using the cmdlets, see Use the AppLocker Windows PowerShell Cmdlets.
After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see Working with AppLocker Rules.