Working with AppLocker rules

Applies to

  • Windows 10
  • Windows Server

This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.

In this section

| Topic | Description |
| --- | --- |
| Create a rule that uses a file hash condition | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. |
| Create a rule that uses a path condition | This topic for IT professionals shows how to create an AppLocker rule with a path condition. |
| Create a rule that uses a publisher condition | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. |
| Create AppLocker default rules | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. |
| Add exceptions for an AppLocker rule | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. |
| Create a rule for packaged apps | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. |
| Delete an AppLocker rule | This topic for IT professionals describes the steps to delete an AppLocker rule. |
| Edit AppLocker rules | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. |
| Enable the DLL rule collection | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. |
| Enforce AppLocker rules | This topic for IT professionals describes how to enforce application control rules by using AppLocker. |
| Run the Automatically Generate Rules wizard | This topic for IT professionals describes the steps to run the wizard to create AppLocker rules on a reference device. |

The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence.

| Enforcement mode | Description |
| --- | --- |
| Not configured | This is the default setting, which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting. |
| Enforce rules | Rules are enforced. |
| Audit only | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced. |

When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied.
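Turning an Audit-only period into an allow list, as an added example that is not part of the original page: the script reads the audited launches (the ones enforcement would have blocked) from the AppLocker EXE and DLL event log, summarises them per file, and lets the AppLocker module draft publisher and hash rules from the same events. It assumes the AppLocker PowerShell module is present and that the EXE rule collection has been running in Audit only for a while; the log name and event IDs are the standard AppLocker ones.

```powershell
# Added example, not from the original page. Run on a machine whose EXE rule
# collection is in Audit only: each launch that enforcement would have blocked is
# logged as event 8003 in the "EXE and DLL" channel (8004 is the enforced block).
Import-Module AppLocker

$Log = 'Microsoft-Windows-AppLocker/EXE and DLL'

function Get-AuditedLaunches {
    # One object per audited launch, carrying the fields AppLocker records.
    param([string]$LogName = $Log, [int[]]$EventId = @(8003))
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $data.TargetUser   # SID of the account that ran the file
                FilePath = $data.FilePath     # path as AppLocker saw it (%WINDIR%\... form)
                FileHash = $data.FileHash
                Fqbn     = $data.Fqbn         # publisher\product\file\version when signed
            }
        }
}

function Get-AuditSummary {
    # Collapses the launches to one row per file: how often, and by which users.
    Get-AuditedLaunches |
        Group-Object FilePath |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'FilePath'; e = { $_.Name } },
                      @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Get-AuditSummary | Format-Table -AutoSize

# Let the module read the same events and draft rules: publisher rules where the
# file is signed, hash rules otherwise. Review the XML before merging it; a path
# rule is deliberately not requested, because an audited path may be user-writable.
Get-AppLockerFileInformation -EventLog -LogPath $Log -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Audited -Xml |
    Set-Content -LiteralPath (Join-Path $env:TEMP 'audited-exe-rules.xml') -Encoding UTF8
```

The summary is what the table above calls "which apps will be affected"; the generated XML is a starting point to merge into the policy while the collection stays in Audit only.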

Rule collections

The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.

| Rule collection | Associated file formats |
| --- | --- |
| Executable files | .exe, .com |
| Scripts | .ps1, .bat, .cmd, .vbs, .js |
| Windows Installer files | .msi, .msp, .mst |
| Packaged apps and packaged app installers | .appx |
| DLL files | .dll, .ocx |

Important: If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps.

When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used.

The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see DLL rule collection.

EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file.

Rule conditions

Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash.

  • Publisher: Identifies an app based on its digital signature
  • Path: Identifies an app by its location in the file system of the computer or on the network
  • File hash: Represents the system-computed cryptographic hash of the identified file

Publisher

This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, DLLs, Windows Installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In the case of executable files, DLLs and Windows Installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In the case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.

Note: Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions, since Windows does not support unsigned packaged apps and packaged app installers.

Note: Use a publisher rule condition when possible, because it can survive app updates as well as a change in the location of files.

When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (*) in the product, file name, or version number fields.

Note: To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the Use custom values check box. When this check box is selected, you cannot use the slider.

The File version and Package version control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:

  • Exactly. The rule applies only to this version of the app.
  • And above. The rule applies to this version and all later versions.
  • And below. The rule applies to this version and all earlier versions.

The following table describes how a publisher condition is applied.

| Option | The publisher condition allows or denies… |
| --- | --- |
| All signed files | All files that are signed by any publisher. |
| Publisher only | All files that are signed by the named publisher. |
| Publisher and product name | All files for the specified product that are signed by the named publisher. |
| Publisher and product name, and file name | Any version of the named file or package for the named product that is signed by the publisher. |
| Publisher, product name, file name, and file version: Exactly | The specified version of the named file or package for the named product that is signed by the publisher. |
| Publisher, product name, file name, and file version: And above | The specified version of the named file or package and any new releases for the product that are signed by the publisher. |
| Publisher, product name, file name, and file version: And below | The specified version of the named file or package and any earlier versions for the product that are signed by the publisher. |
| Custom | You can edit the Publisher, Product name, File name, Version, Package name, and Package version fields to create a custom rule. |
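How the three version options are written into AppLocker policy XML, as an added example that is not part of the original page: the function emits a FilePublisherRule for Exactly, And above, or And below, and the final command shows the module reading the signature and extended attributes from a reference file instead. The publisher subject, product, file name, version and reference-file path are constructed sample values, not taken from a real binary.

```powershell
# Added example, not from the original page. Publisher/product/file/version
# values are constructed samples; the reference-file path at the end is a placeholder.
Import-Module AppLocker

function New-PublisherRuleXml {
    param(
        [Parameter(Mandatory)][string]$Publisher,
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][string]$BinaryName,
        [Parameter(Mandatory)][version]$Version,
        [Parameter(Mandatory)][ValidateSet('Exactly', 'AndAbove', 'AndBelow')][string]$Scope,
        [string]$UserOrGroupSid = 'S-1-1-0'   # Everyone
    )
    # The version option lives in BinaryVersionRange:
    #   Exactly   -> LowSection and HighSection both pinned to the version
    #   And above -> LowSection pinned, HighSection "*"
    #   And below -> LowSection "*",   HighSection pinned
    # A "*" in ProductName or BinaryName generalises the rule the same way
    # moving the slider up does in the wizard.
    switch ($Scope) {
        'Exactly'  { $low = "$Version"; $high = "$Version" }
        'AndAbove' { $low = "$Version"; $high = '*' }
        'AndBelow' { $low = '*';        $high = "$Version" }
    }
    @"
<FilePublisherRule Id="$([guid]::NewGuid())" Name="$Product $BinaryName $Scope $Version" Description="" UserOrGroupSid="$UserOrGroupSid" Action="Allow">
  <Conditions>
    <FilePublisherCondition PublisherName="$Publisher" ProductName="$Product" BinaryName="$BinaryName">
      <BinaryVersionRange LowSection="$low" HighSection="$high" />
    </FilePublisherCondition>
  </Conditions>
</FilePublisherRule>
"@
}

$publisher = 'O=CONTOSO LTD, L=SEATTLE, S=WASHINGTON, C=US'   # constructed sample subject

foreach ($scope in 'Exactly', 'AndAbove', 'AndBelow') {
    New-PublisherRuleXml -Publisher $publisher -Product 'CONTOSO TOOL' `
        -BinaryName 'TOOL.EXE' -Version '2.5.0.0' -Scope $scope
}

# Wizard equivalent: read the signature and extended attributes from a reference
# file and let the module write the rule XML for review.
Get-AppLockerFileInformation -Path 'C:\Program Files\Contoso\Tool.exe' |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix Contoso -Xml
```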

Path

This rule condition identifies an application by its location in the file system of the computer or on the network.

AppLocker uses custom path variables for well-known paths, such as Program Files and Windows.

The following table details these path variables.

| Windows directory or disk | AppLocker path variable | Windows environment variable |
| --- | --- | --- |
| Windows | %WINDIR% | %SystemRoot% |
| System32 and SysWOW64 | %SYSTEM32% | %SystemDirectory% |
| Windows installation directory | %OSDRIVE% | %SystemDrive% |
| Program Files | %PROGRAMFILES% | %ProgramFiles% and %ProgramFiles(x86)% |
| Removable media (for example, a CD or DVD) | %REMOVABLE% | |
| Removable storage device (for example, a USB flash drive) | %HOT% | |

Important: Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard-user-writable locations, such as a user profile.
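A check for the risk described in the note above, as an added example that is not part of the original page: before a path rule allows one of the roots in the table, the script walks that root and reports every folder in which a standard-user principal holds write rights, so each hit can become a rule exception or be covered by a publisher rule instead. It maps the AppLocker variables to the Windows environment variables from the table; the set of "standard user" SIDs and the write-rights mask are the author's assumptions, not AppLocker's.

```powershell
# Added example, not from the original page. Audits the folders under a path
# variable's root for standard-user write access before that root is allowed by
# a path rule. Well-known SIDs stand in for "standard users"; adjust as needed.
$AppLockerRoots = @{
    '%WINDIR%'       = @($env:SystemRoot)
    '%SYSTEM32%'     = @([Environment]::SystemDirectory)
    '%OSDRIVE%'      = @($env:SystemDrive + '\')
    '%PROGRAMFILES%' = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
}

$StandardUserSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a principal place or change a file in the folder.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Resolve-SidString {
    # Name-based ACEs are compared by SID so localisation does not matter.
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
}

function Get-UserWritableFolders {
    # Emits one object per folder under the root(s) where a standard-user SID has an
    # Allow ACE that includes any write right. Inherited ACEs count too: the point is
    # what a user can do there, not how the permission got there.
    param([Parameter(Mandatory)][ValidateSet('%WINDIR%', '%SYSTEM32%', '%OSDRIVE%', '%PROGRAMFILES%')][string]$AppLockerVariable)
    foreach ($root in $AppLockerRoots[$AppLockerVariable]) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                try { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop } catch { return }
                $hits = $acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    (([int]$_.FileSystemRights -band $WriteMask) -ne 0) -and
                    ((Resolve-SidString $_.IdentityReference) -in $StandardUserSids)
                }
                if ($hits) {
                    [pscustomobject]@{
                        Variable   = $AppLockerVariable
                        Folder     = $_.FullName
                        Principals = (($hits.IdentityReference.Value | Sort-Object -Unique) -join ', ')
                    }
                }
            }
    }
}

# Each result is a candidate exception for a %WINDIR%\* allow rule, or a reason to
# prefer publisher rules for what lives there. A full Windows directory can take
# several minutes; pipe to Export-Csv to keep the findings.
Get-UserWritableFolders -AppLockerVariable '%WINDIR%' | Format-Table -AutoSize
```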

File hash

When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules.

AppLocker default rules

AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see Understanding AppLocker default rules, and for steps, see Create AppLocker default rules.

Executable default rule types include:

  • Allow members of the local Administrators group to run all apps.
  • Allow members of the Everyone group to run apps that are located in the Windows folder.
  • Allow members of the Everyone group to run apps that are located in the Program Files folder.

Script default rule types include:

  • Allow members of the local Administrators group to run all scripts.
  • Allow members of the Everyone group to run scripts that are located in the Program Files folder.
  • Allow members of the Everyone group to run scripts that are located in the Windows folder.

Windows Installer default rule types include:

  • Allow members of the local Administrators group to run all Windows Installer files.
  • Allow members of the Everyone group to run all digitally signed Windows Installer files.
  • Allow members of the Everyone group to run all Windows Installer files that are located in the Windows\Installer folder.

DLL default rule types:

  • Allow members of the local Administrators group to run all DLLs.
  • Allow members of the Everyone group to run DLLs that are located in the Program Files folder.
  • Allow members of the Everyone group to run DLLs that are located in the Windows folder.

Packaged apps default rule types:

  • Allow members of the Everyone group to install and run all signed packaged apps and packaged app installers.

AppLocker rule behavior

If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in %SystemDrive%\FilePath to run, only executable files located in that path are allowed to run.

A rule can be configured to use allow or deny actions:

  • Allow. You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
  • Deny. You can specify which files are not allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.

Important: For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions, but understand that deny actions override allow actions in all cases, and can be circumvented.

Important: If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.

Rule exceptions

You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor.

The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor.
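The two rules from this section written as AppLocker policy XML, as an added example that is not part of the original page: "Allow everyone to run Windows except Registry Editor" is a path rule for %WINDIR%\* with an exception, and the second rule grants the Help Desk group regedit.exe; no deny rule is used, so the second rule is not overridden. The collection is put in Audit only and evaluated with Test-AppLockerPolicy before anything is applied. Rule GUIDs are generated, and the Help Desk group SID is a placeholder to replace with your own group's SID.

```powershell
# Added example, not from the original page. The Help Desk SID is a placeholder;
# everything else uses the rules exactly as the text describes them.
Import-Module AppLocker

$HelpDeskSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'   # placeholder group SID

$Policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow everyone to run Windows except Registry Editor" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <!-- The exception carves regedit.exe out of the allow; it is not a deny rule. -->
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Help Desk to run Registry Editor" Description="" UserOrGroupSid="$HelpDeskSid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$PolicyFile = Join-Path $env:TEMP 'regedit-exception.xml'
Set-Content -LiteralPath $PolicyFile -Value $Policy -Encoding UTF8

# Evaluate without applying. For Everyone, notepad.exe matches the first rule;
# regedit.exe falls inside its exception and therefore has no matching allow rule.
$regedit = Join-Path $env:SystemRoot 'regedit.exe'
$notepad = Join-Path $env:SystemRoot 'notepad.exe'
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $regedit, $notepad -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only once the decisions match the intent: merge into the local policy (still
# Audit only) and review the event log before changing EnforcementMode to "Enabled".
# Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
```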

DLL rule collection

Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable the DLL rule collection

  1. Click Start, type secpol.msc, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, double-click Application Control Policies, right-click AppLocker, and then click Properties.

  4. Click the Advanced tab, select the Enable the DLL rule collection check box, and then click OK.

    Important: Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.

AppLocker wizards

You can create rules by using two AppLocker wizards:

  1. The Create Rules Wizard enables you to create one rule at a time.
  2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or, in the case of packaged apps, let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.

Additional considerations

  • By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications.

  • There are two types of AppLocker conditions that do not persist following an update of an app:

    • A file hash condition. File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released.

    • A publisher condition with a specific product version set. If you create a publisher rule condition that uses the Exactly version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.

  • If an app is not digitally signed, you cannot use a publisher rule condition for that app.

  • AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.

  • The packaged apps and packaged app installers rule collection is available on devices running at least Windows Server 2012 and Windows 8.

  • When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection does not contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.

  • When an AppLocker rule collection is set to Audit only, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.

  • A custom configured URL can be included in the message that is displayed when an app is blocked.

  • Expect an increase in the number of Help Desk calls initially because of blocked apps, until users understand that they cannot run apps that are not allowed.