
AppLocker Policies Deployment Guide

Microsoft Corporation

Published: April 2011

Abstract

This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker for Windows Server 2008 R2 and Windows 7. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.


Copyright information

This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, AppLocker, Internet Explorer, RemoteApp, PowerShell, Windows, Windows Vista, and Windows Server are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents

AppLocker Policies Deployment Guide...........................................................................................6

Purpose of this guide................................................................................................................... 6

Prerequisites to deploying AppLocker policies............................................................................6

Contents of this guide.................................................................................................................. 6

Additional resources.................................................................................................................... 7

Understanding the AppLocker Policy Deployment Process............................................................7

Resources in support of the deployment process........................................................................9

Requirements for Deploying AppLocker Policies............................................................................9

Your deployment plan...............................................................................................................9

Supported operating systems.................................................................................................11

Your policy distribution mechanism........................................................................................12

Your event collection and analysis system.............................................................................12

Using Software Restriction Policies with AppLocker Policies........................................................13

Understanding the difference between SRP and AppLocker.....................................................13

Using SRP and AppLocker together..........................................................................................13

Testing and validating SRP policies and AppLocker policies that are deployed in the same environment.................14

Step 1: Test the effect of SRP policies...................................................................................14

Step 2: Test the effect of AppLocker policies..........................................................................15

Creating Your AppLocker Policies.................................................................................................15

AppLocker policy deployment steps..........................................................................................15

Step 1: Use your plan.............................................................................................................15

Step 2: Create your rules and rule collections........................................................................16

Step 3: Configure the enforcement setting.............................................................................16

Step 4: Update the GPO........................................................................................................16

Step 5: Test the effect of the policy.........................................................................................16

Step 6: Implement the policy..................................................................................................16

Step 7: Test the effect of the policy and adjust.......................................................................16

Next steps................................................................................................................................. 16

Creating Your AppLocker Rules....................................................................................................17

Creating AppLocker rules..........................................................................................................17

Automatically generate your rules..........................................................................................17

Create your rules individually.................................................................................................17

About selecting rules.................................................................................................................18

Next steps................................................................................................................................. 18


Testing and Updating an AppLocker Policy...................................................................................18

Step 1: Enable the Audit only enforcement setting....................................................................19

Step 2: Configure the Application Identity service to start automatically....................................19

Step 3: Test the policy...............................................................................................................19

Step 4: Analyze AppLocker events............................................................................................19

Step 5: Modify the AppLocker policy..........................................................................................20

Step 6: Repeat policy testing, analysis, and policy modification................................................20

Deploying the AppLocker Policy into Production...........................................................................20

Understanding your design decisions....................................................................................21

AppLocker deployment methods............................................................................................21

Deploying AppLocker Policies by Using the Enforce Rules Setting..............................................21

Background and prerequisites...................................................................................................21

Step 1: Retrieve the AppLocker policy.......................................................................................22

Step 2: Alter the enforcement setting.........................................................................................22

Step 3: Update the policy..........................................................................................................22

Step 4: Monitor the effect of the policy......................................................................................23

Using a Reference Computer to Create and Maintain AppLocker Policies...................................23

Background and prerequisites...................................................................................................23

Step 1: Automatically generate rules on the reference computer..............................................23

Step 2: Create the default rules on the reference computer......................................................24

Step 3: Modify rules and the rule collection on the reference computer....................................24

Step 4: Test and update the policy on the reference computer..................................................24

Step 5: Export and import the policy into production.................................................................25

Step 6: Monitor the effect of the policy in production.................................................................25

Determine Which Applications Are Digitally Signed on a Reference Computer............................26

Configure the AppLocker Reference Computer............................................................................26

Additional resources...............................................................................................................27

Maintaining AppLocker Policies....................................................................................................27

Maintaining AppLocker policies by using Group Policy..............................................................28

Step 1: Understand the current behavior of the policy...........................................................28

Step 2: Export the AppLocker policy from the GPO...............................................................29

Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule...................29

Step 4: Test the AppLocker policy..........................................................................................29

Step 5: Import the AppLocker policy into the GPO.................................................................29

Step 6: Monitor the resulting policy behavior..........................................................................29

Maintaining AppLocker policies by using the Local Security Policy snap-in..............................29

Step 1: Understand the current behavior of the policy...........................................................30

Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule..............30

Step 3: Test the AppLocker policy..........................................................................................30


Step 4: Deploy the policy with the modified rule.....................................................................30

Step 5: Monitor the resulting policy behavior..........................................................................30

Additional resources..................................................................................................................30


AppLocker Policies Deployment Guide

This topic for the IT professional introduces the concepts and describes the steps required to deploy AppLocker™ policies in Windows Server® 2008 R2 and Windows® 7.

Purpose of this guide

This guide provides steps based on your design and planning investigation for deploying application control policies by using AppLocker. It is intended for security architects, security administrators, and system administrators. Through a sequential and iterative deployment process, you can create application control policies, test and adjust the policies, and implement a method for maintaining those policies as the needs in your organization change.

This guide covers the use of Software Restriction Policies (SRP) in conjunction with AppLocker policies to control application usage. For a comparison of SRP and AppLocker, see Using Software Restriction Policies with AppLocker Policies in this guide. To understand if AppLocker is the correct application control solution for you, see Understanding AppLocker Policy Design Decisions.

For a web version of this document, see AppLocker Policies Deployment Guide in the Windows Server Technical Library.

Prerequisites to deploying AppLocker policies

The following are prerequisites or recommendations to deploying policies:

- Understand the capabilities of AppLocker:
  - AppLocker Technical Overview
  - AppLocker Step-by-Step Guide
- Document your application control policy deployment plan by addressing these tasks:
  - Understanding the AppLocker Policy Deployment Process
  - Understanding AppLocker Policy Design Decisions
  - Determining Your Application Control Objectives
  - Creating the List of Applications Deployed to Each Business Group
  - Selecting the Types of Rules to Create
  - Determining Group Policy Structure and Rule Enforcement
  - Planning for AppLocker Policy Management
  - Creating Your AppLocker Planning Document


Contents of this guide

This guide provides steps based on your design and planning investigation for deploying application control policies created and maintained by AppLocker for computers running Windows Server 2008 R2 and Windows 7. It contains the following topics:

- Understanding the AppLocker Policy Deployment Process
- Requirements for Deploying AppLocker Policies
- Using Software Restriction Policies with AppLocker Policies
- Creating Your AppLocker Policies
- Deploying the AppLocker Policy into Production
- Maintaining AppLocker Policies

Additional resources

Using Software Restriction Policies to Protect Against Unauthorized Software (http://go.microsoft.com/fwlink/?LinkID=155634)

This TechNet article is about SRP in Windows XP and Windows Server 2003 and is also applicable to Windows Vista® and Windows Server 2008. It provides an in-depth look at how software restriction policies can be used to fight viruses, regulate which ActiveX controls can be downloaded, run only digitally signed scripts, and enforce that only approved software is installed on system computers.

Software Restriction Policies

This collection of Windows Server 2003 product help topics describes the concepts to understand and the steps to implement and maintain SRP.

AppLocker

This topic lists AppLocker documentation resources for the IT professional.

Understanding the AppLocker Policy Deployment Process

This planning and deployment topic describes the process to use AppLocker when deploying application control policies in Windows Server 2008 R2 and Windows 7.

To successfully deploy AppLocker policies, you need to identify your application control objectives and construct the policies for those objectives. The key to the process is the accurate inventory of your organization's applications, which requires investigation with all the targeted business groups. With an accurate inventory, you can create rules and set enforcement criteria that will allow the organization to use the required applications and allow the IT department to manage a controlled set of applications.


The following diagram shows the main points in the design, planning, and deployment process for AppLocker.


Resources in support of the deployment process

The following documentation contains information about designing, planning, deploying, and maintaining AppLocker policies:

- For information about the AppLocker policy design and planning requirements and process, see the AppLocker Policies Design Guide.
- For information about the AppLocker policy deployment requirements and process, see the AppLocker Policies Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=160260).
- For information about AppLocker policy maintenance and monitoring, see the AppLocker Operations Guide (http://go.microsoft.com/fwlink/?LinkId=160259).
- For information about AppLocker policy architecture, components, and processing, see the AppLocker Technical Reference (http://go.microsoft.com/fwlink/?LinkId=160263).

Requirements for Deploying AppLocker Policies

This deployment topic lists the requirements you need to meet before deploying AppLocker policies.

The following requirements must be met or addressed before deploying your AppLocker policies:

- Your deployment plan
- The supported operating systems
- Your policy distribution mechanism
- Your event collection and analysis system

Your deployment plan

An AppLocker policy deployment plan is the result of investigating what applications are required and necessary in your organization, what applications are optional, and what applications are forbidden. To develop this plan, see Planning Application Control Policies by Using AppLocker. The following table is an example of the data you need to collect and the decisions you need to make in order to successfully deploy AppLocker policies on computers running Windows Server 2008 R2 or Windows 7.

| Business group | Organizational unit | Implement AppLocker? | Applications | Installation path | Use default rule or define new rule condition | Allow or deny | GPO name | Support policy |
|---|---|---|---|---|---|---|---|---|
| Bank Tellers | Teller-East and Teller-West | Yes | Teller software | C:\Program Files\Woodgrove\Teller.exe | File is signed; create a publisher condition | Allow | Tellers | Web help |
| | | | Windows files | C:\Windows | Create a path exception to the default rule to exclude \Windows\Temp | Allow | | Help desk |
| Human Resources | HR-All | Yes | Check Payout | C:\Program Files\Woodgrove\HR\Checkcut.exe | File is signed; create a publisher condition | Allow | HR | Web help |
| | | | Time Sheet Organizer | C:\Program Files\Woodgrove\HR\Timesheet.exe | File is not signed; create a file hash condition | Allow | | Web help |
| | | | Internet Explorer 7 | C:\Program Files\Internet Explorer\ | File is signed; create a publisher condition | Deny | | Help desk |
| | | | Windows files | C:\Windows | Use the default rule for the Windows path | Allow | | Help desk |


Event processing policy

| Business group | AppLocker event collection location | Archival policy | Analyzed? | Security policy |
|---|---|---|---|---|
| Bank Tellers | Forwarded to: srvBT093 | Standard | None | Standard |
| Human Resources | DO NOT FORWARD | 60 months | Yes; summary reports monthly to managers | Standard |

Policy maintenance policy

| Business group | Rule update policy | Application decommission policy | Application version policy | Application deployment policy |
|---|---|---|---|---|
| Bank Tellers | Planned: monthly through business office triage. Emergency: request through help desk | Through business office triage; 30-day notice required | General policy: keep past versions for 12 months. List policies for each application | Coordinated through business office; 30-day notice required |
| Human Resources | Planned: through HR triage. Emergency: request through help desk | Through HR triage; 30-day notice required | General policy: keep past versions for 60 months. List policies for each application | Coordinated through HR; 30-day notice required |

Supported operating systems

AppLocker is supported only on the following editions of these operating systems:

| Operating system/edition | AppLocker policies created and maintained | AppLocker policies deployed |
|---|---|---|
| Windows Server 2008 R2 Standard | Yes | Yes |
| Windows Server 2008 R2 Enterprise | Yes | Yes |
| Windows Server 2008 R2 Datacenter | Yes | Yes |
| Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes |
| Windows 7 Professional | Yes | No |
| Windows 7 Ultimate | Yes | Yes |
| Windows 7 Enterprise | Yes | Yes |

Software Restriction Policies are supported on versions of Windows beginning with Windows XP and Windows Server 2003, including the versions listed above. However, the SRP Basic User feature is not supported on the operating systems listed above.

Your policy distribution mechanism

AppLocker uses Group Policy management architecture to effectively distribute application control policies. AppLocker policies can also be configured on individual computers by using the Local Security Policy snap-in. You will need a way to distribute the AppLocker policies throughout the targeted business group.

Your event collection and analysis system

Event processing is important to understand application usage. You must have a process in place to collect and analyze AppLocker events so that application usage is appropriately restricted and understood. For procedures to monitor AppLocker events, see:

- Configure an AppLocker Policy for Audit Only
- Configure an AppLocker Policy for Enforce Rules
- View the AppLocker Log in Event Viewer
- Review AppLocker Events with Get-AppLockerFileInformation
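The collection and analysis step above is easier to reason about with something concrete to run against the AppLocker logs. The following PowerShell is an added example, not code from the guide: it reads the audited and blocked events from the two AppLocker logs (the log names and event IDs are the ones AppLocker writes), resolves the user SID, and groups the hits per file so that a reviewer can see which applications still lack a rule. The collector name, the time window and the CSV path are assumptions.

```powershell
# Added example, not part of the guide: summarise the AppLocker events that the
# collection and analysis step is about. Log names and event IDs are the ones
# AppLocker writes; the collector name and time window are constructed.

function Convert-SidToAccountName([string]$Sid) {
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # keep the raw SID if it cannot be resolved (deleted account, other forest)
    }
}

function Get-AppLockerEventSummary {
    param(
        [string]$ComputerName,                          # a collector such as srvBT093 in the plan; omit for the local logs
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    # Audited = the file ran but would have been blocked under Enforce rules;
    # Blocked = the file was actually stopped. Allowed events (8002/8005) are
    # skipped because they are high-volume and rarely call for a rule change.
    $logs = @(
        @{ Name = 'Microsoft-Windows-AppLocker/EXE and DLL';    Audited = 8003; Blocked = 8004 }
        @{ Name = 'Microsoft-Windows-AppLocker/MSI and Script'; Audited = 8006; Blocked = 8007 }
    )

    $records = foreach ($log in $logs) {
        $query = @{
            FilterHashtable = @{ LogName = $log.Name; Id = @($log.Audited, $log.Blocked); StartTime = $StartTime }
            ErrorAction     = 'SilentlyContinue'   # Get-WinEvent throws when no event matches
        }
        if ($ComputerName) { $query.ComputerName = $ComputerName }

        foreach ($e in (Get-WinEvent @query)) {
            # The file, rule and user fields live in UserData, so read the event XML.
            $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
            $outcome = if ($e.Id -eq $log.Audited) { 'Audited' } else { 'Blocked' }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Outcome   = $outcome
                FilePath  = $data.FilePath
                Publisher = $data.Fqbn      # empty for unsigned files
                User      = Convert-SidToAccountName $data.TargetUser
                RuleName  = $data.RuleName
            }
        }
    }

    # One line per file and outcome, busiest first. Frequent audited hits on a
    # known application mean a missing allow rule; hits on unknown binaries in
    # user-writable paths are what the analysis step should escalate.
    $records | Group-Object FilePath, Outcome | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            FilePath  = $first.FilePath
            Outcome   = $first.Outcome
            Count     = $_.Count
            Users     = ($_.Group | Select-Object -ExpandProperty User | Sort-Object -Unique) -join ', '
            Publisher = $first.Publisher
            LastSeen  = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Count -Descending
}

# Usage: monthly summary for the local computer, or for a business group's collector.
Get-AppLockerEventSummary -StartTime (Get-Date).AddDays(-30) | Format-Table -AutoSize
# Get-AppLockerEventSummary -ComputerName srvBT093 | Export-Csv .\applocker-audit.csv -NoTypeInformation

# The AppLocker cmdlet gives a simpler per-file count for one local log:
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited -Statistics
```

Run it where the events are collected: on each computer if the business group's policy is "DO NOT FORWARD", or on the collector named in the event processing policy. The grouped output is the input to the policy maintenance triage in the tables above; the raw per-event records can be kept for the archival period the policy specifies.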


Using Software Restriction Policies with AppLocker Policies

This topic describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same deployment for Windows operating systems beginning with Windows XP and Windows Server 2003 and including Windows Server 2008 R2 and Windows 7.

Understanding the difference between SRP and AppLocker

You might want to deploy application control policies onto Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported editions of Windows Server 2008 R2 and Windows 7, but you can use SRP on supported editions of Windows beginning with Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see Determine Your Application Control Objectives.

Using SRP and AppLocker together

Both SRP and AppLocker use Group Policy for domain management. However, when both SRP policies and AppLocker policies exist in the same Group Policy object (GPO), AppLocker policies will take precedence over SRP policies on computers running Windows Server 2008 R2 or Windows 7. For information about how inheritance in Group Policy applies to AppLocker policies and SRP policies, see Understanding AppLocker Rules and Enforcement Setting Inheritance in Group Policy.

As an example of how both types of policy would affect the bank's "Teller software" application, consider the following scenario where the application is deployed on different Windows desktop operating systems and managed by the Tellers GPO.

| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP policy | Tellers GPO with both AppLocker policy and SRP policy |
|---|---|---|---|
| Windows 7 | AppLocker policies in the GPO are applied and supersede any local AppLocker policies. | Local AppLocker policies supersede any SRP policies applied through the GPO. | AppLocker policies in the GPO are applied and supersede the SRP policies in the GPO and any local AppLocker policies or SRP policies. |
| Windows Vista | AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied. |
| Windows XP | AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied. | SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied. |

For information about supported versions and editions of the operating system, see Supported operating systems.

Testing and validating SRP policies and AppLocker policies that are deployed in the same environment

Because SRP policies and AppLocker policies function differently but can exist in the same GPO or in linked GPOs, testing the result of the policy is critical to successfully controlling application usage in the targeted organization. Configuring a testing and policy distribution system can aid in understanding the result of a policy. The effects of SRP policies and AppLocker policies need to be tested separately and by using different tools even when in the same GPO.

Step 1: Test the effect of SRP policies

You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRP policies by using GPOs. For information about using RSoP, see Resultant Set of Policy. For information about using the GPMC, see Group Policy Management Console.

Step 2: Test the effect of AppLocker policies

You can test AppLocker policies by using Windows PowerShell cmdlets. For information about investigating the result of a policy, see Test an AppLocker Policy with Test-AppLockerPolicy and Review AppLocker Events with Get-AppLockerFileInformation.

Note

Another method to use when determining the result of a policy is to set the enforcement mode to audit-only. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For information about using the audit-only mode, see Understanding AppLocker Enforcement Settings and Configure an AppLocker Policy for Audit Only.

Creating Your AppLocker Policies

This overview topic describes the steps to create an AppLocker policy and prepare it for deployment.

AppLocker policy deployment steps

Creating effective application control policies with AppLocker starts by creating the rules for each application. Rules are grouped into one of four rule collections. The rule collection then can be configured to be enforced or to run in an audit-only mode. An AppLocker policy includes the rules in the four rule collections and the enforcement settings for each rule collection.

Step 1: Use your plan

You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to do this and what you should consider, see the AppLocker Policies Design Guide. The guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group:

1. Understanding the AppLocker Policy Deployment Process
2. Understanding AppLocker Policy Design Decisions
3. Determining Your Application Control Objectives
4. Creating the List of Applications Deployed to Each Business Group
5. Selecting the Types of Rules to Create
6. Determining Group Policy Structure and Rule Enforcement
7. Planning for AppLocker Policy Management
8. Creating Your AppLocker Policy Deployment Design Document

Step 2: Create your rules and rule collections

Each rule applies to one or more applications and imposes a specific rule condition upon them. Rules can be created individually or can be generated by the Automatically Generate Rules wizard. For steps to create the rules, see Creating Your AppLocker Rules.


Step 3: Configure the enforcement setting

An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be Enforce rules, Audit only, or Not configured. If an AppLocker policy has at least one rule and is set to Not configured, all the rules in that policy will be enforced. For information about configuring this setting, see Configure an AppLocker Policy for Audit Only and Configure an AppLocker Policy for Enforce Rules.

Step 4: Update the GPO

AppLocker policies can be defined locally on a computer or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must either create a new Group Policy object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies using the Group Policy Management Console (GPMC) or you can import an AppLocker policy into a GPO. For the procedure to do this, see Import an AppLocker Policy into a GPO.

Step 5: Test the effect of the policy

Either in a test environment, or with the enforcement setting set at Audit only, verify that the results of the policy are what you intended. For information about testing a policy, see Testing and Updating an AppLocker Policy.

Step 6: Implement the policy

Depending upon your deployment method, either import the AppLocker policy to the GPO in your production environment or, if the policy is already deployed, change the enforcement setting to your production environment value, either Enforce rules or Audit only.

Step 7: Test the effect of the policy and adjust

Validate the effect of the policy by analyzing the AppLocker logs for application usage, and modify the policy as necessary. To do this, see Discovering the Effect of an AppLocker Policy.
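Steps 2 through 6 above, plus the Test-AppLockerPolicy check that "Step 2: Test the effect of AppLocker policies" refers to, as one PowerShell run. This is an added example, not a script from the guide: it generates rules from a reference installation, forces every populated rule collection to Audit only so that the "Not configured means enforced" rule in Step 3 cannot bite, evaluates the XML against real files, and shows the GPO import. The reference directory, the GPO LDAP path and the output file are assumptions; the cmdlets and their parameters are the AppLocker module's own.

```powershell
# Added example, not from the guide: steps 2 to 6 of "AppLocker policy deployment
# steps" as one script. The reference directory, the GPO LDAP path and the output
# path are constructed placeholders.

$referenceDir = 'C:\Program Files\Woodgrove'   # install root on the reference computer (assumed)
$policyFile   = Join-Path $env:TEMP 'Woodgrove-AppLocker-AuditOnly.xml'
$gpoLdapPath  = 'LDAP://dc01.corp.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example'

# Step 2: create the rules. Publisher conditions for signed files, hash
# conditions as the fallback for unsigned ones; -Optimize collapses files that
# share a publisher into one rule. Path rules are deliberately not generated:
# a path rule is only as strong as the ACL on that path.
$fileInfo = Get-AppLockerFileInformation -Directory $referenceDir -Recurse -FileType Exe
[xml]$policy = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix Woodgrove -Optimize -Xml

# Step 3: set every rule collection that contains rules to Audit only. A
# collection with rules and EnforcementMode "NotConfigured" is enforced, so do
# this before the policy reaches any computer.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.ChildNodes.Count -gt 0) {
        $collection.SetAttribute('EnforcementMode', 'AuditOnly')
    }
}
$policy.Save($policyFile)

# Step 5 (dry run): evaluate the XML against real files without applying it.
# notepad.exe is included on purpose: the generated policy has no default rules
# for the Windows folder, so it reports DeniedByDefault until the default rules
# are created in the snap-in (see "Create AppLocker Default Rules").
$testPaths = @(Get-ChildItem -Path $referenceDir -Recurse -Filter *.exe | Select-Object -ExpandProperty FullName)
$testPaths += "$env:SystemRoot\System32\notepad.exe"
$results = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $testPaths -User Everyone
$results | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

$unexpected = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' -and $_.FilePath -like "$referenceDir*" }
if ($unexpected) {
    Write-Warning ("{0} reference-computer file(s) would not be allowed; fix the rules before importing." -f @($unexpected).Count)
}

# Steps 4 and 6: import into the GPO. Left commented so the script is safe to run
# as-is; enable it once the dry run above looks right.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdapPath

# Alternative for a local test computer (elevation required): -Merge keeps any
# existing local rules, and the Application Identity service must be running
# for the audit events to be written.
# Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# Set-Service -Name AppIDSvc -StartupType Automatic; Start-Service -Name AppIDSvc
```

Step 7 is the event review in "Your event collection and analysis system": after the policy has run in Audit only for a representative period, the audited events show which files the generated rules missed, and the XML file is edited and re-imported with the same cmdlets.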

Next steps

Follow the steps described in the topics below to continue the deployment process:

1. Creating Your AppLocker Rules
2. Testing and Updating an AppLocker Policy
3. Deploying the AppLocker Policy into Production

Creating Your AppLocker Rules

This topic describes what you need to know about AppLocker rules and the different methods to create rules.


Creating AppLocker rules

AppLocker rules apply to the targeted application and are the components that make up the AppLocker policy. Depending on your IT environment and the business group requiring application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can create rules by using either of the following methods. However, creating rules derived from your planning document can help you avoid unintended results. For information about this planning document and other planning activities, see AppLocker Policies Design Guide.

Automatically generate your rules

With a reference computer, you can automatically create a set of default rules for each of the installed applications, test and modify each rule as necessary, and deploy the policies. Creating most of the rules for all the installed applications gives you a starting point to build and test your policies. For information about performing this task, see the following:

- Configure the AppLocker Reference Computer
- Run the Automatically Generate Rules Wizard
- Create AppLocker Default Rules
- Edit AppLocker Rules
- Configure Exceptions for an AppLocker Rule

Create your rules individually

You can create rules and set the mode to audit only for each of the installed applications, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group.

Note

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For information about creating the default rules for the Windows operating system, see Create AppLocker Default Rules. You can edit the default rules.

For information about performing this task, see the following:

- Create a Rule that Uses a Publisher Condition
- Create a Rule That Uses a Path Condition
- Create a Rule That Uses a File Hash Condition
- Edit AppLocker Rules
- Enforce AppLocker Rules
- Configure an AppLocker Policy for Audit Only

About selecting rules

AppLocker policies are composed of distinct rules for specific applications. These rules are grouped by collection and implemented through an AppLocker policy definition. AppLocker policies are managed either by using Group Policy or by using the Local Security Policy snap-in for a single computer.

When determining what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Different rule types are more applicable for some applications, depending on the way that the applications are deployed in a specific business group.

For information about how to determine and document your AppLocker rules, see AppLocker Policies Design Guide.

For information about AppLocker rules and AppLocker policies, see the following topics:

Understanding AppLocker Rule Behavior

Understanding AppLocker Rule Exceptions

Understanding AppLocker Rule Collections

Understanding AppLocker Allow and Deny Actions on Rules

Understanding AppLocker Rule Condition Types

Understanding AppLocker Default Rules

Next steps

1. Import an AppLocker Policy into a GPO or Import an AppLocker Policy from Another Computer

2. Testing and Updating an AppLocker Policy

3. Deploying the AppLocker Policy into Production

Testing and Updating an AppLocker Policy

This topic discusses the steps required to test an AppLocker policy prior to deployment.

You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.

Step 1: Enable the Audit only enforcement setting

By using the Audit only enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the Enforcement tab of the AppLocker Properties dialog box. For the procedure to do this, see Configure an AppLocker Policy for Audit Only.

Step 2: Configure the Application Identity service to start automatically

Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see Start the Application Identity Service. For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each computer in order for the policies to be applied.

Step 3: Test the policy

Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the Audit only enforcement setting, the AppLocker policy should be present on all client computers that are configured to receive your AppLocker policy.

The Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference computers. For the procedure to do this, see Test an AppLocker Policy with Test-AppLockerPolicy.

Step 4: Analyze AppLocker events

You can either manually analyze AppLocker events or use the Get-AppLockerFileInformation Windows PowerShell cmdlet to automate the analysis.

To manually analyze AppLocker events

You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see View the AppLocker Log in Event Viewer.

To analyze AppLocker events by using Get-AppLockerFileInformation

You can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an application is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.

For both event subscriptions and local events, you can use the Get-AppLockerFileInformation cmdlet to determine which files have been blocked or would have been blocked (if you are using the Audit only enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see Review AppLocker Events with Get-AppLockerFileInformation.

After using Get-AppLockerFileInformation to determine how many times a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names.
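The following script is an added example, not part of the original guide, that carries out Steps 3 and 4 together from one Windows PowerShell session on a reference computer: it tests the installed executables against the effective policy with Test-AppLockerPolicy, then counts the Audited events per file with Get-AppLockerFileInformation. It assumes the AppLocker module is present, the Application Identity service is running, and the test GPO has applied the policy with the Audit only setting; the application directory list is a constructed placeholder.

```powershell
# Added example (not part of the original guide): run Steps 3 and 4 of the
# testing procedure from one Windows PowerShell session on a reference computer.
# Assumes the AppLocker module is present (Windows 7 / Windows Server 2008 R2),
# the Application Identity service is running, and the test GPO has applied the
# policy with the Audit only enforcement setting.
Import-Module AppLocker

# Directories holding the business group's applications (constructed list).
$appDirs = @($env:ProgramFiles)

function Get-WouldBeBlocked {
    # Step 3: evaluate every installed .exe against the policy that is in effect
    # on this computer and return only the files the policy would not allow.
    param([Parameter(Mandatory=$true)][string[]]$Directories)

    # -Effective merges the local and domain policies applied to this computer;
    # -Xml returns the result as an XML string that Test-AppLockerPolicy consumes.
    $policyXml = Join-Path $env:TEMP 'effective-applocker.xml'
    Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml

    Get-ChildItem -Path $Directories -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        Convert-Path |
        Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Filter Denied, DeniedByDefault
}

function Get-AuditedFileCounts {
    # Step 4: count how many Audited (Warning) events each file generated while
    # the collection was in Audit only mode. Each one is a block that would have
    # happened under Enforce rules.
    param([string]$LogPath = 'Microsoft-Windows-AppLocker/EXE and DLL')

    Get-AppLockerFileInformation -EventLog -LogPath $LogPath -EventType Audited |
        Group-Object -Property { [string]$_.Path } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# DeniedByDefault means no rule matched the file at all (a missing allow rule);
# Denied means an explicit deny rule or exception matched (check it is intended).
Get-WouldBeBlocked -Directories $appDirs |
    Select-Object -Property FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Most frequently audited files first: these are the first candidates for a new
# rule, or evidence that an existing rule is too strictly defined.
Get-AuditedFileCounts | Format-Table -AutoSize
```

Run it on each reference computer that receives the test GPO; the second table is the per-file count the text refers to, and a file appearing in both tables is a strong candidate for a rule change.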


Step 5: Modify the AppLocker policy

After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in. For information about how to modify an AppLocker policy, see Editing an AppLocker Policy.

Step 6: Repeat policy testing, analysis, and policy modification

Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement.

Deploying the AppLocker Policy into Production

This topic describes the tasks that should be completed before deploying AppLocker application control settings.

After successfully testing and modifying the AppLocker policy for each Group Policy object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from Audit only to Enforce rules. However, it is important to follow the deployment plan that you created earlier. For more information, see the AppLocker Policies Design Guide. Depending upon the needs of different business groups in your organization, you might be deploying different enforcement settings for linked GPOs.

Understanding your design decisions

Before deploying an AppLocker policy, you should have determined:

For each business group, which applications will be controlled and in what manner. For more information, see Create the List of Applications Deployed to Each Business Group.

How to handle requests for application access. For information about what to consider when developing your support policies, see Planning for AppLocker Policy Management.

How to manage events, including forwarding events. For information about event management in AppLocker, see Monitoring Application Usage with AppLocker.

Your GPO structure, including how to include both Software Restriction Policies (SRP) policies and AppLocker policies. For more information, see Determine Group Policy structure and rule enforcement.

For information about how AppLocker deployment is dependent upon design decisions, see Understanding AppLocker Policy Design Decisions.

AppLocker deployment methods

If you have configured a reference computer, you can create and update your AppLocker policies on this computer, test the policies, and then export the policies to the appropriate GPO for distribution. The other method is to create the policies with the enforcement setting set at Audit only and observe the events generated.

Using a Reference Computer to Create and Maintain AppLocker Policies

This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.

Deploying AppLocker Policies by Using the Enforce Rules Setting

This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to either Audit only or Enforce rules.

Deploying AppLocker Policies by Using the Enforce Rules Setting

This topic describes the steps to deploy AppLocker policies by using the enforcement setting method.

Background and prerequisites

These procedures assume that you have already deployed AppLocker policies with the enforcement set to Audit only, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.

For information about the AppLocker policy enforcement setting, see Understanding AppLocker Enforcement Settings.

For information about how to plan an AppLocker policy deployment, see AppLocker Policies Design Guide.

Step 1: Retrieve the AppLocker policy

Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test computer. For the procedure to do this, see Export an AppLocker Policy from a GPO and Import an AppLocker Policy into a GPO. For local AppLocker policies, you can update the rule or rules by using the Local Security Policy snap-in on your AppLocker reference or test computer. For the procedures to do this, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

Step 2: Alter the enforcement setting

Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see Understanding AppLocker Enforcement Settings. For the procedure to alter the enforcement setting, see Configure an AppLocker Policy for Audit Only.
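Because a collection whose enforcement is not configured still enforces any rules it contains, the setting of every collection is worth checking before switching from Audit only to Enforce rules. The following added example (not part of the original guide) exports the policy in effect on the local computer and reports each collection's EnforcementMode together with what it means in practice; it assumes the AppLocker module is present, and the export path is a constructed placeholder.

```powershell
# Added example (not part of the original guide): list the enforcement setting
# of every rule collection in an AppLocker policy and flag the case described
# above, a collection whose enforcement is not configured but which contains
# rules, because AppLocker enforces those rules. Assumes the AppLocker module
# is present; the export path below is a constructed example.
Import-Module AppLocker

function Get-CollectionEnforcement {
    param([Parameter(Mandatory=$true)][string]$XmlPolicyPath)

    # Exported policy shape:
    #   <AppLockerPolicy Version="1">
    #     <RuleCollection Type="Exe" EnforcementMode="AuditOnly"> ...rules... </RuleCollection>
    #     ...
    #   </AppLockerPolicy>
    [xml]$policy = Get-Content -Path $XmlPolicyPath

    foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
        $rules = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        $mode  = [string]$collection.EnforcementMode

        # EnforcementMode is Enabled (Enforce rules), AuditOnly or NotConfigured.
        $effect = switch ($mode) {
            'Enabled'       { 'Enforce rules' }
            'AuditOnly'     { 'Audit only: events are logged, nothing is blocked' }
            'NotConfigured' {
                if ($rules.Count -gt 0) { 'NOT CONFIGURED with rules present: the rules are enforced' }
                else                    { 'Not configured and empty: no restriction' }
            }
            default         { "Unrecognized EnforcementMode '$mode'" }
        }

        New-Object -TypeName PSObject -Property @{
            Collection      = [string]$collection.Type   # Exe, Msi, Script or Dll
            EnforcementMode = $mode
            RuleCount       = $rules.Count
            Effect          = $effect
        } | Select-Object -Property Collection, EnforcementMode, RuleCount, Effect
    }
}

# Export the policy in effect on this computer, then review each collection
# before changing the setting from Audit only to Enforce rules.
$exported = Join-Path $env:TEMP 'applocker-policy.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $exported
Get-CollectionEnforcement -XmlPolicyPath $exported | Format-Table -AutoSize
```

The same function can be pointed at a policy exported from a GPO before it is imported back, so that a collection left at NotConfigured with rules in it is caught before it reaches production.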

Step 3: Update the policy

You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more information about Advanced Group Policy Management, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).

Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.

For the procedure to update the GPO, see Import an AppLocker Policy into a GPO.

For the procedures to distribute policies for local computers by using the Local Security Policy snap-in, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

Step 4: Monitor the effect of the policy

When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's application access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see View the AppLocker Log in Event Viewer and Review AppLocker Events with Get-AppLockerFileInformation.

Using a Reference Computer to Create and Maintain AppLocker Policies

This topic describes the steps to create and maintain AppLocker policies by using a reference computer.

Background and prerequisites

An AppLocker reference computer must be configured before it can be used to create and maintain AppLocker policies. For the procedure to do this, see Configure the AppLocker Reference Computer.

An AppLocker reference computer used for AppLocker policy creation and maintenance should contain the corresponding applications for each organizational unit (OU) to mimic your production environment.

Important
The reference computer must be running one of the supported editions of Windows 7. For information about operating system requirements for AppLocker, see Requirements to Use AppLocker.

You can perform AppLocker policy testing on the reference computer, either by using the Audit only enforcement setting or Windows PowerShell cmdlets. You can also use the reference computer as part of a testing configuration that might include policies created by using Software Restriction Policies.

Step 1: Automatically generate rules on the reference computer

AppLocker allows you to automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see Run the Automatically Generate Rules Wizard.

Note
If you are running the wizard to create your first rules for a Group Policy object (GPO), you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.

Step 2: Create the default rules on the reference computer

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must run the default rules for each rule collection. For information about default rules and considerations when using them, see Understanding AppLocker Default Rules. For the procedure to create default rules, see Create AppLocker Default Rules.

Important
You can use the default rules as a template when creating your own rules to allow files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.

Step 3: Modify rules and the rule collection on the reference computer

If AppLocker policies are currently in your production environment, export the policy from the corresponding GPO and save it to the reference computer. For the procedure to do this, see Export an AppLocker Policy from a GPO. If no AppLocker policies have been deployed, then create the rules and develop the policies by using the following procedures:

Create a Rule that Uses a Publisher Condition

Create a Rule that Uses a File Hash Condition

Create a Rule that Uses a Path Condition

Edit AppLocker Rules

Configure Exceptions for an AppLocker Rule

Delete an AppLocker Rule

Enable the DLL Rule Collection

Enforce AppLocker Rules

Step 4: Test and update the policy on the reference computer

You should test each set of rules to ensure that they perform as intended. The Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference computer. Perform the steps on each reference computer that you used to define the AppLocker policy. Ensure that the reference computer is joined to the domain and is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. Use the following procedures to complete this step:

Test an AppLocker Policy with Test-AppLockerPolicy

Discover the Effect of an AppLocker Policy

Caution
If you have set the enforcement setting on the rule collection to Enforce rules or have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to Audit only, then application access events are written to the AppLocker log and the policy will not take effect.

Step 5: Export and import the policy into production

When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and once again checked for its intended effectiveness. To do this, perform the following procedures:

Export an AppLocker Policy to an XML File

Import an AppLocker Policy into a GPO or Import an AppLocker Policy onto Another Computer

Discover the Effect of an AppLocker Policy

If the AppLocker policy enforcement setting is Audit only and you are satisfied that the policy is fulfilling your intent, you can change it to Enforce rules. For information about how to change the enforcement setting, see Configure an AppLocker Policy for Enforce Rules.

Step 6: Monitor the effect of the policy in production

If additional refinements or updates are necessary after a policy is deployed, use the appropriate procedures below to monitor and update the policy:

Discover the Effect of an AppLocker Policy

Review AppLocker Events with Get-AppLockerFileInformation

Editing an AppLocker Policy

Refresh an AppLocker Policy

Determine Which Applications Are Digitally Signed on a Reference Computer

This topic describes how to use AppLocker logs and tools to determine which applications are digitally signed.

The Windows PowerShell cmdlet Get-AppLockerFileInformation can be used to determine which applications installed on your reference computers are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The computer does not need to be joined to the domain.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To determine which applications are digitally signed on a reference computer

1. From the command line on the reference computer, run Get-AppLockerFileInformation with the appropriate parameters.

The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.

2. Analyze the publisher's name and digital signature status from the output of the command.

For command parameters, syntax, and examples, see Get-AppLockerFileInformation.
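The following added example (not part of the original guide) performs the two steps above as one function: it collects file information for the executables and DLLs under an application directory and separates the files that carry publisher information from those that do not, since only the former can be covered by publisher rules. It assumes the AppLocker module is present; the application directory is a constructed placeholder.

```powershell
# Added example (not part of the original guide): inventory the executables
# and DLLs under an application directory on the reference computer with
# Get-AppLockerFileInformation and separate signed files from unsigned ones.
# Unsigned files have no Publisher information, so they cannot be covered by a
# publisher rule and need a hash rule (or, less preferably, a path rule).
# The directory is a constructed example; point it at the business group's applications.
Import-Module AppLocker

function Get-SignatureInventory {
    param([Parameter(Mandatory=$true)][string]$Directory)

    # File information for every .exe and .dll below the directory.
    $files = Get-AppLockerFileInformation -Directory $Directory -Recurse -FileType Exe, Dll

    $signed   = @($files | Where-Object { $_.Publisher -ne $null })
    $unsigned = @($files | Where-Object { $_.Publisher -eq $null })

    # Publisher rules are keyed on publisher, product and binary name, so a
    # per-publisher summary shows how few rules could cover the signed set.
    $byPublisher = $signed |
        Group-Object -Property { $_.Publisher.PublisherName } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name

    New-Object -TypeName PSObject -Property @{
        Directory     = $Directory
        SignedCount   = $signed.Count
        UnsignedCount = $unsigned.Count
        Publishers    = $byPublisher
        # Candidates for hash rules: the unsigned files, listed by path.
        UnsignedPaths = @($unsigned | ForEach-Object { [string]$_.Path })
    }
}

$inventory = Get-SignatureInventory -Directory "$env:ProgramFiles\Contoso App"
'Signed: {0}  Unsigned: {1}' -f $inventory.SignedCount, $inventory.UnsignedCount
$inventory.Publishers | Format-Table -AutoSize
$inventory.UnsignedPaths
```

Running it once per business group directory gives the signature status the planning document needs before the rule condition types are chosen.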

Configure the AppLocker Reference Computer

This topic describes steps to create an AppLocker policy platform structure on a reference computer running Windows 7.

An AppLocker reference computer used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference computer, you can:

Maintain an application list for each business group.

Develop AppLocker policies by either creating individual rules or creating a policy by automatically generating rules.

Create the default rules to allow the Windows system files to run properly.

Run tests and analyze the event logs to determine the effect of the policies you intend to deploy.

The reference computer does not need to be joined to a domain but must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows 7. For information about the supported editions, see Requirements to Use AppLocker.

To configure a reference computer

1. If the operating system is not already installed, install one of the supported editions of Windows 7 on the computer.

Note
If you use another computer to test your implementation of AppLocker policies by using Group Policy, you can export the policies to the other computer on which the Group Policy Management Console (GPMC) is installed.

2. Configure the administrator account.

To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have delegated privileges to use Group Policy to update a Group Policy object (GPO).

3. Install all applications that run in the targeted business group or OU by using the same directory structure.

The reference computer should be configured to mimic the structure of your production environment. It is dependent upon the same applications in the same directories as they are in production in order to accurately create the rules.

4. Import the AppLocker Windows PowerShell cmdlet module.

To use the AppLocker cmdlets, you must first import the AppLocker module by using the following command at the Windows PowerShell command prompt: C:\PS> Import-Module AppLocker. Scripting must be enabled on the computer. For information about Windows PowerShell, see the Windows PowerShell Help file (WindowsPowerShellHelp.chm). For information about using the cmdlets, see Using the AppLocker Windows PowerShell Cmdlets.

Additional resources

After you configure the reference computer, you can create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see AppLocker Rule Procedures.

Maintaining AppLocker Policies

This topic describes how to maintain rules within AppLocker policies.

Common AppLocker maintenance scenarios include:

A new application is deployed, and you need to update an AppLocker policy.

A new version of an application is deployed, and you need to either update an AppLocker policy or create a new rule to update the policy.

An application is no longer supported by your organization, so you need to prevent it from being used.

An application appears to be blocked but should be allowed.

An application appears to be allowed but should be blocked.

A single user or small subset of users needs to use a specific application that is blocked.

There are two methods you can use to maintain AppLocker policies:

Maintaining AppLocker policies by using Group Policy

Maintaining AppLocker policies by using the Local Security Policy snap-in

As new applications are deployed or existing applications are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy object (GPO) to ensure that your policy is current.

You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs, such as Microsoft Advanced Group Policy Management (AGPM). For more information about AGPM, see Advanced Group Policy Management Overview (http://go.microsoft.com/fwlink/?LinkId=145013).

Caution
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.

Maintaining AppLocker policies by using Group Policy

For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.

Step 1: Understand the current behavior of the policy

Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use Test-AppLockerPolicy to verify the effectiveness of your current policy for that application. To read the procedures necessary to understand the current behavior of the policy, see Discovering the Effect of an AppLocker Policy. Updating your AppLocker planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document.

For information about Test-AppLockerPolicy and examples of how to use it, see Test-AppLockerPolicy (http://go.microsoft.com/fwlink/?LinkId=169000).

Step 2: Export the AppLocker policy from the GPO

Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Therefore, export the policy from the GPO and update the rule or rules by using AppLocker on your AppLocker reference or test computer. To prepare an AppLocker policy for modification, see Export an AppLocker Policy from a GPO.

Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule

After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required.

To modify AppLocker rules, see the following:

Edit AppLocker Rules

Merge AppLocker Policies by Using Set-AppLockerPolicy or Merge AppLocker Policies Manually

Delete an AppLocker Rule

Enforce AppLocker Rules
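As an added example (not part of the original guide), the following script walks the Group Policy maintenance steps for the scenario in which a new version of an application is deployed: it exports the policy from the GPO, tests the new binary against it, generates a rule when the policy would block it, checks that rule, and merges it into the GPO with Set-AppLockerPolicy. It assumes the AppLocker module and write permission on the GPO; the LDAP path, user group and file path are constructed placeholders.

```powershell
# Added example (not part of the original guide): the Group Policy maintenance
# loop for the scenario "a new version of an application is deployed". It exports
# the policy from the GPO (Step 2), tests the new binary against it (Step 1),
# generates a rule for it when the policy would block it and checks that rule
# (Steps 3 and 4), and merges the rule into the GPO (Step 5). Assumes the
# AppLocker module and GPO write permission; the LDAP path, group and file
# path are constructed placeholders to replace with your own.
Import-Module AppLocker

# Placeholder GPO distinguished name in the form Get-AppLockerPolicy -Ldap expects.
$gpoLdap   = 'LDAP://dc01.contoso.com/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=contoso,DC=com'
$newBinary = "$env:ProgramFiles\Contoso App\ContosoApp.exe"   # constructed path
$userGroup = 'CONTOSO\Finance Users'                           # constructed group
$workDir   = Join-Path $env:TEMP 'applocker-maintenance'
New-Item -Path $workDir -ItemType Directory -Force | Out-Null

function Test-Decision {
    # Returns the AppLocker decision (FilePath, PolicyDecision, MatchingRule)
    # for one file evaluated against one exported policy file.
    param([string]$PolicyXml, [string]$FilePath, [string]$User)
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $FilePath -User $User
}

# Step 2: work on an exported copy of the GPO policy, never on the live GPO.
$gpoPolicy = Join-Path $workDir 'gpo-policy.xml'
Get-AppLockerPolicy -Domain -Ldap $gpoLdap -Xml | Set-Content -Path $gpoPolicy

# Step 1: how does the current policy treat the new version?
$before = Test-Decision -PolicyXml $gpoPolicy -FilePath $newBinary -User $userGroup
'{0}: {1} (matching rule: {2})' -f $before.FilePath, $before.PolicyDecision, $before.MatchingRule

if (@('Denied', 'DeniedByDefault') -contains [string]$before.PolicyDecision) {
    # Step 3: prefer a publisher rule, which keeps allowing later signed
    # versions; listing Hash second makes New-AppLockerPolicy fall back to a
    # hash rule only if the file is unsigned. -Optimize merges rules that share
    # a publisher and product.
    $newRule = Join-Path $workDir 'new-rule.xml'
    Get-AppLockerFileInformation -Path $newBinary |
        New-AppLockerPolicy -RuleType Publisher, Hash -User $userGroup `
            -RuleNamePrefix 'Maintenance' -Optimize -Xml |
        Set-Content -Path $newRule

    # Step 4 (local check): the generated rule on its own must allow the file.
    # The merged policy is then tested in the test GPO with Audit only, as in
    # Testing and Updating an AppLocker Policy, before enforcement.
    $after = Test-Decision -PolicyXml $newRule -FilePath $newBinary -User $userGroup
    if ([string]$after.PolicyDecision -ne 'Allowed') {
        throw "Generated rule does not allow $newBinary ($($after.PolicyDecision))"
    }

    # Step 5: -Merge adds the new rule to the GPO's existing rules instead of
    # replacing the whole policy, so the rest of the collection is unchanged.
    Set-AppLockerPolicy -XmlPolicy $newRule -Ldap $gpoLdap -Merge
}
```

Point $gpoLdap at the test GPO first; only after the Audit only results are reviewed should the same merge be run against the production GPO.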

Step 4: Test the AppLocker policy

You should test each collection of rules to ensure that the rules perform as intended. (Because AppLocker rules are inherited from linked GPOs, you should deploy all rules for simultaneous testing in all test GPOs.) For steps to perform this testing, see Testing and Updating an AppLocker Policy.

Step 5: Import the AppLocker policy into the GPO

After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see Import an AppLocker Policy into a GPO.

Step 6: Monitor the resulting policy behavior

After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new behavior of the policy, see Discovering the Effect of an AppLocker Policy.

Maintaining AppLocker policies by using the Local Security Policy snap-in

For every scenario, the steps to maintain an AppLocker policy distributed by using the Local Security Policy snap-in include the following tasks.

Step 1: Understand the current behavior of the policy

Before modifying a policy, evaluate how the policy is currently implemented. To read the procedures necessary to understand the current behavior of the policy, see Discovering the Effect of an AppLocker Policy. Updating your AppLocker planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document.

Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule

Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed.

To modify AppLocker rules, see the appropriate topic in the AppLocker Rule Procedures collection.

Step 3: Test the AppLocker policy

You should test each collection of rules to ensure that the rules perform as intended. For steps to perform this testing, see Testing and Updating an AppLocker Policy.

Step 4: Deploy the policy with the modified rule

You can export and then import AppLocker policies to deploy the policy to other computers running Windows 7 or Windows Server 2008 R2. To perform this task, see Export an AppLocker Policy to an XML File and Import an AppLocker Policy from Another Computer.

Step 5: Monitor the resulting policy behavior

After deploying a policy, evaluate the policy's effectiveness. For steps to understand the new behavior of the policy, see Discovering the Effect of an AppLocker Policy.

Additional resources

For steps to perform other AppLocker policy tasks, see Administering AppLocker.