Using a Reference Computer to Create and Maintain AppLocker Policies

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes the steps to create and maintain AppLocker policies by using a reference computer.

Background and prerequisites

An AppLocker reference computer must be configured before it can be used to create and maintain AppLocker policies. For the procedure to do this, see Configure the AppLocker Reference Computer.

An AppLocker reference computer used for AppLocker policy creation and maintenance should contain the corresponding applications for each organizational unit (OU) to mimic your production environment.

Important

The reference computer must be running one of the supported editions of Windows 7 or Windows 8. For information about operating system requirements for AppLocker, see Requirements to Use AppLocker.

You can perform AppLocker policy testing on the reference computer, either by using the Audit only enforcement setting or Windows PowerShell cmdlets. You can also use the reference computer as part of a testing configuration that might include policies created by using Software Restriction Policies.

Step 1: Automatically generate rules on the reference computer

AppLocker allows you to automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see:

Note

If you are running the wizard to create your first rules for a Group Policy Object (GPO), you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.
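The scripted equivalent of the rule-generation wizard, as an added example that is not from the original article: it scans a reference application folder, prefers publisher rules over hash rules, saves the result, and lists the unsigned files that will need maintenance. The folder and output paths are placeholders.

```powershell
# Added example (not part of the original article): generate AppLocker rules
# for everything under a reference application folder, the scripted
# equivalent of the "Automatically Generate Rules" wizard. The folder and
# output paths are placeholders; 'Everyone' is the wizard's default account.
$RefFolder = 'C:\RefApps'                         # placeholder: apps for this OU
$OutputXml = 'C:\AppLockerPolicies\ref-rules.xml' # placeholder output path

# Collect publisher, hash and path information for each file, the same
# condition types the wizard offers. Include Dll only if the DLL rule
# collection will actually be enforced; otherwise the rule set balloons.
$fileInfo = Get-AppLockerFileInformation -Directory $RefFolder -Recurse `
    -FileType Exe, Script, WindowsInstaller

# -RuleType is an ordered preference: signed files get publisher rules
# (they survive version updates), unsigned files fall back to hash rules.
# -Optimize collapses rules that share a publisher into a single rule.
$xml = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'RefApps' `
    -Optimize -Xml

New-Item -ItemType Directory -Path (Split-Path $OutputXml) -Force | Out-Null
$xml | Out-File -FilePath $OutputXml -Encoding Unicode

# Summarize what was produced. Hash rules are the maintenance burden: each
# one must be regenerated whenever the corresponding file is updated.
$doc = [xml]$xml
[pscustomobject]@{
    PublisherRules = $doc.SelectNodes('//FilePublisherRule').Count
    HashRules      = $doc.SelectNodes('//FileHashRule').Count
    PathRules      = $doc.SelectNodes('//FilePathRule').Count
}

# List the unsigned files behind the hash rules so they can be flagged for
# signing or for a narrow path rule before the policy reaches production.
$fileInfo | Where-Object { -not $_.Publisher } |
    Select-Object -ExpandProperty Path
```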

Step 2: Create the default rules on the reference computer

AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You must create the default rules for each rule collection. For information about default rules and considerations when using them, see Understanding AppLocker Default Rules. For the procedure to create default rules, see:

Important

You can use the default rules as a template when creating your own rules to allow files within the Windows directory to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules.

Step 3: Modify rules and the rule collection on the reference computer

If AppLocker policies are currently in your production environment, export the policy from the corresponding GPO and save it to the reference computer. For the procedure to do this, see:

If no AppLocker policies have been deployed, then create the rules and develop the policies by using the following procedures:

Step 4: Test and update the policy on the reference computer

You should test each set of rules to ensure that they perform as intended. The Test-AppLockerPolicy Windows PowerShell cmdlet can be used to determine which files the rules in your rule collection would block on your reference computer. Perform the steps on each reference computer that you used to define the AppLocker policy. Ensure that the reference computer is joined to the domain and is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs. Use the following procedures to complete this step:

Warning

If you have set the enforcement setting on the rule collection to Enforce rules or have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to Audit only, then application access events are written to the AppLocker log and the policy will not take effect.

Step 5: Export and import the policy into production

When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and once again checked for its intended effectiveness. To do this, perform the following procedures:

If the AppLocker policy enforcement setting is Audit only and you are satisfied that the policy is fulfilling your intent, you can change it to Enforce rules. For information about how to change the enforcement setting, see:
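Steps 4 and 5 as one script, added here and not part of the original article: it tests the effective policy the reference computer receives from Group Policy, stops if anything would be blocked, and otherwise exports the local policy, checks each rule collection's enforcement mode against the warning in Step 4, and merges the policy into the production GPO. The test account, export path and GPO LDAP path are placeholders.

```powershell
# Added example (not part of the original article): test the policy the
# reference computer actually receives, then export it and import it into
# the production GPO only if nothing unexpected is blocked.
# Placeholders: the test account, the export path and the GPO LDAP path.
$TestUser  = 'CONTOSO\ReferenceUser'                   # placeholder account
$ExportXml = 'C:\AppLockerPolicies\tested-policy.xml'  # placeholder path
$GpoLdap   = 'LDAP://DC1.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'

# Files a user launches from the reference application folders and from the
# Windows directory; the default rules are expected to cover the latter.
$testPaths = 'C:\RefApps\*.exe', 'C:\Windows\*.exe', 'C:\Windows\System32\*.exe'

# The effective policy is the merge of every linked GPO plus the local
# policy, i.e. what the user will get. Keep only outcomes that block: an
# explicit deny rule, or no matching rule at all (DeniedByDefault).
$blocked = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $testPaths -User $TestUser -Filter Denied, DeniedByDefault

if ($blocked) {
    Write-Warning "$(@($blocked).Count) file(s) would be blocked; fix the rules before exporting."
    $blocked | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
    return
}

# Step 5: export the tested local policy and check its enforcement modes.
# A collection left NotConfigured or set to Enabled enforces as soon as the
# GPO refreshes; only AuditOnly limits the effect to event-log entries.
Get-AppLockerPolicy -Local -Xml | Out-File -FilePath $ExportXml -Encoding Unicode
$modes = ([xml](Get-Content $ExportXml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode
$modes | Format-Table -AutoSize
if ($modes | Where-Object { $_.EnforcementMode -ne 'AuditOnly' }) {
    Write-Warning 'Some rule collections will enforce, not audit, once the GPO is updated.'
}

# Import into the production GPO, merging with the rules already there
# rather than replacing them.
Set-AppLockerPolicy -XmlPolicy $ExportXml -Ldap $GpoLdap -Merge
```

A rule collection that is absent from the exported XML is not listed by the enforcement-mode check, so confirm that every collection you intend to control appears in the table.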

Step 6: Monitor the effect of the policy in production

If additional refinements or updates are necessary after a policy is deployed, use the appropriate procedures below to monitor and update the policy:
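One monitoring loop for a policy deployed in Audit only mode, added here and not part of the original article: it reads the AppLocker audit events (the files that would have been blocked), prints them for review, generates candidate rules for them, and merges the reviewed candidates into the reference computer's local policy so the Step 4 tests can be rerun. The output path is a placeholder.

```powershell
# Added example (not part of the original article): harvest AppLocker audit
# events from a computer running the policy in Audit only mode and turn the
# files that would have been blocked into candidate rules for review.
$CandidateXml = 'C:\AppLockerPolicies\candidate-rules.xml'   # placeholder path

# In Audit only mode AppLocker logs event ID 8003 ("would have been
# prevented") to the EXE and DLL log; -EventType Audited selects those
# events and the cmdlet parses each into file information.
$audited = Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited

if (-not $audited) {
    Write-Host 'No audited events: the policy matches observed usage.'
    return
}

# Review before trusting: an unexpected path here is either a missing rule
# or a program that should stay blocked when enforcement is switched on.
$audited | Select-Object Path, Publisher | Format-Table -AutoSize

# Candidate rules for the audited files (publisher preferred, hash fallback).
New-AppLockerPolicy -FileInformation $audited -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Audit' -Optimize -Xml |
    Out-File -FilePath $CandidateXml -Encoding Unicode

# After review, merge the candidates into the reference computer's local
# policy; rerun the Step 4 tests before exporting to the GPO again.
Set-AppLockerPolicy -XmlPolicy $CandidateXml -Merge
```

Repeat with the "MSI and Script" log to cover installers and scripts; those events use different IDs but the same -EventType Audited filter.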

See Also

Concepts

Deploying the AppLocker Policy into Production