mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-20 21:03:42 +00:00
from master
This commit is contained in:
Joey Caparas
@ -13,7 +13,7 @@ ms.date: 09/21/2017
|
||||
# Administer AppLocker
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
|
||||
@ -65,6 +65,6 @@ You must have Edit Setting permission to edit a GPO. By default, members of the
|
||||
|
||||
## Using Windows PowerShell to administer AppLocker
|
||||
|
||||
For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](http://technet.microsoft.com/library/hh847210.aspx).
|
||||
For how-to info about administering AppLocker with Windows PowerShell, see [Use the AppLocker Windows PowerShell Cmdlets](use-the-applocker-windows-powershell-cmdlets.md). For reference info and examples how to administer AppLocker with Windows PowerShell, see the [AppLocker cmdlets](https://technet.microsoft.com/library/hh847210.aspx).
|
||||
|
||||
|
||||
|
||||
@ -13,7 +13,7 @@ ms.date: 09/21/2017
|
||||
# Determine which apps are digitally signed on a reference device
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed.
|
||||
@ -29,7 +29,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
|
||||
|
||||
2. Analyze the publisher's name and digital signature status from the output of the command.
|
||||
|
||||
For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](http://technet.microsoft.com/library/ee460961.aspx).
|
||||
For command parameters, syntax, and examples, see [Get-AppLockerFileInformation](https://technet.microsoft.com/library/ee460961.aspx).
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -13,14 +13,14 @@ ms.date: 09/21/2017
|
||||
# Manage packaged apps with AppLocker
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
|
||||
|
||||
## Understanding Packaged apps and Packaged app installers for AppLocker
|
||||
|
||||
Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity.
|
||||
Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity.
|
||||
With packaged apps, it is possible to control the entire app by using a single AppLocker rule.
|
||||
|
||||
>**Note:** AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.
|
||||
@ -29,7 +29,7 @@ Typically, an app consists of multiple components: the installer that is used to
|
||||
|
||||
### <a href="" id="bkmk-compareclassicmetro"></a>Comparing classic Windows apps and packaged apps
|
||||
|
||||
AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server
|
||||
AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server
|
||||
2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
|
||||
|
||||
- **Installing the apps** All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps.
|
||||
@ -48,7 +48,7 @@ You can use two methods to create an inventory of packaged apps on a computer: t
|
||||
|
||||
>**Note:** Not all packaged apps are listed in AppLocker’s application inventory wizard. Certain app packages are framework packages that are leveraged by other apps. By themselves, these packages cannot do anything, but blocking such packages can inadvertently cause failure for apps that you want to allow. Instead, you can create Allow or Deny rules for the packaged apps that use these framework packages. The AppLocker user interface deliberately filters out all the packages that are registered as framework packages. For info about how to create an inventory list, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
|
||||
|
||||
For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](http://technet.microsoft.com/library/hh847210.aspx).
|
||||
For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see the [AppLocker PowerShell Command Reference](https://technet.microsoft.com/library/hh847210.aspx).
|
||||
|
||||
For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
|
||||
|
||||
@ -56,7 +56,7 @@ Consider the following info when you are designing and deploying apps:
|
||||
|
||||
- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary.
|
||||
- You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules.
|
||||
- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or
|
||||
- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or
|
||||
Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design.
|
||||
|
||||
To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection.
|
||||
@ -67,7 +67,7 @@ Just as there are differences in managing each rule collection, you need to mana
|
||||
|
||||
1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md).
|
||||
|
||||
2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](http://technet.microsoft.com/library/ee460941(WS.10).aspx).
|
||||
2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Packaged Apps Default Rules in AppLocker](https://technet.microsoft.com/library/ee460941(WS.10).aspx).
|
||||
|
||||
3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md).
|
||||
|
||||
|
||||
@ -13,14 +13,14 @@ ms.date: 09/21/2017
|
||||
# Merge AppLocker policies by using Set-ApplockerPolicy
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell.
|
||||
|
||||
The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy.
|
||||
|
||||
For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx).
|
||||
For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](https://technet.microsoft.com/library/hh847212.aspx).
|
||||
|
||||
For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md).
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ ms.date: 09/21/2017
|
||||
# Requirements to use AppLocker
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.
|
||||
@ -35,21 +35,21 @@ The following table show the on which operating systems AppLocker features are s
|
||||
|
||||
| Version | Can be configured | Can be enforced | Available rules | Notes |
|
||||
| - | - | - | - | - |
|
||||
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
|
||||
| Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
|
||||
| Windows 10| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| You can use the [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
|
||||
| Windows Server 2016<br/>Windows Server 2012 R2<br/>Windows Server 2012| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
|
||||
| Windows 8.1 Pro| Yes| No| N/A||
|
||||
| Windows 8.1 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
|
||||
| Windows RT 8.1| No| No| N/A||
|
||||
| Windows 8.1 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL| |
|
||||
| Windows RT 8.1| No| No| N/A||
|
||||
| Windows 8 Pro| Yes| No| N/A||
|
||||
| Windows 8 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL||
|
||||
| Windows RT| No| No| N/A| |
|
||||
| Windows 8 Enterprise| Yes| Yes| Packaged apps<br/>Executable<br/>Windows Installer<br/>Script<br/>DLL||
|
||||
| Windows RT| No| No| N/A| |
|
||||
| Windows Server 2008 R2 Standard| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows Server 2008 R2 Enterprise|Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows Server 2008 R2 Datacenter| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows Server 2008 R2 for Itanium-Based Systems| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows 7 Ultimate| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows 7 Professional| Yes| No| Executable<br/>Windows Installer<br/>Script<br/>DLL| No AppLocker rules are enforced.|
|
||||
| Windows 7 Enterprise| Yes| Yes| Executable<br/>Windows Installer<br/>Script<br/>DLL| Packaged app rules will not be enforced.|
|
||||
| Windows 7 Professional| Yes| No| Executable<br/>Windows Installer<br/>Script<br/>DLL| No AppLocker rules are enforced.|
|
||||
|
||||
|
||||
AppLocker is not supported on versions of the Windows operating system not listed above. Software Restriction Policies can be used with those versions. However, the SRP Basic User feature is not supported on the above operating systems.
|
||||
|
||||
@ -13,19 +13,19 @@ ms.date: 09/21/2017
|
||||
# Security considerations for AppLocker
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for the IT professional describes the security considerations you need to address when implementing AppLocker.
|
||||
|
||||
The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for
|
||||
The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for
|
||||
AppLocker:
|
||||
|
||||
AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions.
|
||||
|
||||
AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer.
|
||||
|
||||
Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/ee460962.aspx).
|
||||
Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/ee460962.aspx).
|
||||
|
||||
AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy.
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ ms.date: 09/21/2017
|
||||
# Use a reference device to create and maintain AppLocker policies
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
|
||||
@ -58,8 +58,8 @@ If AppLocker policies are currently running in your production environment, expo
|
||||
|
||||
You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step:
|
||||
|
||||
- [Test an AppLocker Policy with Test-AppLockerPolicy](http://technet.microsoft.com/library/ee791772(WS.10).aspx)
|
||||
- [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx)
|
||||
- [Test an AppLocker Policy with Test-AppLockerPolicy](https://technet.microsoft.com/library/ee791772(WS.10).aspx)
|
||||
- [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx)
|
||||
|
||||
>**Caution:** If you have set the enforcement setting on the rule collection to **Enforce rules** or you have not configured the rule collection, the policy will be implemented when the GPO is updated in the next step. If you have set the enforcement setting on the rule collection to **Audit only**, application access events are written to the AppLocker log, and the policy will not take effect.
|
||||
|
||||
@ -69,7 +69,7 @@ When the AppLocker policy has been tested successfully, it can be imported into
|
||||
|
||||
- [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
|
||||
- [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or
|
||||
- [Discover the Effect of an AppLocker Policy](http://technet.microsoft.com/library/ee791823(WS.10).aspx)
|
||||
- [Discover the Effect of an AppLocker Policy](https://technet.microsoft.com/library/ee791823(WS.10).aspx)
|
||||
|
||||
If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md).
|
||||
|
||||
|
||||
@ -13,41 +13,41 @@ ms.date: 09/21/2017
|
||||
# Use the AppLocker Windows PowerShell cmdlets
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
|
||||
|
||||
## AppLocker Windows PowerShell cmdlets
|
||||
|
||||
The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the
|
||||
The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the
|
||||
Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console.
|
||||
|
||||
To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the
|
||||
To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the
|
||||
Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer.
|
||||
|
||||
### Retrieve application information
|
||||
|
||||
The [Get-AppLockerFileInformation](http://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
|
||||
The [Get-AppLockerFileInformation](https://technet.microsoft.com/library/hh847209.aspx) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
|
||||
|
||||
File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
|
||||
|
||||
### Set AppLocker policy
|
||||
|
||||
The [Set-AppLockerPolicy](http://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
|
||||
The [Set-AppLockerPolicy](https://technet.microsoft.com/library/hh847212.aspx) cmdlet sets the specified GPO to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default.
|
||||
|
||||
### Retrieve an AppLocker policy
|
||||
|
||||
The [Get-AppLockerPolicy](http://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
|
||||
The [Get-AppLockerPolicy](https://technet.microsoft.com/library/hh847214.aspx) cmdlet gets the AppLocker policy from the local GPO, from a specified GPO, or from the effective AppLocker policy on the device. The output of the AppLocker policy is an AppLockerPolicy object or an XML-formatted string.
|
||||
|
||||
### Generate rules for a given user or group
|
||||
|
||||
The [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the
|
||||
The [New-AppLockerPolicy](https://technet.microsoft.com/library/hh847211.aspx) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the
|
||||
list of file information.
|
||||
|
||||
### Test the AppLocker Policy against a file set
|
||||
|
||||
The [Test-AppLockerPolicy](http://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
|
||||
The [Test-AppLockerPolicy](https://technet.microsoft.com/library/hh847213.aspx) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user.
|
||||
|
||||
## Additional resources
|
||||
|
||||
|
||||
Reference in New Issue
Block a user