diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index d666189bcf..6b215db613 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -4560,6 +4560,11 @@ "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings", "redirect_document_id": false }, + { + "source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md", + "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-technical-reference", diff --git a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml index 10c18ae319..c2302c6e47 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml +++ b/windows/security/application-security/application-control/windows-defender-application-control/TOC.yml @@ -309,5 +309,3 @@ items: - name: Using Event Viewer with AppLocker href: applocker\using-event-viewer-with-applocker.md - - name: AppLocker Settings - href: applocker\applocker-settings.md 
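Review bot: the new redirection entry creates a redirect chain. The entry directly above it in this hunk already has `"redirect_url": ".../applocker/applocker-settings"`, and the new entry now forwards `applocker-settings.md` on to `.../applocker/applocker-overview`, so whatever source path the earlier entry covers resolves in two hops. Retarget that existing entry to `/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview` in the same change so both land directly on the overview, and confirm `applocker-overview` is the right destination for a page that was a settings/registry reference rather than `applocker-technical-reference`.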
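Review bot: the TOC hunk removes the `AppLocker Settings` node but the diff doesn't touch any page that links to `applocker-settings.md`. The deleted article linked to `applocker-technical-reference.md` under Related topics, and that reference page is the usual place for the reciprocal link; grep the applocker folder for `applocker-settings` and drop or retarget any relative links, since in-repo relative links don't go through the redirection file and will fail the build.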
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md deleted file mode 100644 index 956c1904a8..0000000000 --- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-settings.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: AppLocker settings -description: This topic for the IT professional lists the settings used by AppLocker. -ms.localizationpriority: medium -ms.topic: conceptual -ms.date: 09/21/2017 ---- - -# AppLocker settings - ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - -This topic for the IT professional lists the settings used by AppLocker. - -The following table describes the settings and values used by AppLocker. - -| Setting | Value | -| - | - | -| Registry path | Policies are stored in **HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2** | -| Firewall ports | Not applicable | -| Security policies | Custom created, no default | -| Group Policy settings | Custom created, no default | -| Network ports | Not applicable | -| Service accounts | Not applicable | -| Performance counters | Not applicable | - -## Related topics - -- [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index a683153f73..38354ddb98 100644 
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/tools-to-use-with-applocker.md 
@@ -1,50 +1,47 @@ --- title: Tools to use with AppLocker -description: This topic for the IT professional describes the tools available to create and administer AppLocker policies. +description: This article for the IT professional describes the tools available to create and administer AppLocker policies. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 12/23/2023 --- # Tools to use with AppLocker ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - -This topic for the IT professional describes the tools available to create and administer AppLocker policies. +This article for the IT professional describes the tools available to create and administer AppLocker policies. The following tools can help you administer the application control policies created by using AppLocker on the local device or by using Group Policy. For info about the basic requirements for using AppLocker, see [Requirements to use AppLocker](requirements-to-use-applocker.md). -- **AppLocker Local Security Policy MMC snap-in** +- **AppLocker Local Security Policy MMC snap-in** The AppLocker rules can be maintained by using the Local Security Policy snap-in (secpol.msc) of the Microsoft Management Console (MMC). For procedures to create, modify, and delete AppLocker rules, see [Working with AppLocker rules](working-with-applocker-rules.md). -- **Generate Default Rules tool** +- **Generate Default Rules tool** AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. 
For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules). -- **Automatically Generate AppLocker Rules wizard** +- **Automatically Generate AppLocker Rules wizard** - By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard will scan the specified folder and create the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). + By using the Local Security Policy snap-in, you can automatically generate rules for all files within a folder. The wizard scans the specified folder and creates the condition types that you choose for each file in that folder. For info about how to use this wizard, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). -- **Group Policy** +- **Group Policy** You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). If you want more features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. -- **Remote Server Administration Tools (RSAT)** +- **Remote Server Administration Tools (RSAT)** You can use a device with a supported operating system that has the Remote Server Administration Tools (RSAT) installed to create and maintain AppLocker policies. -- **Event Viewer** +- **Event Viewer** - The AppLocker log contains information about applications that are affected by AppLocker rules. 
For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). + The AppLocker log contains information about applications affected by AppLocker rules. For info about using Event Viewer to review the AppLocker logs, see [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md), and [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). -- **AppLocker PowerShell cmdlets** +- **AppLocker PowerShell cmdlets** - The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](/powershell/module/applocker/). + The AppLocker Windows PowerShell cmdlets are designed to streamline the administration of AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used with the AppLocker user interface that is accessed through the Local Security Policy snap-in and the GPMC. For information about the cmdlets, see the [AppLocker PowerShell Command Reference](/powershell/module/applocker/). -## Related topics +## Related articles - [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index f237a5b23c..19b2256345 100644 
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -3,17 +3,16 @@ title: Using Event Viewer with AppLocker description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker. ms.localizationpriority: medium ms.topic: conceptual -ms.date: 02/02/2023 +ms.date: 12/23/2023 --- + + # Using Event Viewer with AppLocker ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). - This article lists AppLocker events and describes how to use Event Viewer with AppLocker. -The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information: +The AppLocker log contains information about applications affected by AppLocker rules. Each event in the log contains details such as the following information: - Which file is affected and the path of that file - Which packaged app is affected and the package identifier of the app 
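Review bot: the front-matter hunk adds two blank lines between the closing `---` and `# Using Event Viewer with AppLocker` (`--- + + # Using Event Viewer with AppLocker`); one blank line is the convention on the sibling page in this same diff, so drop one of the added lines. The ms.date bump and the removal of the feature-availability note mirror the tools page; as there, removing the note leaves no pointer to edition support even though the table further down still documents event 8008 (`AppLocker component not available on this SKU`), so consider keeping a one-line caveat with a current link.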
@@ -22,53 +21,52 @@ The AppLocker log contains information about applications that are affected by A - The rule name - The security identifier (SID) for the user or group identified in the rule -Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`). +Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to nonstandard locations, such as the root of the active drive (for example, `%SystemDrive%`). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). > [!NOTE] > The AppLocker event logs are very verbose and can result in a large number of events depending on the policies deployed, particularly in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether. -**To review the AppLocker log in Event Viewer** +## Review the AppLocker logs in Windows Event Viewer 1. Open Event Viewer. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. -The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. +The following table contains information about the events that you can use to determine the apps affected by AppLocker rules. | Event ID | Level | Event message | Description | | --- | --- | --- | --- | -| 8000 | Error| AppID policy conversion failed. 
Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| -| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| -| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was prevented from running.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| -| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was prevented from running.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The script or .msi file can't run.| -| 8008| Warning| *<File name> *: AppLocker component not available on this SKU.| Added in Windows Server 2012 and Windows 8.| -| 8020| Information| *<File name> * was allowed to run.| Added in Windows Server 2012 and Windows 8.| -| 8021| Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| -| 8022| Error| *<File name> * was prevented from running.| Added in Windows Server 2012 and Windows 8.| -| 8023 | Information| *<File name> * was allowed to be installed.| Added in Windows Server 2012 and Windows 8.| -| 8024 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Added in Windows Server 2012 and Windows 8.| -| 8025 | Error| *<File name> * was prevented from running.| Added in Windows Server 2012 and Windows 8.| -| 8027 | Error| No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.| Added in Windows Server 2012 and Windows 8.| -| 8028 | Warning | *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.| -| 8029 | Error | *<File name> * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| -| 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| -| 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.| -| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| -| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. 
| Added in Windows Server 2016 and Windows 10.| -| 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| -| 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| -| 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.| -| 8037 | Information | * passed Config CI policy and was allowed to run.| Added in Windows Server 2016 and Windows 10.| -| 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10.| -| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10.| -| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.| +| 8000 | Error | AppID policy conversion failed. Status * <%1> * | Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes. | +| 8001 | Information | The AppLocker policy was applied successfully to this computer. | Indicates that the AppLocker policy was successfully applied to the computer. | +| 8002 | Information | *<File name> * was allowed to run. | Indicates an AppLocker rule allowed the .exe or .dll file. | +| 8003 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Shown only when the **Audit only** enforcement mode is enabled. Indicates that the AppLocker policy would block the .exe or .dll file if the enforcement mode setting was **Enforce rules**. | +| 8004 | Error | *<File name> * was prevented from running. | AppLocker blocked the named EXE or DLL file. 
Shown only when the **Enforce rules** enforcement mode is enabled. | +| 8005| Information | *<File name> * was allowed to run. | Indicates an AppLocker rule allowed the script or .msi file. | +| 8006 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Shown only when the **Audit only** enforcement mode is enabled. Indicates that the AppLocker policy would block the script or .msi file if the **Enforce rules** enforcement mode was enabled. | +| 8007 | Error | *<File name> * was prevented from running. | AppLocker blocked the named Script or MSI. Shown only when the **Enforce rules** enforcement mode is enabled. | +| 8008| Warning | *<File name> *: AppLocker component not available on this SKU. | Indicates an edition of Windows that doesn't support AppLocker. | +| 8020| Information | *<File name> * was allowed to run. | Added in Windows Server 2012 and Windows 8. | +| 8021| Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Added in Windows Server 2012 and Windows 8. | +| 8022| Error | *<File name> * was prevented from running. | Added in Windows Server 2012 and Windows 8. | +| 8023 | Information | *<File name> * was allowed to be installed. | Added in Windows Server 2012 and Windows 8. | +| 8024 | Warning | *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced. | Added in Windows Server 2012 and Windows 8. | +| 8025 | Error | *<File name> * was prevented from running. | Added in Windows Server 2012 and Windows 8. | +| 8027 | Error | No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured. | Added in Windows Server 2012 and Windows 8. | +| 8028 | Warning | *<File name> * was allowed to run but would have been prevented if the Config CI policy were enforced. 
| Added in Windows Server 2016 and Windows 10. | +| 8029 | Error | *<File name> * was prevented from running due to Config CI policy. | Added in Windows Server 2016 and Windows 10. | +| 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10. | +| 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10. | +| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10. | +| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10. | +| 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10. | +| 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10. | +| 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10. | +| 8037 | Information | * passed Config CI policy and was allowed to run. | Added in Windows Server 2016 and Windows 10. | +| 8038 | Information | Publisher info: Subject: * Issuer: * Signature index * (* total) | Added in Windows Server 2016 and Windows 10. | +| 8039 | Warning | Package family name * version * was allowed to install or update but would have been prevented if the Config CI policy | Added in Windows Server 2016 and Windows 10. | +| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10. | - ## Related articles - [Tools to use with AppLocker](tools-to-use-with-applocker.md)
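Review bot: in the deleted applocker-settings.md hunk, one row of the table carries a fact nothing else in this diff preserves: AppLocker policy is stored under `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2`. That key is what a responder inspects when event 8000 reports a failed policy conversion and what a tamper-detection rule watches for unexpected writes, so before deleting the page make sure the registry path is added to the overview the redirect targets or to the technical reference. The remaining rows (`Not applicable` for firewall ports, network ports, service accounts, performance counters) add nothing and are safe to lose.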
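Review bot: in the tools-to-use-with-applocker.md hunk, deleting the feature-availability note removes the page's only statement that AppLocker isn't present on every Windows edition, while the event table rewritten in this same change still documents event 8008 for exactly that case. If the stale `/windows/security/threat-protection/.../feature-availability` path is the reason for the removal, replace the link with a current one rather than dropping the caveat. The rest of the hunk is fine: trailing whitespace stripped after the bold item names, `will scan` to `scans`, `in conjunction with` to `with`, and `Related topics` to `Related articles` are consistent with the other page.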
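Review bot: in the rewritten event table, row 8039 is still truncated mid-sentence (`...would have been prevented if the Config CI policy`); by analogy with row 8028 it presumably ends with `were enforced`, but check the event manifest and complete it rather than carrying the cut-off text into the reformatted row. Rows 8034 and 8035 also carry levels that read inverted relative to their messages (`ManagedInstaller Script check FAILED` is Information, `ManagedInstaller Script check SUCCEEDED` is Error); if that is genuinely what the provider emits it deserves a sentence in the Description column, otherwise swap them. Separately, the rewrite gives rows 8000-8008 real descriptions (`AppLocker blocked the named EXE or DLL file`, `Indicates an edition of Windows that doesn't support AppLocker`) but leaves rows 8020-8040 at `Added in Windows Server 2012 and Windows 8.` or `...2016 and Windows 10.`, which tells a responder nothing about what distinguishes 8022 from 8004 or 8036 from 8029; since every row is touched here, add the same kind of description for those (the `was allowed to be installed` wording in 8023 and the packaged-app text in 8027 indicate what the 8020 block covers, and `Config CI policy` in 8028-8040 indicates those come from WDAC policy rather than AppLocker rules). Minor: `*<File name> *` doesn't render as italics because the closing `*` follows a space; `*<File name>*` fixes it across the table.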