From 7e01e64958bd8f2d8e9579e0581fef73a739a6f3 Mon Sep 17 00:00:00 2001 From: LucasArona Date: Thu, 4 Jan 2018 00:05:20 +0100 Subject: [PATCH] Update understanding-applocker-rule-exceptions.md --- .../applocker/understanding-applocker-rule-exceptions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/device-security/applocker/understanding-applocker-rule-exceptions.md b/windows/device-security/applocker/understanding-applocker-rule-exceptions.md index e4f75155ca..c7817633da 100644 --- a/windows/device-security/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/device-security/applocker/understanding-applocker-rule-exceptions.md @@ -20,8 +20,8 @@ This topic describes the result of applying AppLocker rule exceptions to rule co You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. -For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule). -The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks. +For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule). +The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. ## Related topics