Merge pull request #9243 from MicrosoftDocs/main

Publish main to live on 12/22 @ 10:30 am
Stephanie Savell 2023-12-22 12:37:00 -06:00 committed by GitHub
commit d5e76d21f6
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 571 additions and 688 deletions

View File

@ -4900,6 +4900,11 @@
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain",
"redirect_document_id": false "redirect_document_id": false
}, },
{
"source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
"redirect_document_id": false
},
{ {
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md", "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets",
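Review bot: the new entry creates a redirect chain. The existing entry directly above it still sends the threat-protection path for use-applocker-and-software-restriction-policies-in-the-same-domain.md to the applocker path, and this hunk now redirects that applocker path on to /windows/security/application-security/application-control/windows-defender-application-control/wdac, so a reader of the old URL takes two hops. Update the earlier entry's "redirect_url" to the /wdac target as well so both old and new paths resolve in one hop.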
@ -4915,6 +4920,11 @@
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies",
"redirect_document_id": false "redirect_document_id": false
}, },
{
"source_path": "windows/security/application-security/application-control/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/wdac",
"redirect_document_id": false
},
{ {
"source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md", "source_path": "windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md",
"redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker", "redirect_url": "/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker",
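Review bot: same redirect chain as the previous hunk: the entry at the top of this hunk still points the threat-protection path at .../applocker/using-software-restriction-policies-and-applocker-policies, which the new entry then redirects on to /wdac. Point the earlier entry's "redirect_url" directly at /windows/security/application-security/application-control/windows-defender-application-control/wdac.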

View File

@ -15,7 +15,7 @@ metadata:
author: aczechowski author: aczechowski
ms.author: aaroncz ms.author: aaroncz
manager: aaroncz manager: aaroncz
ms.date: 03/07/2022 #Required; mm/dd/yyyy format. ms.date: 12/22/2023 #Required; mm/dd/yyyy format.
localization_priority: medium localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new

View File

@ -161,7 +161,7 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix - 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. - 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy is ignored. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching ### Minimum RAM (inclusive) allowed to use Peer Caching
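Review bot: the rewritten sentence inverts the precedence between the two policies. The old text reads "If you set this policy, the GroupID policy is ignored." (GroupIDSource wins); the new text reads "This policy is ignored if the GroupID policy is also set." (GroupID wins). Only one of these can match the Delivery Optimization client, and nothing else in the hunk indicates which, so confirm against the client behavior before publishing. If the inversion is intended, call it out in the PR description, because it changes what administrators who set both DOGroupId and DOGroupIdSource should expect.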
@ -335,7 +335,7 @@ The device can download from peers while on battery regardless of this policy.
MDM Setting: **DOCacheHost** MDM Setting: **DOCacheHost**
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the the next one. When the last server fails, it will fallback to the CDN. Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the next one. When the last server fails, it will fallback to the CDN.
>[!IMPORTANT] >[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty. > Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.
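Review bot: while fixing "the the", the same sentence still uses "fallback" as a verb ("it will fallback to the CDN"); it should be "fall back". The example hosts myhost.somerandomhost.com and myhost2.somerandomhost.com would also be better expressed with a reserved documentation domain such as example.com rather than a name someone could register.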

View File

@ -146,8 +146,6 @@
href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- name: Use the AppLocker Windows PowerShell cmdlets - name: Use the AppLocker Windows PowerShell cmdlets
href: applocker\use-the-applocker-windows-powershell-cmdlets.md href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- name: Use AppLocker and Software Restriction Policies in the same domain
href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- name: Optimize AppLocker performance - name: Optimize AppLocker performance
href: applocker\optimize-applocker-performance.md href: applocker\optimize-applocker-performance.md
- name: Monitor app usage with AppLocker - name: Monitor app usage with AppLocker
@ -243,8 +241,6 @@
href: applocker\understand-the-applocker-policy-deployment-process.md href: applocker\understand-the-applocker-policy-deployment-process.md
- name: Requirements for Deploying AppLocker Policies - name: Requirements for Deploying AppLocker Policies
href: applocker\requirements-for-deploying-applocker-policies.md href: applocker\requirements-for-deploying-applocker-policies.md
- name: Use Software Restriction Policies and AppLocker policies
href: applocker\using-software-restriction-policies-and-applocker-policies.md
- name: Create Your AppLocker policies - name: Create Your AppLocker policies
href: applocker\create-your-applocker-policies.md href: applocker\create-your-applocker-policies.md
items: items:
@ -278,6 +274,8 @@
href: applocker\understanding-applocker-rule-exceptions.md href: applocker\understanding-applocker-rule-exceptions.md
- name: Understanding AppLocker rule collections - name: Understanding AppLocker rule collections
href: applocker\understanding-applocker-rule-collections.md href: applocker\understanding-applocker-rule-collections.md
- name: Understand AppLocker rule collection extensions
href: applocker\rule-collection-extensions.md
- name: Understanding AppLocker allow and deny actions on rules - name: Understanding AppLocker allow and deny actions on rules
href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- name: Understanding AppLocker rule condition types - name: Understanding AppLocker rule condition types
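Review bot: the new TOC entry references applocker\rule-collection-extensions.md, but no hunk for that file appears in this view. Confirm the article is part of the PR, and that it contains the services-enforcement anchor the overview page now links to (rule-collection-extensions#services-enforcement); otherwise the TOC build fails on a missing href and the note link lands on the top of the page.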

View File

@ -1,61 +1,56 @@
--- ---
title: Administer AppLocker title: Administer AppLocker
description: This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. description: This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/28/2019 ms.date: 12/19/2023
--- ---
# Administer AppLocker # Administer AppLocker
> [!NOTE] This article for IT professionals provides links to specific procedures to use when administering AppLocker policies.
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies.
AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can: AppLocker helps administrators control how users can access and use files, such as executable files, packaged apps, scripts, Windows Installer files, and DLLs. Using AppLocker, you can:
- Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file. - Define rules based on file attributes derived from the digital signature, including the publisher, product name, file name, and file version. For example, you can create rules based on the publisher attribute that is persistent through updates, or you can create rules for a specific version of a file.
- Assign a rule to a security group or an individual user. - Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe). - Create exceptions to rules. For example, you can create a rule that allows all Windows processes to run, except Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Use audit-only mode to deploy the policy and understand its effect before enforcing it.
- Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten. - Import and export rules. The import and export affects the entire policy. For example, if you export a policy, all of the rules from all of the rule collections are exported, including the enforcement settings for the rule collections. If you import a policy, the existing policy is overwritten.
- Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets. - Simplify creating and managing AppLocker rules by using AppLocker PowerShell cmdlets.
> **Note** For more info about enhanced capabilities of AppLocker to control Windows apps, see [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md).
## In this section ## In this section
| Topic | Description | | Article | Description |
| - | - | | - | - |
| [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. | | [Maintain AppLocker policies](maintain-applocker-policies.md) | This article describes how to maintain rules within AppLocker policies. |
| [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. | | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This article for IT professionals describes the steps required to modify an AppLocker policy. |
| [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. | | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This article discusses the steps required to test an AppLocker policy prior to deployment. |
| [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. | | [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md) | This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. |
| [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. | | [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md) | This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. |
| [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md) | This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. | | [Optimize AppLocker performance](optimize-applocker-performance.md) | This article for IT professionals describes how to optimize AppLocker policy enforcement. |
| [Optimize AppLocker performance](optimize-applocker-performance.md) | This topic for IT professionals describes how to optimize AppLocker policy enforcement. | | [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This article for IT professionals describes how to monitor app usage when AppLocker policies are applied. |
| [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) | This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. | | [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. |
| [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md) | This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. | | [Working with AppLocker rules](working-with-applocker-rules.md) | This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies. |
| [Working with AppLocker rules](working-with-applocker-rules.md) | This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. | | [Working with AppLocker policies](working-with-applocker-policies.md) | This article for IT professionals provides links to procedural articles about creating, maintaining, and testing AppLocker policies. |
| [Working with AppLocker policies](working-with-applocker-policies.md) | This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. |
## <a href="" id="bkmk-using-snapins"></a>Using the MMC snap-ins to administer AppLocker ## Using the MMC snap-ins to administer AppLocker
You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). You can administer AppLocker policies using the Group Policy Management Console to create or edit a Group Policy Object (GPO). To create or edit an AppLocker policy on a local computer, use the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc).
### Administer AppLocker using Group Policy ### Administer AppLocker using Group Policy
You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer.
1. Open the Group Policy Management Console (GPMC). 1. Open the Group Policy Management Console (GPMC).
2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then click **Edit**. 2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and then select **Edit**.
3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. 3. In the console tree, double-click **Application Control Policies**, double-click **AppLocker**, and then select the rule collection that you want to create the rule for.
### Administer AppLocker on the local PC ### Administer AppLocker on the local PC
1. Click **Start**, type **local security policy**, and then click **Local Security Policy**. 1. Select **Start**, type **local security policy**, and then select **Local Security Policy**.
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then click the rule collection that you want to create the rule for. 3. In the console tree of the snap-in, double-click **Application Control Policies**, double-click **AppLocker**, and then select the rule collection that you want to create the rule for.
## Using Windows PowerShell to administer AppLocker ## Using Windows PowerShell to administer AppLocker
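Review bot: dropping the `<a href="" id="bkmk-using-snapins"></a>` anchor from the "Using the MMC snap-ins to administer AppLocker" heading breaks any inbound link to #bkmk-using-snapins; search the docset for that fragment before removing it, or keep the anchor next to the plain heading. The rest of the hunk is consistent with the redirects in this PR (the SRP table row is gone and the packaged-apps note is covered by the "Manage packaged apps with AppLocker" row).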

View File

@ -6,41 +6,40 @@ ms.collection:
- must-keep - must-keep
ms.topic: conceptual ms.topic: conceptual
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 06/07/2023 ms.date: 12/19/2023
--- ---
# AppLocker # AppLocker
> [!NOTE] This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. AppLocker is also used by some features of Windows Defender Application Control.
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
> [!NOTE] > [!NOTE]
> AppLocker is unable to control processes running under the system account on any operating system. > AppLocker is a defense-in-depth security feature and not considered a defensible Windows [security feature](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
> [!NOTE]
> By default, AppLocker policy only applies to code launched in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to non-user processes, including those running as SYSTEM. For more information, see [AppLocker rule collection extensions](/windows/security/application-security/application-control/windows-defender-application-control/applocker/rule-collection-extensions#services-enforcement).
AppLocker can help you: AppLocker can help you:
- Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash. - Define rules based on file attributes that persist across app updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
- Assign a rule to a security group or an individual user. - Assign a rule to a security group or an individual user.
- Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe). - Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries, except the Registry Editor (regedit.exe).
- Use audit-only mode to deploy the policy and understand its impact before enforcing it. - Use audit-only mode to deploy the policy and understand its effect before enforcing it.
- Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object. - Create rules on a staging server, test them, then export them to your production environment and import them into a Group Policy Object.
- Simplify creating and managing AppLocker rules by using Windows PowerShell. - Create and manage AppLocker rules by using Windows PowerShell.
AppLocker helps reduce administrative overhead and helps reduce the organization's cost of managing computing resources by decreasing the number of Help Desk calls that result from users running unapproved apps. AppLocker addresses the following app security scenarios: AppLocker helps prevent users from running unapproved apps. AppLocker addresses the following app control scenarios:
- **Application inventory**: AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically. - **Application inventory**: AppLocker has the ability to apply its policy in an audit-only mode where all app launch activity is allowed but registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.
- **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running. - **Protection against unwanted software**: AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that aren't included in the allowed rules are blocked from running.
- **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users. - **Licensing conformance**: AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users.
- **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment. - **Software standardization**: AppLocker policies can be configured to allow only supported or approved apps to run on computers within a business group. This configuration permits a more uniform app deployment.
- **Manageability improvement**: AppLocker includes many improvements in manageability as compared to its predecessor Software Restriction Policies. Importing and exporting policies, automatic generation of rules from multiple files, audit-only mode deployment, and Windows PowerShell cmdlets are a few of the improvements over Software Restriction Policies.
## When to use AppLocker ## When to use AppLocker
In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access. In many organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. Access control technologies, such as Active Directory Rights Management Services (AD RMS) and access control lists (ACLs), help control what users are allowed to access.
However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. AppLocker can help mitigate these types of security breaches by restricting the files that users or groups are allowed to run. Software publishers are beginning to create more apps that can be installed by non-administrative users. This privilege could jeopardize an organization's written security policy and circumvent traditional app control solutions that rely on the inability of users to install apps. AppLocker creates an allowed list of approved files and apps to help prevent such per-user apps from running. Because AppLocker can control DLLs, it's also useful to control who can install and run ActiveX controls. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user runs unauthorized software, including malware. AppLocker helps mitigate these types of security issues by restricting the files that users or groups are allowed to run. Because AppLocker can control DLLs and scripts, it's also useful to control who can install and run ActiveX controls.
AppLocker is ideal for organizations that currently use Group Policy to manage their PCs. AppLocker is ideal for organizations that currently use Group Policy to manage their PCs.
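Review bot: two problems in the new notes. First, "not considered a defensible Windows security feature" is ambiguous, and the same claim elsewhere in this PR (the note removed at the end of the file) reads "not a security boundary"; pick one phrasing that matches the linked servicing criteria page and use it in both places, for example stating plainly that AppLocker is a defense-in-depth feature that isn't serviced as a security feature. The same note links to /windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview, the pre-move path, while the redirect hunks in this PR move that tree under /windows/security/application-security/application-control/; use the new path, as the SYSTEM-process note directly below already does. Second, that SYSTEM-process note replaces "AppLocker is unable to control processes running under the system account on any operating system" with the opposite claim for Windows 10, Windows 11, and Windows Server 2016 or later; make sure the rule-collection-extensions article being added in this PR backs it, and keep a sentence stating that the limitation still applies on earlier versions.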
@ -49,21 +48,18 @@ The following are examples of scenarios in which AppLocker can be used:
- Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users. - Your organization's security policy dictates the use of only licensed software, so you need to prevent users from running unlicensed software and also restrict the use of licensed software to authorized users.
- An app is no longer supported by your organization, so you need to prevent it from being used by everyone. - An app is no longer supported by your organization, so you need to prevent it from being used by everyone.
- The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat. - The potential that unwanted software can be introduced in your environment is high, so you need to reduce this threat.
- The license to an app has been revoked or it's expired in your organization, so you need to prevent it from being used by everyone. - The license to an app is revoked or expired in your organization, so you need to prevent it from being used by everyone.
- A new app or a new version of an app is deployed, and you need to prevent users from running the old version. - A new app or a new version of an app is deployed, and you need to prevent users from running the old version.
- Specific software tools aren't allowed within the organization, or only specific users should have access to those tools. - Specific software tools aren't allowed within the organization, or only specific users should have access to those tools.
- A single user or small group of users needs to use a specific app that is denied for all others. - A single user or small group of users needs to use a specific app that is denied for all others.
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps. - Some people in your organization who require different software share a computer, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage. - In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and not a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## Installing AppLocker ## Installing AppLocker
AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). AppLocker is included with all editions of Windows except Windows 10 version 1809 or earlier. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC).
> [!NOTE] > [!NOTE]
> GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature. > GPMC is available in client computers running Windows only by installing the Remote Server Administration Tools. On computer running Windows Server, you must install the Group Policy Management feature.
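Review bot: The `> [!NOTE]` block after the scenario list (AppLocker is a defense-in-depth feature and not a security boundary, with the pointer to Windows Defender Application Control) shows on only one side of this hunk; make sure the published version keeps it, because it's the one place in this article that tells readers when AppLocker alone isn't enough and what to use instead. Two smaller points in the same hunk: the new sentence "AppLocker is included with all editions of Windows except Windows 10 version 1809 or earlier" reads as if no edition of 1809 or earlier has AppLocker, while the sentence it replaces said enterprise-level editions do, so combine the two and state both cases, for example "AppLocker is included with all editions of Windows; on Windows 10 version 1809 and earlier it's only available on enterprise-level editions". In the GPMC note, "available in client computers" should be "available on client computers" and "On computer running Windows Server" should be "On computers running Windows Server".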
@ -74,15 +70,15 @@ AppLocker on Server Core installations isn't supported.
### Virtualization considerations ### Virtualization considerations
You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you do risk losing the policies that you created and maintain if the virtualized instance is removed or fails. You can administer AppLocker policies by using a virtualized instance of Windows provided it meets all the system requirements listed previously. You can also run Group Policy in a virtualized instance. However, you risk losing the policies that you create and maintain if the virtualized instance is removed or fails.
### Security considerations ### Security considerations
Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer. Application control policies specify which apps are allowed to run on the local computer. The variety of forms that malicious software can take make it difficult for users to know what is safe to run. When activated, malicious software can damage content on a hard disk drive, flood a network with requests to cause a denial-of-service (DoS) attack, send confidential information to the Internet, or compromise the security of a computer.
The countermeasure is to create a sound design for your application control policies on PCs in your organization, and then thoroughly test the policies in a lab environment before you deploy them in a production environment. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers. The countermeasure is to create a sound design for your application control policies on PCs in your organization. AppLocker can be part of your app control strategy because you can control what software is allowed to run on your computers.
A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. Therefore, it's important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies. A flawed application control policy implementation can disable necessary applications or allow malicious or unintended software to run. You should thoroughly test the policies in a lab environment before you deploy them in production. It's also important that organizations dedicate sufficient resources to manage and troubleshoot the implementation of such policies.
For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations: For more information about specific security issues, see [Security considerations for AppLocker](security-considerations-for-applocker.md). When you use AppLocker to create application control policies, you should be aware of the following security considerations:
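Review bot: Subject-verb agreement in the security considerations paragraph, unchanged on both sides: "The variety of forms that malicious software can take make it difficult" should read "makes it difficult", since the subject is "variety". Moving the lab-testing sentence next to the paragraph about flawed policy implementations is the right place for it; keep "production environment" there for consistency with the earlier sentence rather than the bare "in production".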

View File

@ -1,27 +1,24 @@
--- ---
title: Configure an AppLocker policy for audit only title: Configure an AppLocker policy for audit only
description: This topic for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker. description: This article for IT professionals describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 06/08/2018 ms.date: 12/21/2023
--- ---
# Configure an AppLocker policy for audit only # Configure an AppLocker policy for audit only
>[!NOTE] This article for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. After AppLocker rules are created within the rule collection, you can configure the enforcement mode setting to **Enforce rules** or **Audit only**.
After AppLocker rules are created within the rule collection, you can configure the enforcement setting to **Enforce rules** or **Audit only**. When AppLocker policy enforcement mode is set to **Enforce rules**, rules are enforced for the rule collection and all events are logged to the AppLocker event logs for that rule collection. When AppLocker policy enforcement mode is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker event logs.
When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). ## To audit rule collections
**To audit rule collections** 1. From the AppLocker console, right-click **AppLocker**, and then select **Properties**.
1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**.
2. On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection. 2. On the **Enforcement** tab, select the **Configured** check box for the rule collection that you want to enforce, and then verify that **Audit only** is selected in the list for that rule collection.
3. Repeat the above step to configure the enforcement setting to **Audit only** for additional rule collections. 3. Repeat the above step to configure the enforcement setting to **Audit only** for other rule collections.
4. Click **OK**. 4. Select **OK**.
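Review bot: Step 2 of "To audit rule collections" tells the reader to select the **Configured** check box "for the rule collection that you want to enforce", but this article is about audit-only mode, so it should say "that you want to audit" (the enforce-rules article uses the matching "that you're editing" wording). The rewritten enforcement paragraph now says events go to the AppLocker event logs in both modes, which blurs the difference between them; keep "rules are only evaluated" and add that in **Audit only** mode files aren't blocked, so the log shows what would have been blocked under **Enforce rules**. The link anchor changes from `#bkmk-using-snapins` to `#using-the-mmc-snap-ins-to-administer-applocker` here and in the sibling articles; confirm that administer-applocker.md carries that heading in this PR, otherwise the link lands on the top of the page. Grammar, both sides and repeated in every article touched by this PR: "For info how to use these MMC snap-ins" should be "For info about how to use these MMC snap-ins".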

View File

@ -1,28 +1,26 @@
--- ---
title: Configure an AppLocker policy for enforce rules title: Configure an AppLocker policy for enforce rules
description: This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. description: This article for IT professionals describes the steps to enable the AppLocker policy enforcement setting.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Configure an AppLocker policy for enforce rules # Configure an AppLocker policy for enforce rules
>[!NOTE] This article for IT professionals describes the steps to enable the AppLocker policy enforcement mode setting.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. > [!NOTE]
> When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are logged to the AppLocker event logs.
>**Note:** When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited.
For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). For info about how AppLocker policies are applied within a GPO structure, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
**To enable the Enforce rules enforcement setting** ## To enable the Enforce rules enforcement setting
1. From the AppLocker console, right-click **AppLocker**, and then click **Properties**. 1. From the AppLocker console, right-click **AppLocker**, and then select **Properties**.
2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you're editing, and then verify that **Enforce rules** is selected. 2. On the **Enforcement** tab of the **AppLocker Properties** dialog box, select the **Configured** check box for the rule collection that you're editing, and then verify that **Enforce rules** is selected.
3. Click **OK**. 3. Select **OK**.
For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). For info about viewing the events generated from rules enforcement, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
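Review bot: The procedure switches a rule collection straight to **Enforce rules** without saying to run it in **Audit only** first, even though the overview article in this same PR says policies should be thoroughly tested before production deployment; add a sentence before the steps recommending an audit-only period and a review of the events referenced in the closing line (Monitor app usage with AppLocker) before enforcement is enabled, and link to the "Configure an AppLocker policy for audit only" article. The move of the enforcement statement into a `> [!NOTE]` block is fine.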

View File

@ -1,30 +1,27 @@
--- ---
title: Add exceptions for an AppLocker rule title: Add exceptions for an AppLocker rule
description: This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. description: This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Add exceptions for an AppLocker rule # Add exceptions for an AppLocker rule
>[!NOTE] This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.
Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md). Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
**To configure exceptions for a rule** ## To configure exceptions for a rule
1. Open the AppLocker console. 1. Open the AppLocker console.
2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click **Properties**. 2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then select **Properties**.
3. Click the **Exceptions** tab. 3. Select the **Exceptions** tab.
4. In the **Add exception** box, select the rule type that you want to create, and then click **Add**. 4. In the **Add exception** box, select the rule type that you want to create, and then select **Add**.
- For a publisher exception, click **Browse**, select the file that contains the publisher to exclude, and then click **OK**. - For a publisher exception, select **Browse**, select the file that contains the publisher to exclude, and then select **OK**.
- For a path exception, choose the file or folder path to exclude, and then click **OK**. - For a path exception, choose the file or folder path to exclude, and then select **OK**.
- For a file hash exception, edit the file hash rule, and click **Remove**. - For a file hash exception, edit the file hash rule, and select **Remove**.
- For a packaged apps exception, click **Add** to create the exceptions based on reference app and rule scope. - For a packaged apps exception, select **Add** to create the exceptions based on reference app and rule scope.
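Review bot: The file hash bullet under step 4, "For a file hash exception, edit the file hash rule, and select **Remove**", doesn't describe adding an exception: every other bullet says how to pick the file, path or publisher to exclude, while this one tells the reader to remove something from a rule. Reword it to say which file's hash is selected for the exception (or which hash entry is removed, and why) so the reader knows what ends up in the exception list. Also, the intro sentence says exceptions let you exclude "files or folders", but the bullets cover publisher and packaged-app exceptions too; "files, folders, publishers, or packaged apps" would match the procedure.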

View File

@ -3,29 +3,26 @@ title: Create a rule for packaged apps
description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Create a rule for packaged apps # Create a rule for packaged apps
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.
Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it's possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows doesn't support unsigned packaged apps, which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: Packaged apps are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it's possible to control the entire app using a single AppLocker rule as opposed to unpackaged apps where each file within the app could have a unique identity. All packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information:
- Publisher of the package - Publisher of the package
- Package name - Package name
- Package version - Package version
All the files within a package and the package installers share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation and the running of the app. Otherwise, the publisher rules for packaged apps are no different than the rest of the rule collections; they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups. All the files within a package and the package installers share these attributes. Therefore, an AppLocker rule for a packaged app controls both the installation and the running of the app. Otherwise, the publisher rules for packaged apps behave the same as in other rule collections.
For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
**To create a packaged app rule** ## To create a packaged app rule
1. Open the AppLocker console. 1. Open the AppLocker console.
2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**. 2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**.
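Review bot: The new packaged-app paragraph replaces "they support exceptions, can be increased or decreased in scope, and can be assigned to users and groups" with "behave the same as in other rule collections", which drops the three concrete properties a reader needs when planning a packaged app rule; keep the list, or restate it in the new sentence. The shortened "All packaged apps must be signed" also loses the reason the old text gave (Windows doesn't support unsigned packaged apps), which is exactly why publisher rules are the only supported rule type here; one clause restoring that link would help readers who wonder why hash and path rules aren't offered.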
@ -33,20 +30,20 @@ You can perform this task by using the Group Policy Management Console for an Ap
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options. 5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
|Selection|Description|Example| | Selection | Description | Example |
|--- |--- |--- | | --- | --- | --- |
|**Use an installed packaged app as a reference**|If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.|You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you're creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.| | **Use an installed packaged app as a reference** | If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule. | You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you're creating the rule, so you choose this option. Then select the app from the list of apps installed on the computer and create the rule using this app as a reference. |
|**Use a packaged app installer as a reference**|If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company has developed many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.| | **Use a packaged app installer as a reference** | If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.|Your company develops many internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule. |
The following table describes setting the scope for the packaged app rule. The following table describes setting the scope for the packaged app rule.
|Selection|Description|Example| | Selection | Description | Example |
|--- |--- |--- | | --- | --- | --- |
|Applies to **Any publisher**|This setting is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install. <br/><br/>Conversely, if this setting is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.| | Applies to **Any publisher** | This setting is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install. <br/><br/>Conversely, if this setting is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app. |
|Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. | | Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. |
|Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. | | Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. |
|Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. | | Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. |
|Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding "Microsoft.Bing*" as the Package name. | | Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding "Microsoft.Bing*" as the Package name. |
6. Select **Next**. 6. Select **Next**.
7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. 7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**.
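Review bot: In the reference-options table, the **Use a packaged app installer as a reference** row on the new side has no space before the cell separator ("...to define the rule.|Your company develops..."), inconsistent with the " | " spacing the rewrite applies to every other cell; add the space. Two content points in the scope table: the **Any publisher** row's example ("any packaged app from any signed publisher") is effectively an allow-all for packaged apps, so it's worth saying that this scope only makes sense paired with deny rules or exceptions; and the custom values row should spell out that the asterisk in "Microsoft.Bing*" is a wildcard and that only the package name field is changed, with the publisher staying that of the reference app, otherwise readers may widen the publisher field the same way.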

View File

@ -1,35 +1,32 @@
--- ---
title: Create a rule that uses a file hash condition title: Create a rule that uses a file hash condition
description: This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. description: This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Create a rule that uses a file hash condition # Create a rule that uses a file hash condition
>[!NOTE] This article for IT professionals shows how to create an AppLocker rule with a file hash condition.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. File hash rules use a system-computed Authenticode cryptographic hash of the identified file.
File hash rules use a system-computed cryptographic hash of the identified file.
For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). For info about the file hash condition, see [Understanding the File Hash Rule Condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
**To create a new rule with a file hash condition** ## To create a new rule with a file hash condition
1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 1. Open the AppLocker console, and then select the rule collection that you want to create the rule for.
2. On the **Action** menu, click **Create New Rule**. 2. On the **Action** menu, select **Create New Rule**.
3. On the **Before You Begin** page, click **Next**. 3. On the **Before You Begin** page, select **Next**.
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
5. On the **Conditions** page, select the **File hash** rule condition, and then click **Next**. 5. On the **Conditions** page, select the **File hash** rule condition, and then select **Next**.
6. **Browse Files** to locate the targeted application file. 6. **Browse Files** to locate the targeted application file.
>**Note:** You can also click **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, click the **Remove** button. > [!NOTE]
> You can also select **Browse Folders** which calculates the hash for all the appropriate files relative to the rule collection. To remove hashes individually, select the **Remove** button.
7. Click **Next**. 7. Select **Next**.
8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
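Review bot: The new wording in the opening paragraph, "system-computed Authenticode cryptographic hash", should say whether that applies to every file type AppLocker covers; the rule collections include scripts and Windows Installer files, which are not PE binaries, so a reader is left wondering what is hashed for those. Also, in the step 6 note, add a comma before the relative clause: "You can also select **Browse Folders**, which calculates the hash for all the appropriate files...".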


@ -1,37 +1,36 @@
--- ---
title: Create a rule that uses a path condition title: Create a rule that uses a path condition
description: This topic for IT professionals shows how to create an AppLocker rule with a path condition. description: This article for IT professionals shows how to create an AppLocker rule with a path condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Create a rule that uses a path condition # Create a rule that uses a path condition
>[!NOTE] This article for IT professionals shows how to create an AppLocker rule with a path condition.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals shows how to create an AppLocker rule with a path condition.
The path condition identifies an app by its location in the file system of the computer or on the network. The path condition identifies an app by its location in the file system of the computer or on the network.
>**Important:** When creating a rule that uses a deny action, path conditions are less secure for preventing access to a file because a user could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles. > [!IMPORTANT]
> When creating Deny rules, path conditions are less effective for preventing access to a file because a user (or malware acting as the user) could easily copy the file to a different location than what is specified in the rule. Because path rules correspond to locations within the file system, you should ensure that there are no subdirectories that are writable by non-administrators. For example, if you create a path rule for C:\\ with the allow action, any file within C:\\ will be allowed to run, including users' profiles.
For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). For info about the path condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
**To create a new rule with a path condition** ## To create a new rule with a path condition
1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 1. Open the AppLocker console, and then select the rule collection that you want to create the rule for.
2. On the **Action** menu, click **Create New Rule**. 2. On the **Action** menu, select **Create New Rule**.
3. On the **Before You Begin** page, click **Next**. 3. On the **Before You Begin** page, select **Next**.
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
5. On the **Conditions** page, select the **Path** rule condition, and then click **Next**. 5. On the **Conditions** page, select the **Path** rule condition, and then select **Next**.
6. Click **Browse Files** to locate the targeted folder for the app. 6. Select **Browse Files** to locate the targeted folder for the app.
>**Note:** When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). > [!NOTE]
> When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the **Path** box. To learn more about AppLocker path variables, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md).
7. Click **Next**. 7. Select **Next**.
8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Select **Next**.
9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. 9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
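Review bot: The rewritten IMPORTANT note now opens with "When creating Deny rules" but its example describes an Allow rule (a path rule for C:\\ with the allow action), so two different risks are run together; suggest stating them separately: Deny path rules are weak because the file can be copied outside the denied location, and Allow path rules are risky when non-administrators can write to any subdirectory of the allowed path. Step 6 also says "Select **Browse Files** to locate the targeted folder for the app"; either the button name or the target is wrong, since the note that follows talks about browsing to "a file or folder location".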


@ -1,34 +1,31 @@
--- ---
title: Create a rule that uses a publisher condition title: Create a rule that uses a publisher condition
description: This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. description: This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Create a rule that uses a publisher condition # Create a rule that uses a publisher condition
>[!NOTE] This article for IT professionals shows how to create an AppLocker rule with a publisher condition.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. You can use publisher conditions only for files that are digitally signed. The publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, might contain the name of the product and the version number of the app binary. The publisher might be a software development company, such as Microsoft, or the information technology department of your organization.
You can use publisher conditions only for files that are digitally signed; the publisher condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the file is part of and the version number of the application. The publisher may be a software development company, such as Microsoft, or the information technology department of your organization. Packaged app rules always use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
Packaged app rules are by definition rules that use publisher conditions. For info about creating a packaged app rule, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md).
For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md). For info about the publisher condition, see [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
**To create a new rule with a publisher condition** ## To create a new rule with a publisher condition
1. Open the AppLocker console, and then click the rule collection that you want to create the rule for. 1. Open the AppLocker console, and then select the rule collection that you want to create the rule for.
2. On the **Action** menu, click **Create New Rule**. 2. On the **Action** menu, select **Create New Rule**.
3. On the **Before You Begin** page, click **Next**. 3. On the **Before You Begin** page, select **Next**.
4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. 4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**.
5. On the **Conditions** page, select the **Publisher** rule condition, and then click **Next**. 5. On the **Conditions** page, select the **Publisher** rule condition, and then select **Next**.
6. On the **Publisher** page, click **Browse** to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the **Use custom values** check box. For example, you can use the asterisk (\*) wildcard character within a publisher rule to specify that any value should be matched. 6. On the **Publisher** page, select **Browse** to select a signed file, and then use the slider to specify the scope of the rule. To use custom values in any of the fields or to specify a specific file version, select the **Use custom values** check box. For example, you can use the asterisk (\*) wildcard character within a publisher rule to specify that any value should be matched.
7. Click **Next**. 7. Select **Next**.
8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Click **Next**. 8. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. Select **Next**.
9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. 9. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**.
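Review bot: Step 6 reads "select **Browse** to select a signed file", a repeated verb; "select **Browse** and choose a signed file" reads better. The wildcard example in the same step would benefit from one sentence on scope: since the asterisk means any value is matched, a wildcard in the publisher field matches any signed file regardless of who signed it, which is a far broader rule than the slider's default scope suggests, so say which fields the wildcard is intended for.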


@ -1,31 +1,28 @@
--- ---
title: Create AppLocker default rules title: Create AppLocker default rules
description: This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. description: This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Create AppLocker default rules # Create AppLocker default rules
>[!NOTE] This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. The AppLocker wizard can generate default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run.
AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed to run.
> [!IMPORTANT] > [!IMPORTANT]
> You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types. > You can use the default rules as a template when creating your own rules to allow files within the Windows folders to run. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules. The default rules can be modified in the same way as other AppLocker rule types.
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
**To create default rules** ## To create default rules
1. Open the AppLocker console. 1. Open the AppLocker console.
2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. 2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
3. Click **Create Default Rules**. 3. Select **Create Default Rules**.
## Related topics ## Related articles
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) - [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
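Review bot: Step 2 lists "executable, Windows Installer, script rules and Packaged app rules", while the enforce-rules article in this same commit lists DLL files as a rule collection; confirm whether default rules for the DLL collection are deliberately omitted here, and make the list consistent in form, for example "executable, Windows Installer, script, and packaged app rule collections".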


@ -3,21 +3,18 @@ title: Delete an AppLocker rule
description: This article for IT professionals describes the steps to delete an AppLocker rule. description: This article for IT professionals describes the steps to delete an AppLocker rule.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 03/10/2023 ms.date: 12/21/2023
--- ---
# Delete an AppLocker rule # Delete an AppLocker rule
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This article for IT professionals describes the steps to delete AppLocker rules. This article for IT professionals describes the steps to delete AppLocker rules.
As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running. As older apps are retired and new apps are deployed in your organization, it's necessary to modify the application control policies. If an app is no longer supported by your organization, then deleting the rule or rules associated with that app prevents the app from running.
For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). For info about testing an AppLocker policy to see what rules affect which files or applications, see [Test an AppLocker policy by Using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools. These steps apply only for locally managed devices. Any AppLocker policies delivered through MDM or Group Policy must be removed using those tools.
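Review bot: The paragraph about performing this task in the Group Policy Management Console for a GPO conflicts with the sentence right after it, which says these steps apply only to locally managed devices and that policies delivered through MDM or Group Policy must be removed with those tools; either drop the GPMC/GPO sentence from this article or rephrase the last paragraph so it is clear which steps apply to which deployment method.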


@ -1,21 +1,18 @@
--- ---
title: Deploy AppLocker policies by using the enforce rules setting title: Deploy AppLocker policies by using the enforce rules setting
description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. description: This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/19/2023
--- ---
# Deploy AppLocker policies by using the enforce rules setting # Deploy AppLocker policies by using the enforce rules setting
>[!NOTE] This article for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
## Background and prerequisites ## Background and prerequisites
These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design. These procedures assume that your AppLocker policies are deployed with the enforcement mode set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md). For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
@ -23,18 +20,18 @@ For info about how to plan an AppLocker policy deployment, see [AppLocker Design
## Step 1: Retrieve the AppLocker policy ## Step 1: Retrieve the AppLocker policy
Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). Updating an AppLocker policy that is currently enforced in your production environment can cause unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on a reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
## Step 2: Alter the enforcement setting ## Step 2: Alter the enforcement setting
Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). Rule enforcement is applied to all rules within a rule collection, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. For information about the enforcement mode setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement mode setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 3: Update the policy ## Step 3: Update the policy
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) feature from the Microsoft Desktop Optimization Pack. You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) feature from the Microsoft Desktop Optimization Pack.
> [!CAUTION] > [!CAUTION]
> You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. > You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior.
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
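Review bot: Step 2 drops the sentence "By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced"; that default matters in this article because the prerequisite above assumes the policies are in Audit only mode, and a reader who never set the enforcement mode would otherwise not learn that their rules are already being enforced. Keep the sentence unless the behavior has changed.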


@ -1,32 +1,30 @@
--- ---
title: Edit an AppLocker policy title: Edit an AppLocker policy
description: This topic for IT professionals describes the steps required to modify an AppLocker policy. description: This article for IT professionals describes the steps required to modify an AppLocker policy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/19/2023
--- ---
# Edit an AppLocker policy # Edit an AppLocker policy
>[!NOTE] This article for IT professionals describes the steps required to modify an AppLocker policy.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps required to modify an AppLocker policy. You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't create a new version of the policy by importing more rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you want to merge multiple AppLocker policies into a single one, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't create a new version of the policy by importing more rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
There are three methods you can use to edit an AppLocker policy: There are three methods you can use to edit an AppLocker policy:
- [Editing an AppLocker policy by using Mobile Device Management (MDM)](#bkmk-editapppolinmdm) - [Editing an AppLocker policy by using Mobile Device Management (MDM)](#editing-an-applocker-policy-by-using-mobile-device-management-mdm)
- [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo) - [Editing an AppLocker policy by using Group Policy](#editing-an-applocker-policy-by-using-group-policy)
- [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) - [Editing an AppLocker policy by using the Local Security Policy snap-in](#editing-an-applocker-policy-by-using-the-local-security-policy-snap-in)
## <a href="" id="bkmk-editapppolinmdm"></a>Editing an AppLocker policy by using Mobile Device Management (MDM) ## Editing an AppLocker policy by using Mobile Device Management (MDM)
If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node.
To edit an AppLocker policy deployed using the AppLocker configuration service provider (CSP), update the content in the string value of the CSP's policy node.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
## <a href="" id="bkmk-editapppolingpo"></a>Editing an AppLocker policy by using Group Policy ## Editing an AppLocker policy by using Group Policy
The steps to edit an AppLocker policy distributed by Group Policy include: The steps to edit an AppLocker policy distributed by Group Policy include:
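Review bot: the `bkmk-editapppolinmdm`, `bkmk-editapppolingpo` and `bkmk-editapplolnotingpo` anchors are removed from the three headings, so any other article that still links to those fragments will land at the top of the page instead of the section; the in-page list is updated in this hunk, but inbound links from other articles are not, so grep the repo for `#bkmk-editapppol` before merging. Also, the intro sentence "You must create one rule collection from two or more policies" doesn't say what is being combined; reword it to say that merging combines the rules of the source policies into one policy.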
@ -38,7 +36,8 @@ AppLocker provides a feature to export and import AppLocker policies as an XML f
After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
>**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC. > [!IMPORTANT]
> Importing a policy onto another PC will overwrite the existing policy on that PC.
### Step 3: Use AppLocker to modify and test the rule ### Step 3: Use AppLocker to modify and test the rule
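Review bot: the alert that importing a policy overwrites the existing policy on the target PC was a Caution and is now `> [!IMPORTANT]`; Learn markdown also supports `> [!CAUTION]`, which keeps the original severity for a destructive action, so prefer that here (and in the matching block in the Local Security Policy section) unless the style guide forbids it.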
@ -47,12 +46,10 @@ AppLocker provides ways to modify, delete, or add rules to a policy by modifying
- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). - For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
- For procedures to create rules, see: - For procedures to create rules, see:
- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
- [Enable the DLL rule collection](enable-the-dll-rule-collection.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
- For information on the steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). - For information on the steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
- For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). - For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
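Review bot: the last bullet of Step 3 ("For procedures to export the updated policy from the reference computer back into the GPO, see ...") repeats, word for word, the paragraph that opens the following step, so the reader is told the same thing twice in a row; drop the bullet and keep the paragraph under the export step.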
@ -60,11 +57,13 @@ AppLocker provides ways to modify, delete, or add rules to a policy by modifying
For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
>**Caution:** You should never edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed run, making changes to a live policy can create unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). > [!IMPORTANT]
> You should avoid editing an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior. For info about testing policies, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md).
>**Note:** If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy. > [!NOTE]
> If you are performing these steps by using Microsoft Advanced Group Policy Management (AGPM), check out the GPO before exporting the policy.
## <a href="" id="bkmk-editapplolnotingpo"></a>Editing an AppLocker policy by using the Local Security Policy snap-in ## Editing an AppLocker policy by using the Local Security Policy snap-in
The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks. The steps to edit an AppLocker policy distributed by using the Local Security Policy snap-in (secpol.msc) include the following tasks.
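Review bot: "You should never edit an AppLocker rule collection while it is being enforced" becomes "You should avoid editing", which softens a safety statement whose justification in the same sentence (AppLocker controls what files are allowed to run, so a live change can block or allow the wrong files) hasn't changed; keep "never" or "don't", and consider `> [!CAUTION]` rather than `> [!IMPORTANT]` for the same reason. The fix of "allowed run" to "allowed to run" is good.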
@ -74,7 +73,8 @@ On the PC where you maintain policies, open the AppLocker snap-in from the Local
After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
>**Caution:** Importing a policy onto another PC will overwrite the existing policy on that PC. > [!IMPORTANT]
> Importing a policy onto another PC will overwrite the existing policy on that PC.
### Step 2: Identify and modify the rule to change, delete, or add ### Step 2: Identify and modify the rule to change, delete, or add
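Review bot: this `[!IMPORTANT]` block is the same overwrite warning as in the Group Policy section above; whichever alert type is chosen there (`[!CAUTION]` would match the original severity), use the same one here so the two sections stay consistent.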
@ -83,7 +83,6 @@ AppLocker provides ways to modify, delete, or add rules to a policy by modifying
- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). - For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md).
- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md).
- For procedures to create rules, see: - For procedures to create rules, see:
- [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
- [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) - [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
- [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
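Review bot: the create-rules list in this Local Security Policy section stops at the file hash condition, while the same list in the Group Policy section earlier in the file also links "Enable the DLL rule collection"; if that omission isn't deliberate, add the DLL link here too so both editing paths describe the same rule types. The hunk header shows one line removed with no visible replacement, so confirm that only trailing whitespace was dropped.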

View File

@ -1,52 +1,49 @@
--- ---
title: Edit AppLocker rules title: Edit AppLocker rules
description: This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. description: This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Edit AppLocker rules # Edit AppLocker rules
>[!NOTE] This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.
For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). For more info about these rule types, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
**To edit a publisher rule** ## To edit a publisher rule
1. Open the AppLocker console, and then click the appropriate rule collection. 1. Open the AppLocker console, and then select the appropriate rule collection.
2. In the **Action** pane, right-click the publisher rule, and then click **Properties**. 2. In the **Action** pane, right-click the publisher rule, and then select **Properties**.
3. Click the appropriate tab to edit the rule properties. 3. Select the appropriate tab to edit the rule properties.
- Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply. - Select the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply.
- Click the **Publisher** tab to configure the certificate's common name, the product name, the file name, or file version of the publisher. - Select the **Publisher** tab to configure the certificate's common name, the product name, the file name, or file version of the publisher.
- Click the **Exceptions** tab to create or edit exceptions. - Select the **Exceptions** tab to create or edit exceptions.
- When you finish updating the rule, click **OK**. - When you finish updating the rule, select **OK**.
**To edit a file hash rule** ## To edit a file hash rule
1. Open the AppLocker console, and then click the appropriate rule collection. 1. Open the AppLocker console, and then select the appropriate rule collection.
2. Choose the appropriate rule collection. 2. Choose the appropriate rule collection.
3. In the **Action** pane, right-click the file hash rule, and then click **Properties**. 3. In the **Action** pane, right-click the file hash rule, and then select **Properties**.
4. Click the appropriate tab to edit the rule properties. 4. Select the appropriate tab to edit the rule properties.
- Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. - Select the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply.
- Click the **File Hash** tab to configure the files that should be used to enforce the rule. You can click **Browse Files** to add a specific file or click **Browse Folders** to add all files in a specified folder. To remove hashes individually, click **Remove**. - Select the **File Hash** tab to configure the files that should be used to enforce the rule. You can select **Browse Files** to add a specific file or select **Browse Folders** to add all files in a specified folder. To remove hashes individually, select **Remove**.
- When you finish updating the rule, click **OK**. - When you finish updating the rule, select **OK**.
**To edit a path rule** ## To edit a path rule
1. Open the AppLocker console, and then click the appropriate rule collection. 1. Open the AppLocker console, and then select the appropriate rule collection.
2. Choose the appropriate rule collection. 2. Choose the appropriate rule collection.
3. In the **Action** pane, right-click the path rule, and then click **Properties**. 3. In the **Action** pane, right-click the path rule, and then select **Properties**.
4. Click the appropriate tab to edit the rule properties. 4. Select the appropriate tab to edit the rule properties.
- Click the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply. - Select the **General** tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group in which this rule should apply.
- Click the **Path** tab to configure the path on the computer in which the rule should be enforced. - Select the **Path** tab to configure the path on the computer in which the rule should be enforced.
- Click the **Exceptions** tab to create exceptions for specific files in a folder. - Select the **Exceptions** tab to create exceptions for specific files in a folder.
- When you finish updating the rule, click **OK**. - When you finish updating the rule, select **OK**.
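Review bot: in "To edit a file hash rule" and "To edit a path rule", step 1 ("Open the AppLocker console, and then select the appropriate rule collection") and step 2 ("Choose the appropriate rule collection") say the same thing, so both procedures carry a redundant step; since step 1 is being reworded anyway, drop step 2 and renumber, matching the three-step publisher procedure. Separately, the `[!NOTE]` about Windows Defender Application Control feature availability is removed here and in the other articles in this commit; confirm that the version-availability caveat still lives somewhere a reader of this page reaches.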

View File

@ -1,27 +1,25 @@
--- ---
title: Enable the DLL rule collection title: Enable the DLL rule collection
description: This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. description: This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Enable the DLL rule collection # Enable the DLL rule collection
>[!NOTE] This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.
The DLL rule collection includes the .dll and .ocx file formats. The DLL rule collection includes the .dll and .ocx file formats.
For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md). For info about these rules, see [DLL rules in AppLocker](dll-rules-in-applocker.md).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins).
**To enable the DLL rule collection** ## To enable the DLL rule collection
1. From the AppLocker console, right-click **AppLocker**, and then click **Properties.**
2. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**.
>**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. 1. From the AppLocker console, right-click **AppLocker**, and then select **Properties.**
2. Select the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then select **OK**.
> [!IMPORTANT]
> Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps.
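Review bot: step 1 keeps the period inside the bold UI label ("**Properties.**"); move it outside ("**Properties**.") as in the other procedures. Also, the `[!IMPORTANT]` alert that every DLL used by an allowed app needs its own allow rule is the one thing an admin must know before enabling this collection, yet it sits after step 2; put it before the steps so it is read before the check box is selected rather than after.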

View File

@ -3,15 +3,12 @@ title: Maintain AppLocker policies
description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies. description: Learn how to maintain rules within AppLocker policies. View common AppLocker maintenance scenarios and see the methods to use to maintain AppLocker policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 12/31/2017 ms.date: 12/19/2023
--- ---
# Maintain AppLocker policies # Maintain AppLocker policies
>[!NOTE] This article describes how to maintain rules within AppLocker policies.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic describes how to maintain rules within AppLocker policies.
Common AppLocker maintenance scenarios include: Common AppLocker maintenance scenarios include:
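Review bot: the removed WDAC feature-availability note was the only place this article mentioned version differences; if that caveat isn't restated elsewhere, keep it. Minor: the new intro sentence duplicates the `description` front matter almost verbatim, and `ms.date` here is 12/19/2023 while the sibling articles in this commit use 12/20 and 12/21; if the dates are meant to reflect this change, set them to the same publish date.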
@ -24,27 +21,28 @@ Common AppLocker maintenance scenarios include:
There are three methods you can use to maintain AppLocker policies: There are three methods you can use to maintain AppLocker policies:
- [Maintaining AppLocker policies by using Mobile Device Management (MDM)](#bkmk-applkr-use-mdm) - [Maintaining AppLocker policies by using Mobile Device Management (MDM)](#maintaining-applocker-policies-by-using-mobile-device-management-mdm)
- [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp) - [Maintaining AppLocker policies by using Group Policy](#maintaining-applocker-policies-by-using-group-policy)
- [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin) - [Maintaining AppLocker policies on the local computer](#maintaining-applocker-policies-by-using-the-local-security-policy-snap-in)
## Maintaining AppLocker policies by using Mobile Device Management (MDM)
## <a href="" id="bkmk-applkr-use-mdm"></a>Maintaining AppLocker policies by using Mobile Device Management (MDM)
Using the AppLocker configuration service provider, you can select which apps are allowed or blocked from running. Using the CSP, you can configure app restrictions based on grouping (such as EXE, MSI, DLL, Store apps and more) and then chose how to enforce different policies for different apps. Using the AppLocker configuration service provider, you can select which apps are allowed or blocked from running. Using the CSP, you can configure app restrictions based on grouping (such as EXE, MSI, DLL, Store apps and more) and then chose how to enforce different policies for different apps.
For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp).
## <a href="" id="bkmk-applkr-use-gp"></a>Maintaining AppLocker policies by using Group Policy ## Maintaining AppLocker policies by using Group Policy
For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks. For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. As new apps are deployed, and existing apps are updated or retired, you might need to update the rules in the Group Policy Object (GPO) to keep your policy current.
You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs.
versions of GPOs.
>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. > [!IMPORTANT]
> You should avoid editing an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can cause unexpected behavior.
### Step 1: Understand the current behavior of the policy ### Step 1: Understand the current behavior of the policy from the GPO
Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app. Before modifying a policy, evaluate how the policy is currently implemented. For example, if a new version of the application is deployed, you can use **Test-AppLockerPolicy** to verify the effectiveness of your current policy for that app.
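Review bot: the third link in the method list keeps the text "Maintaining AppLocker policies on the local computer" but now targets the heading "Maintaining AppLocker policies by using the Local Security Policy snap-in"; make the link text match the heading so readers can find the section. Also, the unchanged MDM paragraph reads "then chose how to enforce"; fix it to "choose" while this file is open.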
@ -54,7 +52,7 @@ Updating an AppLocker policy that is currently enforced in your production envir
### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule ### Step 3: Update the AppLocker policy by editing the appropriate AppLocker rule
After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. After you export the AppLocker policy from the GPO into the AppLocker reference or test computer, or access the policy on the local computer, the rules can be modified as required.
To modify AppLocker rules, see the following articles: To modify AppLocker rules, see the following articles:
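Review bot: the rewritten sentence switches voice midway ("After you export the AppLocker policy ... the rules can be modified as required"); finish it in the active voice, "you can modify the specific rules as required", which also keeps the word "specific" from the original.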
@ -72,9 +70,11 @@ You should test each collection of rules to ensure that the rules perform as int
After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). After testing, import the AppLocker policy back into the GPO for implementation. To update the GPO with a modified AppLocker policy, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
### Step 6: Monitor the resulting policy behavior ### Step 6: Monitor the resulting policy behavior
After deploying a policy, evaluate the policy's effectiveness. After deploying a policy, evaluate the policy's effectiveness.
## <a href="" id="bkmk-applkr-use-locsnapin"></a>Maintaining AppLocker policies by using the Local Security Policy snap-in ## Maintaining AppLocker policies by using the Local Security Policy snap-in
For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks. For every scenario, the steps to maintain an AppLocker policy by using the Local Group Policy Editor or the Local Security Policy snap-in include the following tasks.
### Step 1: Understand the current behavior of the policy ### Step 1: Understand the current behavior of the policy
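Review bot: Step 6, "After deploying a policy, evaluate the policy's effectiveness", stays a single sentence and gives the reader nothing concrete to do, unlike Step 1, which names Test-AppLockerPolicy; since this is the step where the outcome of the change is checked, either say what to review or link to the testing procedure so the step is actionable.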
@ -85,7 +85,7 @@ Before modifying a policy, evaluate how the policy is currently implemented.
Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules don't allow users to open or run any files that aren't allowed.
To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md). To modify AppLocker rules, see the appropriate article listed on [Administer AppLocker](administer-applocker.md).
### Step 3: Test the AppLocker policy ### Step 3: Test the AppLocker policy
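Review bot: the unchanged sentence "By default, AppLocker rules don't allow users to open or run any files that aren't allowed" is circular; the packaged-apps article in this same commit states the actual default (a collection with no rules allows every file it covers), so reword along the lines of "once a rule collection contains any rules, files not allowed by a rule in that collection are blocked", which is the behaviour the maintenance scenarios depend on.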

View File

@ -3,34 +3,28 @@ title: Manage packaged apps with AppLocker
description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy. description: Learn concepts and lists procedures to help you manage packaged apps with AppLocker as part of your overall application control strategy.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/20/2023
--- ---
# Manage packaged apps with AppLocker # Manage packaged apps with AppLocker
>[!NOTE] This article for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
## Understanding Packaged apps and Packaged app installers for AppLocker ## Understanding Packaged apps and Packaged app installers for AppLocker
Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. Packaged apps are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. With packaged apps, it's possible to control the entire app by using a single AppLocker rule.
With packaged apps, it's possible to control the entire app by using a single AppLocker rule.
> [!NOTE] > [!NOTE]
> AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. > AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps.
Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software's publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule. Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, not all these components always share common attributes such as the software's publisher name, product name, and product version. Therefore, AppLocker controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
### <a href="" id="bkmk-compareclassicmetro"></a>Comparing classic Windows apps and packaged apps ### Comparing classic Windows apps and packaged apps
AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
- **Installing the apps** All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. - **Installing the apps** - All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might need fewer exe rules (because classic Windows apps require administrative privileges to install), but you might need more rules for packaged apps.
- **Changing the system state** Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes. - **Changing the system state** - Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes.
- **Acquiring the apps** Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means.
AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both.
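Review bot: the "Acquiring the apps" bullet is deleted without a replacement, so the list introduced as "differences between packaged apps and classic Windows apps that you should consider" now covers installation and system-state changes but no longer says that packaged apps arrive through the Store or by sideloading while classic apps arrive through traditional means. If dropping the enterprise-license detail was the goal, keep a one-line bullet such as "- **Acquiring the apps** - Packaged apps can be acquired through the Store or sideloaded with Windows PowerShell cmdlets; classic Windows apps can be acquired through traditional means." The new opening sentence also drops the minimum OS versions for packaged app rules (Windows Server 2012 / Windows 8), which is fine only if the support matrix is stated elsewhere in the article.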
@ -52,11 +46,11 @@ For info about creating rules for Packaged apps, see [Create a rule for packaged
Consider the following info when you're designing and deploying apps: Consider the following info when you're designing and deploying apps:
- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps isn't necessary. - Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps isn't necessary.
- You can't create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps weren't always consistently signed; therefore, AppLocker has to support hash- or path-based rules. - You don't need to create hash- or path-based rules for packaged apps because the software publisher must sign all packaged apps and packaged app installers. Classic Windows apps weren't always consistently signed; therefore, AppLocker has to support hash- or path-based rules.
- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 wouldn't have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or - By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run.
Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app, which is contrary to your design.
To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. > [!NOTE]
> By default AppLocker blocks all packaged apps if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection.
## Using AppLocker to manage packaged apps ## Using AppLocker to manage packaged apps
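Review bot: "You don't need to create hash- or path-based rules for packaged apps" contradicts the bullet directly above it, which states that AppLocker supports only publisher rules for packaged apps; "don't need to" implies the option exists. Suggest keeping the original "You can't create hash- or path-based rules for packaged apps because ..." or "AppLocker doesn't support hash- or path-based rules for packaged apps because ...". The relocated NOTE also drops the "running at least Windows Server 2012 or Windows 8" qualifier and the domain-join scenario that explained why packaged apps are blocked by default once exe rules exist; confirm that losing the rationale is intended, since the remaining sentence reads as an arbitrary default.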

@ -1,29 +1,26 @@
--- ---
title: Monitor app usage with AppLocker title: Monitor app usage with AppLocker
description: This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. description: This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/19/2023
--- ---
# Monitor app usage with AppLocker # Monitor app usage with AppLocker
>[!NOTE] This article for IT professionals describes how to monitor app usage when AppLocker policies are applied.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. After you deploy AppLocker policies, monitor its effect on devices to ensure the results are what you expected.
Once you set rules and deploy the AppLocker policies, it's a good practice to determine if the policy implementation is what you expected. ## Discover the effect of an AppLocker policy
### <a href="" id="bkmk-applkr-disc-effect-pol"></a>Discover the effect of an AppLocker policy You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document helps you track your findings. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
- **Analyze the AppLocker logs in Event Viewer** - **Analyze the AppLocker logs in Event Viewer**
When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. When AppLocker policy enforcement is set to **Enforce rules**, any files that aren't allowed by your policy are blocked. In that case, an event is raised in the AppLocker event log for the rule collection. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
For more information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). For more information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#view-the-applocker-log-in-event-viewer).
- **Enable the Audit only AppLocker enforcement setting** - **Enable the Audit only AppLocker enforcement setting**
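Review bot: the rewritten "Analyze the AppLocker logs in Event Viewer" paragraph implies an event is raised only when a file is blocked ("any files that aren't allowed by your policy are blocked. In that case, an event is raised"), but the Get-AppLockerFileInformation procedure later in this same article queries "-EventType Allowed" events, so allowed files are logged as well. Suggest stating that both allowed and blocked files generate events and that the enforcement setting is recorded in each event (as the Event Viewer section already says: "Event information includes the enforcement setting"), followed by the existing Audit only sentence. The "#view-the-applocker-log-in-event-viewer" fragment replacing "#bkmk-applkr-view-log" matches the new heading, but any other article still linking to the removed bkmk- anchors needs the same update.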
@ -33,54 +30,53 @@ You can evaluate how the AppLocker policy is currently implemented for documenta
- **Review AppLocker events with Get-AppLockerFileInformation** - **Review AppLocker events with Get-AppLockerFileInformation**
For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you're using the audit-only enforcement mode) and how many times the event has occurred for each file. For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files were blocked or would be blocked (if you're using the audit-only enforcement mode) and how many times the block event occurred for each file.
For more information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). For more information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#review-applocker-events-with-get-applockerfileinformation).
- **Review AppLocker events with Test-AppLockerPolicy** - **Review AppLocker events with Test-AppLockerPolicy**
You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections affect files run on your reference device or the device on which you maintain policies.
For more information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). For more information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
### <a href="" id="bkmk-applkr-review-events"></a>Review AppLocker events with Get-AppLockerFileInformation ## Review AppLocker events with Get-AppLockerFileInformation
For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the **Audit only** enforcement setting is applied) and how many times the event has occurred for each file. For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files were blocked or would be blocked (if the **Audit only** enforcement setting is applied) and how many times the block event occurred for each file.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
> [!NOTE] > [!NOTE]
> If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. > If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.
**To review AppLocker events with Get-AppLockerFileInformation** ### To review AppLocker events with Get-AppLockerFileInformation
1. At the command prompt, type **PowerShell**, and then press ENTER. 1. At the command prompt, type **PowerShell**, and then select ENTER.
2. Run the following command to review how many times a file would have been blocked from running if rules were enforced: 2. Run the following command to review how many times your AppLocker policy didn't allow a file:
```powershell ```powershell
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
``` ```
3. Run the following command to review how many times a file has been allowed to run or prevented from running: 3. Run the following command to review how many times a file was allowed to run or prevented from running:
```powershell ```powershell
Get-AppLockerFileInformation -EventLog -EventType Allowed -Statistics Get-AppLockerFileInformation -EventLog -EventType Allowed -Statistics
``` ```
### <a href="" id="bkmk-applkr-view-log"></a>View the AppLocker Log in Event Viewer ## View the AppLocker Log in Event Viewer
When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. When AppLocker policy enforcement is set to **Enforce rules**, any files that aren't allowed by your policy are blocked. In that case, an event is raised in the AppLocker event log for the rule collection. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
**To view events in the AppLocker log by using Event Viewer** ### To view events in the AppLocker log by using Event Viewer
1. To open Event Viewer, go to the **Start** menu, type **eventvwr.msc**, and then select ENTER. 1. To open Event Viewer, go to the **Start** menu, type **eventvwr.msc**, and then select ENTER.
2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**.
AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file formats for further analysis.
formats for further analysis.
## Related topics ## Related articles
- [AppLocker](applocker-overview.md) - [AppLocker](applocker-overview.md)
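Review bot: the step descriptions don't match the commands in the Get-AppLockerFileInformation procedure. Step 2 runs "-EventType Audited", which returns only audit-mode events, so the original wording "how many times a file would have been blocked from running if rules were enforced" is more precise than "how many times your AppLocker policy didn't allow a file". Step 3 runs "-EventType Allowed" yet is described as "allowed to run or prevented from running"; either describe it as allowed events only or add a second command using "-EventType Denied" for files blocked under Enforce rules. The same "In that case, an event is raised" sentence is repeated in "View the AppLocker Log in Event Viewer" and has the same allowed-events gap as the earlier paragraph.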

@ -1,28 +1,24 @@
--- ---
title: Optimize AppLocker performance title: Optimize AppLocker performance
description: This topic for IT professionals describes how to optimize AppLocker policy enforcement. description: This article for IT professionals describes how to optimize AppLocker policy enforcement.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/19/2023
--- ---
# Optimize AppLocker performance # Optimize AppLocker performance
>[!NOTE] This article for IT professionals describes how to optimize AppLocker policy enforcement.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes how to optimize AppLocker policy enforcement.
## Optimization of Group Policy ## Optimization of Group Policy
AppLocker policies can be implemented by organization unit (OU) using Group Policy. If so, your Group Policy infrastructure should be optimized and retested for performance when AppLocker policies are added to existing Group Policy Objects (GPOs) or new GPOs are created, as you do with adding any policies to your GPOs. You can implement AppLocker policies by organization unit (OU) using Group Policy. When adding policies to Group Policy Objects (GPO), including AppLocker policies, you should retest and optimize for performance if needed.
For more info, see the [Optimizing Group Policy Performance](/previous-versions/technet-magazine/cc137720(v=msdn.10)) article in TechNet Magazine. For more info, see the [Optimizing Group Policy Performance](/previous-versions/technet-magazine/cc137720(v=msdn.10)) article in TechNet Magazine.
### AppLocker rule limitations ### AppLocker rule limitations
The more rules per GPO, the longer AppLocker requires for evaluation. There is no set limitation on the number of rules per GPO, but the number of rules that can fit into a 100 MB GPO varies based on the complexity of the rule, such as the number of file hashes included in a single file hash The more rules per GPO, the longer AppLocker requires for evaluation. Although there's no set limitation on the number of AppLocker rules per GPO, the size of your GPOs can vary based on the types of rules you create. For example, a policy consisting mainly of file hash rules requires many more rules than ones that use signature-based rules where possible.
condition.
### Using the DLL rule collection ### Using the DLL rule collection
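Review bot: "organization unit (OU)" should be "organizational unit (OU)" in the Optimization of Group Policy paragraph; the typo carries over from the old text. In the rule limitations paragraph, the rewrite drops the 100 MB GPO figure and the explanation that size is driven by the number of file hashes in a single hash condition; the replacement says hash-rule policies "require many more rules" but not why, so consider adding that a hash rule covers a single file whereas a publisher rule covers every file from that publisher and product.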

@ -0,0 +1,38 @@
---
title: AppLocker rule collection extensions
description: This article describes the RuleCollectionExtensions added in Windows 10.
ms.collection:
- tier3
- must-keep
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 12/19/2023
---
# AppLocker rule collection extensions
This article describes the rule collection extensions added in Windows 10 or later. Rule collection extensions are optional features available only for the EXE and DLL rule collections. Configure rule collection extensions by directly editing your AppLocker policy XML as shown in the following XML fragment.
```xml
<RuleCollectionExtensions>
<ThresholdExtensions>
<Services EnforcementMode="Enabled"/>
</ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions>
```
> [!IMPORTANT]
> When adding any rule collection extensions to your AppLocker policy, you must include both the *ThresholdExtensions* and *RedstoneExtensions* or your policy will cause unexpected behavior.
## Services enforcement
By default, AppLocker policy only applies to code running in a user's context. On Windows 10, Windows 11, and Windows Server 2016 or later, you can apply AppLocker policy to nonuser processes, including services running as SYSTEM. You must enable services enforcement when using AppLocker with Windows Defender Application Control's (WDAC) [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) feature.
To apply AppLocker policy to nonuser processes, set ``<Services EnforcementMode="Enabled"/>`` in the ``<ThresholdExtensions>`` section as shown in the preceding XML fragment.
## System apps
When using AppLocker to control nonuser processes, your policy must allow all Windows system code or your device night behave unexpectedly. To automatically allow all system code that is part of Windows, set ``<SystemApps Allow="Enabled"/>`` in the ``<RedstoneExtensions>`` section as shown in the preceding XML fragment.
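Review bot: typo in the System apps section: "your device night behave unexpectedly" should be "might behave unexpectedly". The intro says the extensions were "added in Windows 10 or later" while the Services enforcement section lists Windows 10, Windows 11, and Windows Server 2016 or later; align the two so server support is stated up front. Since the IMPORTANT note says both ThresholdExtensions and RedstoneExtensions must be present, it would help to say explicitly that the XML fragment shown is the minimal form to copy rather than two independent options.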

@ -1,38 +1,37 @@
--- ---
title: Run the Automatically Generate Rules wizard title: Run the Automatically Generate Rules wizard
description: This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. description: This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/21/2023
--- ---
# Run the Automatically Generate Rules wizard # Run the Automatically Generate Rules wizard
>[!NOTE] This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. AppLocker allows you to automatically generate rules for all files within a folder. It scans the specified folder and create the condition types that you choose for each file in that folder.
AppLocker allows you to automatically generate rules for all files within a folder. It will scan the specified folder and create the condition types that you choose for each file in that folder. To manage an AppLocker policy in a Group Policy Object (GPO), you can perform this task by using the Group Policy Management Console. To manage an AppLocker policy for the local computer or for use in a security template, use the Local Security Policy snap-in. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker).
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local device or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). ## To automatically generate rules
**To automatically generate rules**
1. Open the AppLocker console. 1. Open the AppLocker console.
2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. 2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules.
3. Click **Automatically Generate Rules**. 3. Select **Automatically Generate Rules**.
4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this folder is the Program Files folder. 4. On the **Folder and Permissions** page, select **Browse** to choose the folder to be analyzed. By default, this folder is the Program Files folder.
5. Click **Select** to choose the security group in which the default rules should be applied. By default, this group is the **Everyone** group. 5. Select **Select** to choose the security group in which the default rules should be applied. By default, this group is the **Everyone** group.
6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you've selected. Accept the provided name or type a different name, and then click **Next**. 6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder selected. Accept the provided name or type a different name, and then select **Next**.
7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). 7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then select **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md).
>**Note:** The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: > [!NOTE]
> The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select:
- One publisher condition is created for all files that have the same publisher and product name. - One publisher condition is created for all files that have the same publisher and product name.
- One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder aren't signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder aren't signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**.
- One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file. - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file.
8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. 8. Review the files that were analyzed and the rules created. To make changes, select **Previous** to return to the page where you can change your selections. After reviewing the rules, select **Create**.
>**Note:** If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules, which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules. > [!NOTE]
> If you are running the wizard to create your first rules for a GPO, you will be prompted to create the default rules which allow critical system files to run, after completing the wizard. You may edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after replacing them with your custom rules.
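Review bot: subject-verb agreement in the new intro: "It scans the specified folder and create the condition types" should read "creates". Step 5, "Select **Select** to choose the security group", reads awkwardly after the Click-to-Select substitution; "Choose **Select**" avoids the doubled word. The updated link to "administer-applocker.md#using-the-mmc-snap-ins-to-administer-applocker" relies on that heading existing in the target article, so confirm it was changed in this same PR since the old "#bkmk-using-snapins" anchor is being removed.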

@ -1,52 +1,50 @@
--- ---
title: Test and update an AppLocker policy title: Test and update an AppLocker policy
description: This topic discusses the steps required to test an AppLocker policy prior to deployment. description: This article discusses the steps required to test an AppLocker policy prior to deployment.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/19/2023
--- ---
# Test and update an AppLocker policy # Test and update an AppLocker policy
>[!NOTE] This article discusses the steps required to test an AppLocker policy prior to deployment.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic discusses the steps required to test an AppLocker policy prior to deployment. You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) containing AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
You should test each set of rules to ensure that the rules perform as intended. If you use Group Policy to manage AppLocker policies, complete the following steps for each Group Policy Object (GPO) where you have created AppLocker rules. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules for simultaneous testing in all of your test GPOs.
## Step 1: Enable the Audit only enforcement setting ## Step 1: Enable the Audit only enforcement setting
By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). Use the **Audit only** enforcement mode setting to verify your AppLocker rules are properly configured for your organization without blocking any code. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
## Step 2: Configure the Application Identity service to start automatically ## Step 2: Configure the Application Identity service to start automatically
Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For information on the procedure to do this configuration, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that aren't managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For more information, see [Configure the Application Identity Service](configure-the-application-identity-service.md). If you don't deploy your AppLocker policies using a GPO, you must ensure that the service is running on each PC in order for the policies to apply.
## Step 3: Test the policy ## Step 3: Test the policy
Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PCs that are configured to receive your AppLocker policy. Test the AppLocker policy to determine if your rule collection needs to be modified. Your AppLocker policy should be active in audit mode only on all client PCs configured to receive your AppLocker policy.
The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the code run on your reference PCs is blocked by the rules in your rule collection. For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md).
## Step 4: Analyze AppLocker events ## Step 4: Analyze AppLocker events
You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis.
**To manually analyze AppLocker events** ### To manually analyze AppLocker events
You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you haven't configured an event subscription, then you'll have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). Use Event Viewer or a text editor to view and sort your AppLocker events for analysis. You might look for patterns in application usage events, access frequencies, or access by user groups. If you don't have an event subscription configured, you can review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md).
**To analyze AppLocker events by using Get-AppLockerFileInformation** ### To analyze AppLocker events by using Get-AppLockerFileInformation
You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem.
For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you're using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For information on the procedure to do this monitoring, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files weren't allowed by your policy and how many times the event occurred for each file. For information on the procedure to do this monitoring, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this blocker GPO, you can use the Group Policy Results Wizard to view rule names. Next, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this blocker GPO, you can use the Group Policy Results Wizard to view rule names.
## Step 5: Modify the AppLocker policy ## Step 5: Modify the AppLocker policy
After you've identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that aren't managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). Once you know what rules you want to edit or add to the policy, use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. If you don't manage your AppLocker policies by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md).
## Step 6: Repeat policy testing, analysis, and policy modification ## Step 6: Repeat policy testing, analysis, and policy modification
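Review bot: In the rewritten Step 5 paragraph, "If you don't manage your AppLocker policies by a GPO" should read "with a GPO" (or "through Group Policy"), and the retained sentence "For info how to modify an AppLocker policy, see, [Edit an AppLocker policy]" still carries the missing "about" and the stray comma after "see" from the old text; suggest "For info about how to modify an AppLocker policy, see [Edit an AppLocker policy](edit-an-applocker-policy.md)." Also, the rewritten Step 4 paragraph now opens with "Next, you should review your rule list" directly after a paragraph that ends in a link, so the step it follows is no longer stated; "After you identify the files that weren't allowed, review your rule list..." keeps the sequence explicit.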

View File

@ -1,39 +0,0 @@
---
title: Use AppLocker and Software Restriction Policies in the same domain
description: This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 11/07/2022
---
# Use AppLocker and Software Restriction Policies in the same domain
This article for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker.
> [!IMPORTANT]
> Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and above, and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs.
## Using AppLocker and Software Restriction Policies in the same domain
AppLocker is supported on systems running Windows 8.1. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.
The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker.
|Application control function|SRP|AppLocker|
|--- |--- |--- |
|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to Windows Server 2008 R2, Windows 7, and later.|
|Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.<br/><br/>AppLocker permits customization of error messages to direct users to a Web page for help.|
|Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.|
|Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.|
|Enforcement mode|SRP works in the "blocklist mode" where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.<br/><br/>SRP can also be configured in the "allowlist mode" so that by default all files are blocked. In "allowlist mode", administrators need to create allow rules for files that they want to run.|AppLocker by default works in the "allowlist mode" where only those files are allowed to run for which there's a matching allow rule.|
|File types that can be controlled|SRP can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<br/><br/>SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:<li>Executables<li>Dlls<li>Scripts<li>Windows Installers<li>Packaged apps and installers<br/><br/>AppLocker maintains a separate rule collection for each of the five file types.|
|Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:<li>Executables (.exe, .com)<li>Dlls (.ocx, .dll)<li>Scripts (.vbs, .js, .ps1, .cmd, .bat)<li>Windows Installers (.msi, .mst, .msp)<li>Packaged app installers (.appx)|
|Rule types|SRP supports four types of rules:<li>Hash<li>Path<li>Signature<li>Internet zone|AppLocker supports three types of rules:<li>File hash<li>Path<li>Publisher|
|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.<br/><br/>Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, and not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.|
|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.<br/><br/>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.|
|Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.|
|Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.|
|Support for rule exceptions|SRP doesn't support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as "Allow everything from Windows except for regedit.exe".|
|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.|
|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.|
|Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.|
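Review bot: Deleting the whole "Use AppLocker and Software Restriction Policies in the same domain" article drops its comparison table, and some security-relevant facts in that table appear nowhere else in this patch: the "Rule enforcement" row (AppLocker enforces .exe and .dll rules in kernel mode, SRP enforces in user mode) and the "Enforcement mode" row (AppLocker is allowlist by default, SRP is blocklist by default). The SHA2 Authenticode hash statement from the "Editing the hash value" row is partly carried over by the new "File hash" bullet in the "Working with AppLocker rules" change, but the kernel-mode enforcement point is not. Suggest confirming those facts survive in the remaining AppLocker articles or moving them into "Working with AppLocker rules", and checking for inbound links to the deleted article (the deprecation note cites Windows 10 build 1803, so older guidance may still link here).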

View File

@ -1,31 +1,26 @@
--- ---
title: Use the AppLocker Windows PowerShell cmdlets title: Use the AppLocker Windows PowerShell cmdlets
description: This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. description: This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/21/2017 ms.date: 12/19/2023
--- ---
# Use the AppLocker Windows PowerShell cmdlets # Use the AppLocker Windows PowerShell cmdlets
>[!NOTE] This article for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies.
## AppLocker Windows PowerShell cmdlets ## AppLocker Windows PowerShell cmdlets
The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used in conjunction with the AppLocker user interface that is accessed through the The five AppLocker cmdlets are designed to streamline the administration of an AppLocker policy. They can be used to help create, test, maintain, and troubleshoot an AppLocker policy. The cmdlets are intended to be used along with the AppLocker user interface that is accessed through the Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console.
Microsoft Management Console (MMC) snap-in extension to the Local Security Policy snap-in and Group Policy Management Console.
To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the To edit or update a Group Policy Object (GPO) by using the AppLocker cmdlets, you must have Edit Setting permission. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. To perform tasks by using the Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer.
Local Security policy snap-in, you must be a member of the local **Administrators** group, or equivalent, on the computer.
### Retrieve application information ### Retrieve application information
The [Get-AppLockerFileInformation](/powershell/module/applocker/get-applockerfileinformation) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. The [Get-AppLockerFileInformation](/powershell/module/applocker/get-applockerfileinformation) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information.
File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information. File information from an event log might not contain all of these fields. Files that aren't signed don't have any publisher information.
### Set AppLocker policy ### Set AppLocker policy
@ -37,8 +32,7 @@ The [Get-AppLockerPolicy](/powershell/module/applocker/get-applockerpolicy) cmdl
### Generate rules for a given user or group ### Generate rules for a given user or group
The [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the The [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) cmdlet uses a list of file information to automatically generate rules for a given user or group. It can generate rules based on publisher, hash, or path information. Use **Get-AppLockerFileInformation** to create the list of file information.
list of file information.
### Test the AppLocker Policy against a file set ### Test the AppLocker Policy against a file set
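Review bot: Capitalization of the snap-in name is inconsistent within the merged paragraphs: "Local Security Policy snap-in" in the cmdlets overview versus "Local Security policy snap-in" in the permissions paragraph. The old text had the same inconsistency, but since both lines are being rewritten to join their split halves anyway, normalize to "Local Security Policy snap-in" in both. Dropping the WDAC feature-availability note is reasonable here, since the article covers the AppLocker cmdlets rather than WDAC.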

View File

@ -1,58 +0,0 @@
---
title: Use Software Restriction Policies and AppLocker policies
description: This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
ms.localizationpriority: medium
ms.topic: conceptual
ms.date: 09/21/2017
---
# Use Software Restriction Policies and AppLocker policies
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
## Understand the difference between SRP and AppLocker
You might want to deploy application control policies in Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported versions and editions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). However, you can use SRP on those supported editions of Windows plus Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see [Determine your application control objectives](determine-your-application-control-objectives.md).
## Use SRP and AppLocker in the same domain
SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they're applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md).
>**Important:** As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.
The following scenario provides an example of how each type of policy would affect a bank teller software app, where the app is deployed on different Windows desktop operating systems and managed by the Tellers GPO.
| Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP |
| - | - | - | - |
| Windows 10, Windows 8.1, Windows 8, and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.|
| Windows Vista| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|
| Windows XP| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.|
>**Note:** For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md).
## Test and validate SRPs and AppLocker policies that are deployed in the same environment
Because SRPs and AppLocker policies function differently, they shouldn't be implemented in the same GPO. This rule, when implemented, makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools.
### Step 1: Test the effect of SRPs
You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRPs by using GPOs.
### Step 2: Test the effect of AppLocker policies
You can test AppLocker policies by using Windows PowerShell cmdlets. For info about investigating the result of a policy, see:
- [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
- [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
Another method to use when determining the result of a policy is to set the enforcement mode to **Audit only**. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For info about using the **Audit only** mode, see:
- [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
## See also
- [AppLocker deployment guide](applocker-policies-deployment-guide.md)
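Review bot: The removed article's precedence table is the only place in this patch that states how GPO-delivered AppLocker policies interact with SRP policies on Windows 7 and later (AppLocker policies in the GPO supersede both the SRP policies in the GPO and any local policies) and that AppLocker policies are not applied on Windows Vista and Windows XP. The "Use SRP and AppLocker in the same domain" section defers to the Group Policy inheritance article for this behaviour; confirm that article still covers it before the table is gone. The "See also" entry points to the deployment guide, so check the guide for a link back to this article that now needs removing.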

View File

@ -1,83 +1,71 @@
--- ---
title: Working with AppLocker rules title: Working with AppLocker rules
description: This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. description: This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
ms.localizationpriority: medium ms.localizationpriority: medium
msauthor: v-anbic msauthor: jsuther
ms.date: 08/27/2018 ms.date: 12/21/2023
ms.topic: conceptual ms.topic: conceptual
--- ---
# Working with AppLocker rules # Working with AppLocker rules
>[!NOTE] This article for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies.
## In this section
| Topic | Description |
| - | - |
| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a file hash condition.|
| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.|
| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.|
| [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.|
| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.|
| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.|
| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.|
| [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.|
| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.|
| [Enforce AppLocker rules](enforce-applocker-rules.md) | This topic for IT professionals describes how to enforce application control rules by using AppLocker.|
| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|
The three AppLocker enforcement modes are described in the following table. The enforcement mode setting defined here can be overwritten by the setting derived from a linked Group Policy Object (GPO) with a higher precedence.
| Enforcement mode | Description |
| - | - |
| **Not configured** | This is the default setting, which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.|
| **Enforce rules** | Rules are enforced.|
| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection aren't enforced|
When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged, and the enforcement mode setting of the winning GPO is applied.
## Rule collections ## Rule collections
The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. AppLocker policies are organized into rule collections, including executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection.
| Rule collection | Associated file formats | | Rule collection | Associated file formats |
| - | - | | - | - |
| Executable files | .exe<br/>.com| | Executable files | .exe <br/> .com |
| Scripts| .ps1<br/>.bat<br/>.cmd<br/>.vbs<br/>.js| | Scripts| .ps1 <br/> .bat <br/> .cmd <br/> .vbs <br/> .js |
| Windows Installer files | .msi<br/>.msp<br/>.mst| | Windows Installer files | .msi <br/> .msp <br/> .mst |
| Packaged apps and packaged app installers | .appx| | Packaged apps and packaged app installers | .appx |
| DLL files | .dll<br/>.ocx| | DLL files | .dll <br/> .ocx |
>**Important:** If you use DLL rules, you need to create an allow rule for each DLL that is used by all of the allowed apps. > [!NOTE]
> AppLocker rules for executable files actually apply to all portable executable (PE) files, regardless of the file's extension which attackers can easily change. The file extension information listed in the preceding table for executable files is illustrative only.
When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#dll-rule-collection).
The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). > [!Important]
> If you use DLL rules, you need to create an allow rule that covers every DLL used by all allowed apps.
>
> When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. However, this performance impact is usually imperceptible unless a device is already resource constrained.
EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it's a valid PE file. ## Enforcement modes
AppLocker policies set an **enforcement mode** for each rule collection included in the policy. These enforcement modes are described in the following table.
| Enforcement mode | Description |
| - | - |
| **Not configured** | Despite the name, this enforcement mode **doesn't** mean the rules are ignored. On the contrary, if any rules exist in a rule collection that is "not configured", the rules **will be enforced** unless a policy with a higher precedence changes the enforcement mode to Audit only. Since this enforcement mode can be confusing for policy authors, you should avoid using this value in your AppLocker policies. Instead, you should choose explicitly between the remaining two options. |
| **Enforce rules** | Rules are enforced. When a user runs an app affected by an AppLocker rule, the app binary is blocked. Info about the binary is added to the AppLocker event log. |
| **Audit only** | Rules are audited but not enforced. When a user runs an app affected by an AppLocker rule, the app binary is allowed to run. However, the info about the binary is added to the AppLocker event log. The Audit-only enforcement mode helps you identify the apps affected by the policy before the policy is enforced. |
When AppLocker policies are merged, the rules from all the policies are added to the effective policy and a single enforcement mode is selected for each rule collection. If multiple AppLocker policies are applied to a device through Group Policy, the enforcement mode setting applied is selected based on Group Policy precedence. If you apply an AppLocker policy locally using the Set-AppLockerPolicy PowerShell cmdlet with the *-merge* option, the more restrictive enforcement mode is chosen between the existing local policy and the policy being merged.
## Rule conditions ## Rule conditions
Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash. Rule conditions are criteria that help AppLocker identify the apps to which the rule applies. The three primary rule conditions are publisher, path, and file hash.
- [Publisher](#bkmk-publisher): Identifies an app based on its digital signature - [Publisher](#publisher): Identifies an app based on its digital signature
- [Path](#bkmk-path): Identifies an app by its location in the file system of the computer or on the network - [Path](#path): Identifies an app by its location in the file system of the computer or on the network
- [File hash](#bkmk-filehash): Represents the system computed cryptographic hash of the identified file - [File hash](#file-hash): Represents the system computed cryptographic Authenticode hash of the identified file
### <a href="" id="bkmk-publisher"></a>Publisher ### Publisher
This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. If there's executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also include extended attributes, which are obtained from the binary resource. These attributes often include the name of the product, the original file name, and the version number of the file as defined by the publisher. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package.
> **Note:** Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. > [!NOTE]
> Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers.
> >
> **Note:** Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. > Use a publisher rule condition when possible because they are more resilient to app updates as well as a change in the location of files.
When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields. When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields.
>**Note:** To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. > [!NOTE]
> To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider.
The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options: The **File version** and **Package version** control whether a user can run a specific version, earlier versions, or later versions of the app. You can choose a version number and then configure the following options:
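Review bot: In the merged note near the end of this hunk, "Use a publisher rule condition when possible because they are more resilient" pairs a singular subject with a plural pronoun; write either "Use publisher rule conditions when possible because they are more resilient to app updates and to a change in file location" or "because it is more resilient". Dropping the explicit `<a id="bkmk-publisher">` anchor (and the matching `#bkmk-publisher` link in the bullet list) also breaks any inbound links that still target the old fragment, so keep the old id alongside the new heading if other pages link to it. Minor: "dlls" in the body paragraph should be "DLLs".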
@ -89,16 +77,16 @@ The following table describes how a publisher condition is applied.
| Option | The publisher condition allows or denies... | | Option | The publisher condition allows or denies... |
|---|---| |---|---|
| **All signed files** | All files that are signed by any publisher.| | **All signed files** | All files signed by any publisher. |
| **Publisher only**| All files that are signed by the named publisher.| | **Publisher only** | All files signed by the named publisher. |
| **Publisher and product name**| All files for the specified product that are signed by the named publisher.| | **Publisher and product name** | All files for the specified product signed by the named publisher. |
| **Publisher and product name, and file name**| Any version of the named file or package for the named product that is signed by the publisher.| | **Publisher and product name, and file name** | Any version of the named file or package for the named product signed by the publisher. |
| **Publisher, product name, file name, and file version**| **Exactly**<br/>The specified version of the named file or package for the named product that is signed by the publisher.| | **Publisher, product name, file name, and file version** | **Exactly**<br/>The specified version of the named file or package for the named product signed by the publisher. |
| **Publisher, product name, file name, and file version**| **And above**<br/>The specified version of the named file or package and any new releases for the product that are signed by the publisher.| | **Publisher, product name, file name, and file version** | **And above**<br/>The specified version of the named file or package and any new releases for the product signed by the publisher. |
| **Publisher, product name, file name, and file version**| **And below**<br/>The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| | **Publisher, product name, file name, and file version** | **And below**<br/>The specified version of the named file or package and any earlier versions for the product signed by the publisher. |
| **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| | **Custom** | You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule. |
### <a href="" id="bkmk-path"></a>Path ### Path
This rule condition identifies an application by its location in the file system of the computer or on the network. This rule condition identifies an application by its location in the file system of the computer or on the network.
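Review bot: The Custom row still reads "**Version** **Package name**" with no comma or "and" between the two fields; since this hunk already touches that row, fix it to "**Version**, **Package name**, and **Package version**". The other row changes only trim "that are"/"that is" and read fine.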
@ -107,23 +95,24 @@ AppLocker uses custom path variables for well-known paths, such as Program Files
The following table details these path variables. The following table details these path variables.
| Windows directory or disk | AppLocker path variable | Windows environment variable | | Windows directory or disk | AppLocker path variable | Windows environment variable |
| - | - | - | | --- | --- | --- |
| Windows| %WINDIR%| %SystemRoot%| | Windows | %WINDIR%| %SystemRoot%|
| System32 and SysWOW64| %SYSTEM32%| %SystemDirectory%| | System32 and SysWOW64 | %SYSTEM32%| %SystemDirectory%|
| Windows installation directory| %OSDRIVE%| %SystemDrive%| | Windows installation directory | %OSDRIVE%| %SystemDrive%|
| Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | | Program Files | %PROGRAMFILES% | %ProgramFiles% and %ProgramFiles(x86)% |
| Removable media (for example, a CD or DVD)| %REMOVABLE%| | | Removable media (for example, a CD or DVD) | %REMOVABLE% | |
| Removable storage device (for example, a USB flash drive)| %HOT% | | | Removable storage device (for example, a USB flash drive) | %HOT% | |
>**Important:** Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if an allow rule with a path condition includes a folder location that non-administrators are allowed to write data into, a user can copy unapproved files into that location and run the files. For this reason, it is a best practice to not create path conditions for standard user writable locations, such as a user profile. > [!IMPORTANT]
> Because a path rule condition can be configured to include a large number of folders and files, path conditions should be carefully planned. For example, if a path rule includes a folder location that lets non-administrators write data, a user (or malware running as a standard user) can copy unapproved files into that location and run the files. For this reason, you should avoid creating path conditions for standard user writable locations, such as a user profile.
### <a href="" id="bkmk-filehash"></a>File hash ### File hash
When you choose the file hash rule condition, the system computes a cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash will change. As a result, you must manually update file hash rules. When you choose the file hash rule condition, the system computes the Authenticode cryptographic hash of the identified file. The advantage of this rule condition is that because each file has a unique hash, a file hash rule condition applies to only one file. The disadvantage is that each time the file is updated (such as a security update or upgrade) the file's hash changes. As a result, you must manually update file hash rules.
## AppLocker default rules ## AppLocker default rules
AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md). AppLocker policies created using the AppLocker Group Policy editor can include default rules. Default rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
Executable default rule types include: Executable default rule types include:
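Review bot: The rewritten Important note drops "allow" from "an allow rule with a path condition", but the risk it describes (copying unapproved files into a writable folder and running them) arises only when the rule allows that path, so keep "if an allow rule with a path condition includes a folder location that lets non-administrators write data". The path-variable table is also only half normalized: the Windows, System32 and Windows installation directory rows keep "%WINDIR%| %SystemRoot%|" with no spaces around the pipes while the Program Files, Removable media and Removable storage rows get them; make all six rows consistent.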
@ -155,58 +144,67 @@ Packaged apps default rule types:
## AppLocker rule behavior ## AppLocker rule behavior
If no AppLocker rules for a specific rule collection exist, all files with that file format are allowed to run. However, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run. If no AppLocker rules are defined for a specific rule collection, all files covered by that rule collection are allowed to run. However, if any rule exists for a specific rule collection, then *only* those files matching at least one allow rule and not matching any deny rules run. For example, if you create an executable rule that allows .exe files in *%SystemDrive%\\FilePath* to run, only executable files located in that path are allowed to run.
A rule can be configured to use allow or deny actions: A rule can be configured to use allow or deny actions:
- **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Allow.** You can specify which files are allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
- **Deny.** You can specify which files are *not* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. - **Deny.** You can specify which files *aren't* allowed to run in your environment, and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
> **Important:** For a best practice, use allow actions with exceptions. You can use a combination of allow and deny actions but understand that deny actions override allow actions in all cases, and can be circumvented. For a best practice, use allow actions with exceptions. Although you can use a combination of allow and deny actions, deny actions always win. You can't use any other rule to allow a file that matches a deny rule.
>
> **Important:** If you join a computer running at least Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for executable files, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control executable files, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.
## Rule exceptions ## Rule exceptions
You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor. You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, the rule affects all users in that group. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor.
The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you instead used a deny rule that blocks all users from running Registry Editor, the second rule wouldn't actually let the help desk users run Registry Editor.
## <a href="" id="bkmk-dllrulecollections"></a>DLL rule collection ## DLL rule collection
Because the DLL rule collection isn't enabled by default, you must perform the following procedure before you can create and enforce DLL rules. Because the DLL rule collection isn't enabled by default, you must perform the following procedure before you can create and enforce DLL rules.
Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
**To enable the DLL rule collection** ### To enable the DLL rule collection
1. Click **Start**, type **secpol.msc**, and then press ENTER. 1. Select **Start**, type **secpol.msc**, and then select ENTER.
2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. 2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then click **Properties**. 3. In the console tree, double-click **Application Control Policies**, right-click **AppLocker**, and then select **Properties**.
4. Click the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then click **OK**. 4. Select the **Advanced** tab, select the **Enable the DLL rule collection** check box, and then select **OK**.
>**Important:** Before you enforce DLL rules, make sure that there are allow rules for each DLL that is used by any of the allowed apps. > [!IMPORTANT]
> Before you enforce DLL rules, make sure that there are allow rules for every DLL that is needed by all allowed apps.
## AppLocker wizards ## AppLocker wizards
You can create rules by using two AppLocker wizards: You can create rules by using two AppLocker wizards:
1. The Create Rules Wizard enables you to create one rule at a time. 1. The Create Rules Wizard enables you to create one rule at a time.
2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or if there are packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. 2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can select a folder and let the wizard create rules for any relevant files found. Or, for packaged apps, let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only.
## Other considerations ## Other considerations
- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications. - By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications.
- There are two types of AppLocker conditions that don't persist following an update of an app: - There are two types of AppLocker conditions that don't persist following an update of an app:
- **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app file is generated at the time the rule is created. However, the hash value is specific to that exact version of the file. If you need to allow multiple versions of the file, you need individual file hash conditions for each version of the file.
- **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released.
- **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific.
- If an app isn't digitally signed, you can't use a publisher rule condition for that app. - If an app isn't digitally signed, you can't use a publisher rule condition for that app.
- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. - If any rules are enforced for the EXE rule collection, you must create rules in the packaged apps and packaged app installers rule collection. Otherwise, all packaged apps and packaged app installers are blocked.
- The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8.
- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection doesn't contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection.
- When an AppLocker rule collection is set to **Audit only**, the rules aren't enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log.
- A custom configured URL can be included in the message that is displayed when an app is blocked. - A custom configured URL can be included in the message that is displayed when an app is blocked.
- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they can't run apps that aren't allowed. - Expect an increase in the number of Help Desk calls when users encounter apps that aren't allowed.
## In this section
| Article | Description |
| - | - |
| [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a file hash condition.|
| [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a path condition.|
| [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This article for IT professionals shows how to create an AppLocker rule with a publisher condition.|
| [Create AppLocker default rules](create-applocker-default-rules.md) | This article for IT professionals describes the steps to create a standard set of AppLocker rules that allow Windows system files to run.|
| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This article for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.|
| [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.|
| [Delete an AppLocker rule](delete-an-applocker-rule.md) | This article for IT professionals describes the steps to delete an AppLocker rule.|
| [Edit AppLocker rules](edit-applocker-rules.md) | This article for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.|
| [Enable the DLL rule collection](enable-the-dll-rule-collection.md) | This article for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker.|
| [Enforce AppLocker rules](enforce-applocker-rules.md) | This article for IT professionals describes how to enforce application control rules by using AppLocker.|
| [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) | This article for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device.|
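Review bot: Step 1 of the DLL rule collection procedure now says "select ENTER", but Enter is a key you press, not a control you select; keep "press Enter" (the other "click" to "select" changes in steps 2 to 4 are fine because they refer to buttons and tabs). Two smaller points: the "For a best practice, use allow actions with exceptions" paragraph loses its `> [!IMPORTANT]` callout while the same change converts the other notes in this file to `> [!NOTE]`/`> [!IMPORTANT]` syntax, so consider keeping it as a callout for consistency; and the bullet explaining that a collection set to **Audit only** isn't enforced but logs to the AppLocker event log is removed together with the "In this section" table without a replacement in this hunk, so confirm audit-mode behaviour is still described elsewhere, since nothing else in this hunk mentions the event log.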


@ -2,29 +2,29 @@
title: Windows Defender Application Control feature availability title: Windows Defender Application Control feature availability
description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability. description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 05/26/2023 ms.date: 12/21/2023
ms.topic: overview ms.topic: overview
--- ---
# Windows Defender Application Control and AppLocker feature availability # Windows Defender Application Control and AppLocker feature availability
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more. > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Review the following table to learn more.
| Capability | Windows Defender Application Control | AppLocker | | Capability | Windows Defender Application Control | AppLocker |
|-------------|------|-------------| |-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. | | Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Available on Windows 8 or later. |
| SKU availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).<br><br>Windows versions older than version 2004, including Windows Server 2019:<br><ul><li>Policies deployed through GP are only supported on Enterprise and Server editions.</li><li>Policies deployed through MDM are supported on all editions.</li></ul>| | Edition availability | Available on Windows 10, Windows 11, and Windows Server 2016 or later. <br> WDAC PowerShell cmdlets aren't available on Home edition, but policies are effective on all editions. | Policies are supported on all editions Windows 10 version 2004 and newer with [KB 5024351](https://support.microsoft.com/help/5024351).<br><br>Windows versions older than version 2004, including Windows Server 2019:<br><ul><li>Policies deployed through GP are only supported on Enterprise and Server editions.</li><li>Policies deployed through MDM are supported on all editions.</li></ul>|
| Management solutions | <ul><li>[Intune](deployment/deploy-wdac-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](deployment/deploy-wdac-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> | | Management solutions | <ul><li>[Intune](deployment/deploy-wdac-policies-using-intune.md)</li><li>[Microsoft Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](deployment/deploy-wdac-policies-using-group-policy.md) </li><li>[Script](/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script)</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide). | Available on Windows 8+. | | Per-user and Per-user group rules | Not available (policies are device-wide). | Available on Windows 8+. |
| Kernel mode policies | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. | | Kernel mode policies | Available on Windows 10, Windows 11, and Windows Server 2016 or later. | Not available. |
| [Rule option 11 - Disabled:Script Enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement) | Available on all versions of Windows 10 except 1607 LTSB, Windows 11, and Windows Server 2019 and above. **Disabled:Script Enforcement** is not supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and should not be used on those platforms. Doing so will result in unexpected script enforcement behaviors. | MSI and Script rule collection is separately configurable. | | [Rule option 11 - Disabled:Script Enforcement](/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement) | Available on all versions of Windows 10 except 1607 LTSB, Windows 11, and Windows Server 2019 and above. **Disabled:Script Enforcement** isn't supported on **Windows Server 2016** or on **Windows 10 1607 LTSB** and shouldn't be used on those platforms. Doing so results in unexpected script enforcement behaviors. | MSI and Script rule collection is separately configurable. |
| [Per-app rules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. | | [Per-app rules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
| [Managed Installer (MI)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. | | [Managed Installer (MI)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
| [Reputation-Based intelligence](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. | | [Reputation-Based intelligence](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
| [Multiple policy support](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Available on Windows 10, version 1903 and above, Windows 11, and Windows Server 2022. | Not available. | | [Multiple policy support](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Available on Windows 10, version 1903 and above, Windows 11, and Windows Server 2022. | Not available. |
| [Path-based rules](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create) | Available on Windows 10, version 1903 and above, Windows 11, and Windows Server 2019 or later. Exclusions aren't supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | | [Path-based rules](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create) | Available on Windows 10, version 1903 and above, Windows 11, and Windows Server 2022 or later. Exclusions aren't supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
| [COM object allowlisting](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. | | [COM object allowlisting](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Not available. |
| [Packaged app rules](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Available on Windows 8+. | | [Packaged app rules](/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 10, Windows 11, and Windows Server 2019 or later. | Available on Windows 8+. |
| Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll, .rll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| | Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll, .rll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
| [Application ID (AppId) Tagging](/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide) | Available on Windows 10, version 20H1 and above, and Windows 11. | Not available. | | [Application ID (AppId) Tagging](/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide) | Available on Windows 10, version 20H1 and later, and Windows 11. | Not available. |
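Review bot: the Path-based rules row raises the server baseline from "Windows Server 2019 or later" to "Windows Server 2022 or later" with no explanation in the commit message, while the neighbouring rows (Reputation-Based intelligence, COM object allowlisting, Packaged app rules) and the Multiple policy support row keep their previous server versions; if the 2022 baseline is correct for path rules only, the linked select-types-of-rules page should state the same minimum, otherwise this looks like an accidental edit. The wording is also now inconsistent within the table: the AppId Tagging row was changed from "20H1 and above" to "20H1 and later", but the Multiple policy support and Path-based rules rows still read "version 1903 and above"; pick "and later" throughout.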

View File

@ -2,22 +2,22 @@
title: WDAC and AppLocker Overview title: WDAC and AppLocker Overview
description: Compare Windows application control technologies. description: Compare Windows application control technologies.
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 04/04/2023 ms.date: 12/19/2023
ms.topic: article ms.topic: article
--- ---
# Windows Defender Application Control and AppLocker Overview # Windows Defender Application Control and AppLocker Overview
> [!NOTE] > [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md).
Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker.
## Windows Defender Application Control ## Windows Defender Application Control
Windows Defender Application Control was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC). WDAC was introduced with Windows 10 and allows organizations to control which drivers and applications are allowed to run on their Windows clients. It was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria), defined by the Microsoft Security Response Center (MSRC).
Windows Defender Application Control policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on:
- Attributes of the codesigning certificate(s) used to sign an app and its binaries - Attributes of the codesigning certificate(s) used to sign an app and its binaries
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file
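Review bot: the line "WDAC policies apply to the managed computer as a whole and affects all users of the device" has a subject-verb agreement error that survives the rewording; since this line is already touched by the hunk, change "affects" to "affect". Minor: the abbreviation "WDAC" is now expanded twice in a row, in the NOTE callout and again in the first body sentence; one expansion at first use is enough.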
@ -31,7 +31,7 @@ Windows Defender Application Control policies apply to the managed computer as a
### WDAC System Requirements ### WDAC System Requirements
Windows Defender Application Control (WDAC) policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. WDAC policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019. WDAC policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. WDAC policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019.
For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md).
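Review bot: the unchanged context line "For more information on which individual WDAC features are available on specific WDAC builds" should read "specific Windows builds" (the feature-availability table keys on Windows versions, not on WDAC builds); since the paragraph above it is being edited in this hunk, fix it here. Also, "Windows Server 2016 and higher" in the requirements sentence should use the same "or later" phrasing adopted elsewhere in this PR.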
@ -45,6 +45,8 @@ AppLocker policies can apply to all users on a computer, or to individual users
- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file. - Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file.
- The path from which the app or file is launched. - The path from which the app or file is launched.
AppLocker is also used by some features of WDAC, including [managed installer](/windows/security/application-security/application-control/windows-defender-application-control/design/configure-authorized-apps-deployed-with-a-managed-installer) and the [Intelligent Security Graph](/windows/security/application-security/application-control/windows-defender-application-control/design/use-wdac-with-intelligent-security-graph).
### AppLocker System Requirements ### AppLocker System Requirements
AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). AppLocker policies can only be configured on and applied to devices that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md).
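Review bot: the new sentence stating that managed installer and the Intelligent Security Graph rely on AppLocker is a useful dependency note for readers planning to retire AppLocker, but it links to the new `/design/use-wdac-with-intelligent-security-graph` path while the feature-availability table edited in this same commit still links the legacy `/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph` path; use one canonical target in both files (the relative links used elsewhere in this page, such as `feature-availability.md`, would be simplest). Consider also saying which AppLocker component these WDAC features depend on, so readers don't disable it when "choosing WDAC over AppLocker" per the section below.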
@ -52,13 +54,12 @@ AppLocker policies can be deployed using Group Policy or MDM.
## Choose when to use WDAC or AppLocker ## Choose when to use WDAC or AppLocker
Generally, it's recommended that customers, who are able to implement application control using Windows Defender Application Control rather than AppLocker, do so. WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements. Generally, customers who are able to implement application control using WDAC, rather than AppLocker, should do so. WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements.
However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: However, in some cases, AppLocker might be the more appropriate technology for your organization. AppLocker is best when:
- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. - You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS.
- You need to apply different policies for different users or groups on shared computers. - You need to apply different policies for different users or groups on shared computers.
- You don't want to enforce application control on application files such as DLLs or drivers. - You don't want to enforce application control on application files such as DLLs or drivers.
AppLocker can also be deployed as a complement to Windows Defender Application Control (WDAC) to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. AppLocker can also be deployed as a complement to WDAC to add user or group-specific rules for shared device scenarios, where it's important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to further fine-tune the restrictions.
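Review bot: in the reworded recommendation, the commas in "using WDAC, rather than AppLocker, should do so" break the clause awkwardly; suggest "Generally, customers who can implement application control with WDAC rather than AppLocker should do so." The first AppLocker bullet still says "apply the same policy controls to Windows 10 and earlier versions of the OS" although the page's opening sentence now covers Windows 10 and Windows 11; either include Windows 11 or clarify that the point is supporting pre-Windows 10 versions that WDAC cannot cover. Merging the best-practice sentence into the "complement to WDAC" paragraph reads well and keeps the key ordering (enforce WDAC at the most restrictive level first, then refine with AppLocker).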