mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
fixing spacing issues
This commit is contained in:
Brian Lich
@ -2,34 +2,54 @@
|
|||||||
title: Deploy AppLocker policies by using the enforce rules setting (Windows 10)
|
title: Deploy AppLocker policies by using the enforce rules setting (Windows 10)
|
||||||
description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
|
description: This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
|
||||||
ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba
|
ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: deploy
|
ms.mktglfcycl: deploy
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|
||||||
# Deploy AppLocker policies by using the enforce rules setting
|
# Deploy AppLocker policies by using the enforce rules setting
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
|
|
||||||
This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
|
This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method.
|
||||||
|
|
||||||
## Background and prerequisites
|
## Background and prerequisites
|
||||||
|
|
||||||
These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
|
These procedures assume that you have already deployed AppLocker policies with the enforcement set to **Audit only**, and you have been collecting data through the AppLocker event logs and other channels to determine what effect these policies have on your environment and the policy's adherence to your application control design.
|
||||||
|
|
||||||
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
|
For info about the AppLocker policy enforcement setting, see [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md).
|
||||||
|
|
||||||
For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md).
|
For info about how to plan an AppLocker policy deployment, see [AppLocker Design Guide](applocker-policies-design-guide.md).
|
||||||
|
|
||||||
## Step 1: Retrieve the AppLocker policy
|
## Step 1: Retrieve the AppLocker policy
|
||||||
|
|
||||||
Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
|
Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
|
||||||
|
|
||||||
## Step 2: Alter the enforcement setting
|
## Step 2: Alter the enforcement setting
|
||||||
|
|
||||||
Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
|
Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md).
|
||||||
|
|
||||||
## Step 3: Update the policy
|
## Step 3: Update the policy
|
||||||
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack.
|
|
||||||
**Caution**
|
You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](http://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the
|
||||||
You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
|
Microsoft Desktop Optimization Pack.
|
||||||
|
|
||||||
|
>**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
|
||||||
|
|
||||||
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
|
For the procedure to update the GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md).
|
||||||
|
|
||||||
For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
|
For the procedures to distribute policies for local PCs by using the Local Security Policy snap-in (secpol.msc), see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md).
|
||||||
|
|
||||||
## Step 4: Monitor the effect of the policy
|
## Step 4: Monitor the effect of the policy
|
||||||
|
|
||||||
When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
|
When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md).
|
||||||
|
|
||||||
## Additional resources
|
## Additional resources
|
||||||
|
|
||||||
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
|
- For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -2,24 +2,35 @@
|
|||||||
title: User Account Control (Windows 10)
|
title: User Account Control (Windows 10)
|
||||||
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
|
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
|
||||||
ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
|
ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
|
||||||
ms.pagetype: security
|
|
||||||
ms.prod: W10
|
ms.prod: W10
|
||||||
ms.mktglfcycl: operate
|
ms.mktglfcycl: operate
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
author: brianlic-msft
|
author: brianlic-msft
|
||||||
---
|
---
|
||||||
|
|
||||||
# User Account Control
|
# User Account Control
|
||||||
|
|
||||||
**Applies to**
|
**Applies to**
|
||||||
- Windows 10
|
- Windows 10
|
||||||
- Windows Server 2016 Technical Preview
|
- Windows Server 2016 Technical Preview
|
||||||
|
|
||||||
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
|
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
|
||||||
|
|
||||||
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
|
UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
|
||||||
|
|
||||||
Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
|
Other apps, especially those that were not specifically designed with security settings in mind, often require additional permissions to run successfully. These types of apps are referred to as legacy apps. Additionally, actions such as installing new software and making configuration changes to the Windows Firewall, require more permissions than what is available to a standard user account.
|
||||||
|
|
||||||
When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device.
|
When an app needs to run with more than standard user rights, UAC can restore additional user groups to the token. This enables the user to have explicit control of apps that are making system level changes to their computer or device.
|
||||||
|
|
||||||
## Practical applications
|
## Practical applications
|
||||||
|
|
||||||
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
|
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
|
||||||
|
|
||||||
## New and changed functionality
|
## New and changed functionality
|
||||||
|
|
||||||
To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md).
|
To find out what's new in UAC for Windows 10, see [User Account Control](../whats-new/user-account-control.md).
|
||||||
|
|
||||||
## In this section
|
## In this section
|
||||||
| Topic | Description |
|
| Topic | Description |
|
||||||
| - | - |
|
| - | - |
|
||||||
|
|||||||
Reference in New Issue
Block a user