diff --git a/windows/keep-secure/access-this-computer-from-the-network.md b/windows/keep-secure/access-this-computer-from-the-network.md index 1cb598fcfd..0d93c1d879 100644 --- a/windows/keep-secure/access-this-computer-from-the-network.md +++ b/windows/keep-secure/access-this-computer-from-the-network.md @@ -1,5 +1,5 @@ --- -title: Access this computer from the network (Windows 10) +title: Access this computer from the network - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting. ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Access this computer from the network +# Access this computer from the network - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/accounts-guest-account-status.md b/windows/keep-secure/accounts-guest-account-status.md index f9054008ac..527a1357c4 100644 --- a/windows/keep-secure/accounts-guest-account-status.md +++ b/windows/keep-secure/accounts-guest-account-status.md @@ -1,5 +1,5 @@ --- -title: Accounts Guest account status (Windows 10) +title: Accounts Guest account status - security policy setting (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Accounts: Guest account status +# Accounts: Guest account status - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/accounts-rename-guest-account.md b/windows/keep-secure/accounts-rename-guest-account.md index aa06c480c3..c77030e875 100644 --- a/windows/keep-secure/accounts-rename-guest-account.md +++ b/windows/keep-secure/accounts-rename-guest-account.md @@ -1,5 +1,5 @@ --- -title: Accounts Rename guest account (Windows 10) +title: Accounts Rename guest account - security policy setting (Windows 10) description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting. ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Accounts: Rename guest account +# Accounts: Rename guest account - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/allow-log-on-locally.md b/windows/keep-secure/allow-log-on-locally.md index 3cbeacb088..9e4831a223 100644 --- a/windows/keep-secure/allow-log-on-locally.md +++ b/windows/keep-secure/allow-log-on-locally.md @@ -1,5 +1,5 @@ --- -title: Allow log on locally (Windows 10) +title: Allow log on locally - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Allow log on locally +# Allow log on locally - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/back-up-files-and-directories.md b/windows/keep-secure/back-up-files-and-directories.md index 6f6a7b8805..f338698789 100644 --- a/windows/keep-secure/back-up-files-and-directories.md +++ b/windows/keep-secure/back-up-files-and-directories.md @@ -1,5 +1,5 @@ --- -title: Back up files and directories (Windows 10) +title: Back up files and directories - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Back up files and directories +# Back up files and directories - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/bitlocker-basic-deployment.md b/windows/keep-secure/bitlocker-basic-deployment.md index b83692c713..fbc016705b 100644 --- a/windows/keep-secure/bitlocker-basic-deployment.md +++ b/windows/keep-secure/bitlocker-basic-deployment.md @@ -40,7 +40,7 @@ BitLocker encryption can be done using the following methods: ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 6ab0f71f04..5761c7318a 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md @@ -47,6 +47,8 @@ Yes, BitLocker supports multifactor authentication for operating system drives. ### What are the BitLocker hardware and software requirements? +For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements). + > **Note:**  Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.   ### Why are two partitions required? Why does the system drive have to be so large? diff --git a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md index e57e269aff..8a9e7b2ab7 100644 --- a/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/keep-secure/bitlocker-how-to-deploy-on-windows-server.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later. +This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment. diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 2921e55f01..89aea0f522 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -79,4 +79,4 @@ When installing the BitLocker optional component on a server you will also need | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| -If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm). \ No newline at end of file +If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker). \ No newline at end of file diff --git a/windows/keep-secure/change-the-system-time.md b/windows/keep-secure/change-the-system-time.md index e6f43e3f88..0ca13c1625 100644 --- a/windows/keep-secure/change-the-system-time.md +++ b/windows/keep-secure/change-the-system-time.md @@ -1,5 +1,5 @@ --- -title: Change the system time (Windows 10) +title: Change the system time - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting. ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Change the system time +# Change the system time - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/change-the-time-zone.md b/windows/keep-secure/change-the-time-zone.md index 3eb72473a5..50067366d5 100644 --- a/windows/keep-secure/change-the-time-zone.md +++ b/windows/keep-secure/change-the-time-zone.md @@ -1,5 +1,5 @@ --- -title: Change the time zone (Windows 10) +title: Change the time zone - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting. ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Change the time zone +# Change the time zone - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/create-a-pagefile.md b/windows/keep-secure/create-a-pagefile.md index a8c65abbab..804d32f022 100644 --- a/windows/keep-secure/create-a-pagefile.md +++ b/windows/keep-secure/create-a-pagefile.md @@ -1,5 +1,5 @@ --- -title: Create a pagefile (Windows 10) +title: Create a pagefile - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting. ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Create a pagefile +# Create a pagefile - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/create-applocker-default-rules.md b/windows/keep-secure/create-applocker-default-rules.md index 930d2bc4d7..6f5b802707 100644 --- a/windows/keep-secure/create-applocker-default-rules.md +++ b/windows/keep-secure/create-applocker-default-rules.md @@ -27,3 +27,7 @@ You can perform this task by using the Group Policy Management Console for an Ap 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules. 3. Click **Create Default Rules**. + +## Related topics + +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index ea7309fee3..a92cf8f9f5 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -195,10 +195,9 @@ Requirements for running Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - ### Remove Credential Guard -If you have to remove Credential Guard on a PC, you need to do the following: +If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). 1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: @@ -242,7 +241,8 @@ If you have to remove Credential Guard on a PC, you need to do the following: For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). -**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** + +#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). diff --git a/windows/keep-secure/interactive-logon-require-smart-card.md b/windows/keep-secure/interactive-logon-require-smart-card.md index 2441b3c3e7..503713f8e7 100644 --- a/windows/keep-secure/interactive-logon-require-smart-card.md +++ b/windows/keep-secure/interactive-logon-require-smart-card.md @@ -1,5 +1,5 @@ --- -title: Interactive logon Require smart card (Windows 10) +title: Interactive logon Require smart card - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Interactive logon: Require smart card +# Interactive logon: Require smart card - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/remove-computer-from-docking-station.md b/windows/keep-secure/remove-computer-from-docking-station.md index ee3b81a7d3..1823951ae4 100644 --- a/windows/keep-secure/remove-computer-from-docking-station.md +++ b/windows/keep-secure/remove-computer-from-docking-station.md @@ -1,5 +1,5 @@ --- -title: Remove computer from docking station (Windows 10) +title: Remove computer from docking station - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting. ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Remove computer from docking station +# Remove computer from docking station - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/requirements-for-deploying-applocker-policies.md b/windows/keep-secure/requirements-for-deploying-applocker-policies.md index e3b6c29aa7..874036e3b6 100644 --- a/windows/keep-secure/requirements-for-deploying-applocker-policies.md +++ b/windows/keep-secure/requirements-for-deploying-applocker-policies.md @@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo ### Deployment plan -An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). +An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)). diff --git a/windows/keep-secure/restore-files-and-directories.md b/windows/keep-secure/restore-files-and-directories.md index e8bb7e6f85..bf78f4ff41 100644 --- a/windows/keep-secure/restore-files-and-directories.md +++ b/windows/keep-secure/restore-files-and-directories.md @@ -1,5 +1,5 @@ --- -title: Restore files and directories (Windows 10) +title: Restore files and directories - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting. ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Restore files and directories +# Restore files and directories - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/select-types-of-rules-to-create.md b/windows/keep-secure/select-types-of-rules-to-create.md index 00ae11caf5..35f8ffd6b2 100644 --- a/windows/keep-secure/select-types-of-rules-to-create.md +++ b/windows/keep-secure/select-types-of-rules-to-create.md @@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus ### Determine how to allow system files to run -Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. +Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: diff --git a/windows/keep-secure/shut-down-the-system.md b/windows/keep-secure/shut-down-the-system.md index 0c4f6b24a7..4cde410c2d 100644 --- a/windows/keep-secure/shut-down-the-system.md +++ b/windows/keep-secure/shut-down-the-system.md @@ -1,5 +1,5 @@ --- -title: Shut down the system (Windows 10) +title: Shut down the system - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting. ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Shut down the system +# Shut down the system - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md index 83e27c9e00..348aa4eb2d 100644 --- a/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/keep-secure/shutdown-clear-virtual-memory-pagefile.md @@ -1,5 +1,5 @@ --- -title: Shutdown Clear virtual memory pagefile (Windows 10) +title: Shutdown Clear virtual memory pagefile - security policy setting (Windows 10) description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting. ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security author: brianlic-msft --- -# Shutdown: Clear virtual memory pagefile +# Shutdown: Clear virtual memory pagefile - security policy setting **Applies to** - Windows 10 diff --git a/windows/keep-secure/tools-to-use-with-applocker.md b/windows/keep-secure/tools-to-use-with-applocker.md index 5d2d69ff81..a5346774ab 100644 --- a/windows/keep-secure/tools-to-use-with-applocker.md +++ b/windows/keep-secure/tools-to-use-with-applocker.md @@ -24,7 +24,7 @@ The following tools can help you administer the application control policies cre - **Generate Default Rules tool** - AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). + AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules). - **Automatically Generate AppLocker Rules wizard** diff --git a/windows/keep-secure/understanding-applocker-default-rules.md b/windows/keep-secure/understanding-applocker-default-rules.md index b0aa99f22e..f0b744d7ad 100644 --- a/windows/keep-secure/understanding-applocker-default-rules.md +++ b/windows/keep-secure/understanding-applocker-default-rules.md @@ -42,5 +42,4 @@ These permissions settings are applied to this folder for app compatibility. How ## Related topics - [How AppLocker works](how-applocker-works-techref.md) -  -  +- [Create AppLocker default rules](create-applocker-default-rules.md) \ No newline at end of file diff --git a/windows/keep-secure/understanding-applocker-rule-collections.md b/windows/keep-secure/understanding-applocker-rule-collections.md index b8adef234c..bfe5fd07ce 100644 --- a/windows/keep-secure/understanding-applocker-rule-collections.md +++ b/windows/keep-secure/understanding-applocker-rule-collections.md @@ -33,3 +33,5 @@ For info about how to enable the DLL rule collection, see [Enable the DLL rule c ## Related topics - [How AppLocker works](how-applocker-works-techref.md) +- [Understanding AppLocker default rules](understanding-applocker-default-rules.md) + diff --git a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 17fe40b6a1..0fa2a8f258 100644 --- a/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/keep-secure/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -61,7 +61,7 @@ The following table compares the features and functions of Software Restriction +

SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

diff --git a/windows/keep-secure/working-with-applocker-rules.md b/windows/keep-secure/working-with-applocker-rules.md index 9c528133ef..26270475b6 100644 --- a/windows/keep-secure/working-with-applocker-rules.md +++ b/windows/keep-secure/working-with-applocker-rules.md @@ -123,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi ## AppLocker default rules -AppLocker allows you to generate default rules for each rule collection. +AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md). Executable default rule types include:

Enforcement mode

SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

-

SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.

AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.