--- title: Document the Group Policy structure and AppLocker rule enforcement (Windows 10) description: This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library author: brianlic-msft ms.pagetype: security --- # Document the Group Policy structure and AppLocker rule enforcement **Applies to** - Windows 10 This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. ## Record your findings To complete this AppLocker planning document, you should first complete the following steps: 1. [Determine your application control objectives](determine-your-application-control-objectives.md) 2. [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md) 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies.

Business group	Organizational unit	Implement AppLocker?	Apps	Installation path	Use default rule or define new rule condition	Allow or deny	GPO name
Bank Tellers	Teller-East and Teller-West	Yes	Teller Software	C:\Program Files\Woodgrove\Teller.exe	File is signed; create a publisher condition	Allow	Tellers-AppLockerTellerRules
			Windows files	C:\Windows	Create a path exception to the default rule to exclude \Windows\Temp	Allow
Human Resources	HR-All	Yes	Check Payout	C:\Program Files\Woodgrove\HR\Checkcut.exe	File is signed; create a publisher condition	Allow	HR-AppLockerHRRules
			Time Sheet Organizer	C:\Program Files\Woodgrove\HR\Timesheet.exe	File is not signed; create a file hash condition	Allow
			Internet Explorer 7	C:\Program Files\Internet Explorer\	File is signed; create a publisher condition	Deny
			Windows files	C:\Windows	Use a default rule for the Windows path	Allow

## Next steps After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) - [Create your AppLocker planning document](create-your-applocker-planning-document.md)