Configure Exceptions for an AppLocker Rule

 

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

This topic describes the steps to specify which applications can or cannot run as exceptions to an AppLocker rule in Windows Server 2012 and Windows 8.

Rule exceptions allow you to specify files or folders to exclude from the rule. For more information about exceptions, see Understanding AppLocker Rule Exceptions.

You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information about how to use these MMC snap-ins to administer AppLocker, see Using the MMC snap-ins to administer AppLocker.

To configure exceptions for a rule

  1. In the console tree of the snap-in, double-click Application Control Policies, and then double-click AppLocker.

  2. Expand the rule collection, right-click the rule that you want to configure exceptions for, and then click Properties.

  3. Click the Exceptions tab.

  4. In the Add exception box, select the rule type that you want to create, and then click Add.

    • For a publisher exception, click Browse, select the file that contains the publisher to exclude, and then click OK.

    • For a path exception, choose the file or folder path to exclude, and then click OK.

    • For a file hash exception, edit the file hash rule, and click Remove.

    • For a packaged apps exception, click Add to create the exceptions based on a reference app and rule scope.
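
Exceptions set on the Exceptions tab are stored in the policy XML under each rule's Exceptions element, so they can be listed for review after the change. The following PowerShell is an added example, not part of the original topic or Microsoft's own code: the helper name Get-AppLockerRuleException is hypothetical and the sample policy (rule names, GUIDs, paths, publisher) is constructed so the script runs offline.

```powershell
# Constructed sample policy: rule names, GUIDs, paths and publisher are made up.
$samplePolicy = @'
<AppLockerPolicy Version="1">
 <RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
   <Exceptions>
    <FilePathCondition Path="%PROGRAMFILES%\Contoso\Legacy\*" />
    <FilePublisherCondition PublisherName="O=CONTOSO, L=REDMOND, S=WASHINGTON, C=US"
                            ProductName="*" BinaryName="*">
     <BinaryVersionRange LowSection="*" HighSection="*" />
    </FilePublisherCondition>
   </Exceptions>
  </FilePathRule>
  <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows"
                Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
   <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
 </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppLockerRuleException {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Policy)
    foreach ($rule in $Policy.SelectNodes('/AppLockerPolicy/RuleCollection/*')) {
        foreach ($ex in $rule.SelectNodes('Exceptions/*')) {
            # Summarise the exception according to its condition type.
            $detail = switch ($ex.LocalName) {
                'FilePathCondition'      { $ex.GetAttribute('Path') }
                'FilePublisherCondition' { '{0} / {1} / {2}' -f $ex.GetAttribute('PublisherName'),
                                           $ex.GetAttribute('ProductName'), $ex.GetAttribute('BinaryName') }
                'FileHashCondition'      { ($ex.SelectNodes('FileHash') |
                                           ForEach-Object { $_.GetAttribute('SourceFileName') }) -join ', ' }
                default                  { $ex.OuterXml }
            }
            [pscustomobject]@{
                Collection    = $rule.ParentNode.GetAttribute('Type')
                Rule          = $rule.GetAttribute('Name')
                Action        = $rule.GetAttribute('Action')
                ExceptionType = $ex.LocalName
                Detail        = $detail
            }
        }
    }
}

# Offline run against the sample; on a live machine pass (Get-AppLockerPolicy -Effective -Xml).
Get-AppLockerRuleException -Policy $samplePolicy | Format-Table -AutoSize
```

Rules without an Exceptions element, such as the second rule in the sample, produce no output rows, so the table shows only the carve-outs that need review.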