Configure an AppLocker Policy for Audit Only

Applies To: Windows 7, Windows Server 2008 R2

This topic describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker in Windows Server 2008 R2 and Windows 7.

After AppLocker rules are created within the rule collection, you can configure the enforcement setting to Enforce rules or Audit only.

When AppLocker policy enforcement is set to Enforce rules, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to Audit only, rules are evaluated but not enforced, and all events generated from that evaluation are written to the AppLocker log.

Note

There is no audit mode for the DLL rule collection. DLL rules affect specific applications. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see Enable the DLL Rule Collection.

You can perform this task by using Group Policy for an AppLocker policy in a GPO or by using the Local Security Policy snap-in for an AppLocker policy on a local computer.

To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the Domain Admins group, the Enterprise Admins group, and the Group Policy Creator Owners group have this permission.

To audit rule collections within a GPO by using Group Policy

  1. Click Start, click Administrative Tools, and then click Group Policy Management to open the Group Policy Management Console (GPMC).

  2. Locate the GPO that contains the rule collections you want to audit, right-click the GPO, and then click Edit.

  3. In the console tree, double-click Application Control Policies, right-click AppLocker, and then click Properties.

  4. On the Enforcement tab, select the Configured check box for the rule collection that you want to enforce, and then verify that Audit only is selected in the list for that rule collection.

  5. Repeat step 4 to configure the enforcement setting to Audit only for additional rule collections.

  6. Click OK.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To audit rule collections by using the Local Security Policy snap-in

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, double-click Application Control Policies, right-click AppLocker, and then click Properties.

  4. On the Enforcement tab, select the Configured check box for the rule collection that you want to enforce, and then verify that Audit only is selected in the list for that rule collection.

  5. Repeat step 4 to configure the enforcement setting to Audit only for additional rule collections.

  6. Click OK.
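The two procedures above are carried out in the GUI. The following PowerShell script is an added example, not part of the original topic, that does the same job with the AppLocker module that ships with Windows 7 and Windows Server 2008 R2: it switches the configured Exe, Msi and Script collections of either the local policy (the secpol.msc procedure) or a GPO (the GPMC procedure) to Audit only, and then summarises the audit events that the earlier paragraph says are written to the AppLocker log, so the rule set can be corrected before enforcement is turned on. The function names, the temporary file path and the LDAP placeholder are assumptions of this example; the cmdlets, log names and event IDs are the ones Windows provides.

```powershell
# Added example, not from the original topic. Assumes the AppLocker module
# on Windows 7 / Windows Server 2008 R2 and, for the GPO case, an LDAP path
# to the GPO's policy container (placeholder shown in the usage lines).
Import-Module AppLocker

function Set-AppLockerAuditOnly {
    # Switch the configured Exe, Msi and Script collections to Audit only.
    # Without -Ldap the local policy is changed; with -Ldap the GPO is.
    # Dll is deliberately left alone: the topic states that collection has
    # no audit mode, so it needs its own tested change.
    param(
        [string]$Ldap,
        [string[]]$Collections = @('Exe', 'Msi', 'Script'),
        [string]$WorkFile = (Join-Path $env:TEMP 'applocker-audit.xml')   # assumed path
    )

    if ($Ldap) { [xml]$policy = Get-AppLockerPolicy -Domain -Ldap $Ldap -Xml }
    else       { [xml]$policy = Get-AppLockerPolicy -Local -Xml }

    $changed = @()
    foreach ($rc in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        # Only collections that are already configured are flipped, so a
        # NotConfigured collection does not start being evaluated.
        if (($Collections -contains $rc.Type) -and ($rc.EnforcementMode -ne 'NotConfigured')) {
            $rc.SetAttribute('EnforcementMode', 'AuditOnly')
            $changed += $rc.Type
        }
    }

    $policy.Save($WorkFile)
    if ($Ldap) { Set-AppLockerPolicy -XmlPolicy $WorkFile -Ldap $Ldap }
    else       { Set-AppLockerPolicy -XmlPolicy $WorkFile }
    return $changed   # collections that are now in Audit only
}

function Get-AppLockerAuditSummary {
    # Audit only produces event 8003 in the "EXE and DLL" log and 8006 in the
    # "MSI and Script" log: the file was allowed to run but would have been
    # blocked under Enforce rules. Group those events per file path.
    param([int]$Top = 20)

    # AppLocker neither audits nor enforces unless this service is running.
    if ((Get-Service AppIDSvc).Status -ne 'Running') {
        Write-Warning 'Application Identity service (AppIDSvc) is not running; no AppLocker events will be written.'
    }

    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    $logs |
        ForEach-Object { Get-AppLockerFileInformation -EventLog -LogPath $_ -EventType Audited } |
        Group-Object { "$($_.Path)" } |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Usage (run from an elevated PowerShell session):
#   Set-AppLockerAuditOnly                     # local computer
#   Set-AppLockerAuditOnly -Ldap 'LDAP://<DC>/CN={<GPO-GUID>},CN=Policies,CN=System,DC=<domain>,DC=<tld>'
#   Get-AppLockerAuditSummary                  # after the audit has run for a while
```

Files that show up in the summary are ones the current rules would block once enforcement is switched on; either add rules for them or confirm they should be blocked before changing the collection from Audit only to Enforce rules.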