Using Software Restriction Policies and AppLocker Policies

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012

This topic describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same deployment for Windows operating systems beginning with Windows XP and Windows Server 2003 and including Windows Server 2012 and Windows 8.

Understanding the difference between SRP and AppLocker

You might want to deploy application control policies onto Windows operating systems earlier than Windows Server 2008 R2 or Windows 7. You can use AppLocker policies only on the supported editions of Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7, but you can use SRP on supported editions of Windows beginning with Windows Server 2003 and Windows XP. To compare features and functions in SRP and AppLocker so that you can determine when to use each technology to meet your application control objectives, see Determining Your Application Control Objectives.

Using SRP and AppLocker in the same domain

Both SRP and AppLocker use Group Policy for domain management. However, when SRP policies and AppLocker policies exist in the same domain and applied through Group Policy, AppLocker policies will take precedence over SRP policies on computers running Windows Server 2012, Windows Server 2008 R2, Windows 8 or Windows 7. For information about how inheritance in Group Policy applies to AppLocker policies and SRP policies, see Understanding AppLocker Rules and Enforcement Setting Inheritance in Group Policy.

Important

Use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO.

As an example of how both types of policy would affect the bank's "Teller software" application, consider the following scenario where the application is deployed on different Windows desktop operating systems and managed by the Tellers GPO.

Operating system Tellers GPO with AppLocker policy Tellers GPO with SRP policy Tellers GPO with both AppLocker policy and SRP policy

Windows 8 and Windows 7

AppLocker policies in the GPO are applied and supersede any local AppLocker policies.

Local AppLocker policies supersede any SRP policies applied through the GPO.

AppLocker policies in the GPO are applied and supersede the SRP policies in the GPO and any local AppLocker policies or SRP policies.

Windows Vista

AppLocker policies are not applied.

SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied.

SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies not applied.

Windows XP

AppLocker policies are not applied.

SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies are not applied.

SRP policies in the GPO are applied and supersede any local SRP policies. AppLocker policies not applied.

Note

For information about supported versions and editions of the operating system, see Supported operating systems.

Testing and validating SRP policies and AppLocker policies that are deployed in the same environment

Because SRP policies and AppLocker policies function differently they should not be implemented in the same GPO. This will make testing the result of the policy straightforward, which is critical to successfully controlling application usage in the targeted organization. Configuring a testing and policy distribution system can aid in understanding the result of a policy. The effects of SRP policies and AppLocker policies need to be tested separately and by using different tools.

Step 1: Test the effect of SRP policies

You can use the Group Policy Management Console (GPMC) or the Resultant Set of Policy (RSoP) snap-in to determine the effect of applying SRP policies by using GPOs. For information about using RSoP, see Resultant Set of Policy. For information about using the GPMC, see Group Policy Management Console.

Step 2: Test the effect of AppLocker policies

You can test AppLocker policies by using Windows PowerShell cmdlets. For information about investigating the result of a policy, see:

Another method to use when determining the result of a policy is to set the enforcement mode to audit-only. When the policy is deployed, events will be written to the AppLocker logs as if the policy was enforced. For information about using the audit-only mode, see:

See Also

Concepts

AppLocker Policies Deployment Guide