Configure an AppLocker Policy for Audit Only
Updated: May 2, 2012
Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8
This topic describes how to set AppLocker policies to Audit only within your IT environment by using AppLocker in Windows Server 2012 and Windows 8.
After AppLocker rules are created within the rule collection, you can configure the enforcement setting to Enforce rules or Audit only.
When AppLocker policy enforcement is set to Enforce rules, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to Audit only, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
There is no audit mode for the DLL rule collection. DLL rules affect specific applications. Therefore, test the impact of these rules first before deploying them to production. To enable the DLL rule collection, see Enable the DLL Rule Collection.
You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For information how to use these MMC snap-ins to administer AppLocker, see Using the MMC snap-ins to administer AppLocker.
To audit rule collections
In the console tree of the snap-in, double-click Application Control Policies, right-click AppLocker, and then click Properties.
On the Enforcement tab, select the Configured check box for the rule collection that you want to enforce, and then verify that Audit only is selected in the list for that rule collection.
Repeat the above step to configure the enforcement setting to Audit only for additional rule collections.