Audit AppLocker Rules

Applies To: Windows Server 2008 R2

You can configure a rule collection so that all of its rules only audit activity and are not enforced. This is useful for testing new rules before they are deployed.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To configure audit-only mode

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER. Alternatively, open the console from Control Panel:

    1. Click Start, and then click Control Panel.

    2. Click System and Security, and then click Administrative Tools.

    3. Double-click Local Security Policy.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, double-click Application Control Policies, right-click AppLocker, and then click Properties.

  4. On the Enforcement tab, select the Configured check box for the appropriate rule collection, and then select Audit only in the list for that rule collection.

  5. Repeat step 4 to configure additional rule collections.

  6. Click OK.
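
The same setting can be applied from an elevated PowerShell session with the AppLocker module. This is an added example, not part of the original procedure. It goes one step past the steps above by reading back the resulting modes and the audit events. The choice of the Exe collection and the temporary file name are assumptions made for illustration.

```powershell
# Added example: set one AppLocker rule collection to audit-only in the local policy.
# Run elevated (membership in local Administrators, as the procedure requires).
Import-Module AppLocker

$collectionType = 'Exe'   # assumption: Exe chosen for illustration (also Msi, Script, Dll)
$xmlPath = Join-Path $env:TEMP 'applocker-audit-example.xml'   # hypothetical working file

# Export the current local policy as XML so the existing rules are preserved.
[xml]$policy = Get-AppLockerPolicy -Local -Xml

# Locate the rule collection; a policy with no rules has no RuleCollection elements.
$collection = $policy.SelectSingleNode(
    "/AppLockerPolicy/RuleCollection[@Type='$collectionType']")
if ($collection -eq $null) {
    throw "Rule collection '$collectionType' is not present in the local policy. Create rules first."
}

# Equivalent of selecting Configured and choosing "Audit only" on the Enforcement tab.
$previousMode = $collection.GetAttribute('EnforcementMode')
$collection.SetAttribute('EnforcementMode', 'AuditOnly')
$policy.Save($xmlPath)

# Without -Merge the local policy is replaced by this file, which is the
# exported policy with only the enforcement mode changed.
Set-AppLockerPolicy -XmlPolicy $xmlPath
Write-Output "$collectionType collection: $previousMode -> AuditOnly"

# Read the policy back and list the mode of every configured collection.
([xml](Get-AppLockerPolicy -Local -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode

# Event ID 8003 records a file that ran but would have been blocked under
# enforcement. Review these before switching the collection to enforce mode.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Remove-Item $xmlPath -ErrorAction SilentlyContinue
```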
