Edit AppLocker Rules

Applies To: Windows 7, Windows Server 2008 R2

This topic describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker in Windows Server 2008 R2 and Windows 7.

For more information about these rule types, see Understanding AppLocker Rule Condition Types.

You can edit AppLocker rules by using Group Policy for an AppLocker policy in a GPO or by using the Local Security Policy snap-in for an AppLocker policy on a local computer.

To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the Domain Admins group, the Enterprise Admins group, and the Group Policy Creator Owners group have this permission.

To edit AppLocker rules by using Group Policy

  1. Click Start, click Administrative Tools, and then click Group Policy Management to open the Group Policy Management Console (GPMC).

  2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and click Edit.

  3. Perform one of the following procedures:

    • To edit a publisher rule

    • To edit a file hash rule

    • To edit a path rule

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To edit AppLocker rules by using the Local Security Policy snap-in

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. Perform one of the following procedures:

    • To edit a publisher rule

    • To edit a file hash rule

    • To edit a path rule

To edit a publisher rule

  1. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  2. Click the appropriate rule collection.

  3. In the Action pane, right-click the publisher rule, and then click Properties.

  4. Click the appropriate tab to edit the rule properties.

    • Click the General tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply.

    • Click the Publisher tab to configure the certificate's common name, the product name, the file name, or file version of the publisher.

    • Click the Exceptions tab to create or edit exceptions.

    • When you finish updating the rule, click OK.

To edit a file hash rule

  1. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  2. Choose the appropriate rule collection.

  3. In the Action pane, right-click the file hash rule, and then click Properties.

  4. Click the appropriate tab to edit the rule properties.

    • Click the General tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply.

    • Click the File Hash tab to configure the files that should be used to enforce the rule. You can click Browse Files to add a specific file or click Browse Folders to add all files in a specified folder. To remove hashes individually, click Remove.

    • When you finish updating the rule, click OK.

To edit a path rule

  1. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

  2. Choose the appropriate rule collection.

  3. In the Action pane, right-click the path rule, and then click Properties.

  4. Click the appropriate tab to edit the rule properties.

    • Click the General tab to change the rule name, add a rule description, configure whether the rule is used to allow or deny applications, and set the security group for which this rule should apply.

    • Click the Path tab to configure the path on the computer for which the rule should be enforced.

    • Click the Exceptions tab to create exceptions for specific files in a folder.

    • When you finish updating the rule, click OK.
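
The following PowerShell is an added example, not part of the original topic. It compares two exports of an AppLocker policy taken before and after an edit made with the procedures above, and lists which rules changed and in which part. The function names Get-RuleIndex and Compare-AppLockerRuleSnapshot and the sample policy XML are constructed for illustration; Get-AppLockerPolicy is the AppLocker cmdlet that produces the real exports.

```powershell
# Added example. Capture real snapshots around an edit with:
#   Get-AppLockerPolicy -Local -Xml | Out-File before.xml   (then after.xml)
# The policy XML below is constructed sample data, not from a real system.
$before = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Tools folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="C:\Tools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
# Simulate an edit on the Path tab that widens the rule from C:\Tools\* to C:\*.
$after = $before -replace 'C:\\Tools\\\*', 'C:\*'

function Get-RuleIndex([string]$PolicyXml) {
    # Map rule Id -> rule element across every rule collection and rule type.
    $index = @{}
    foreach ($rule in ([xml]$PolicyXml).SelectNodes('//RuleCollection/*[@Id]')) {
        $index[$rule.GetAttribute('Id')] = $rule
    }
    return $index
}

function Compare-AppLockerRuleSnapshot([string]$Before, [string]$After) {
    $old = Get-RuleIndex $Before; $new = Get-RuleIndex $After
    foreach ($id in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        $o = $old[$id]; $n = $new[$id]
        if ($null -eq $n) { $change = 'Removed' }
        elseif ($null -eq $o) { $change = 'Added' }
        elseif ($o.OuterXml -ceq $n.OuterXml) { continue }   # rule untouched
        else {
            # Name the parts that differ; they map to the General tab and the condition and Exceptions tabs.
            $parts = @()
            foreach ($a in 'Name', 'Description', 'UserOrGroupSid', 'Action') {
                if ($o.GetAttribute($a) -cne $n.GetAttribute($a)) { $parts += $a }
            }
            foreach ($c in 'Conditions', 'Exceptions') {
                if ($o.SelectSingleNode($c).OuterXml -cne $n.SelectSingleNode($c).OuterXml) { $parts += $c }
            }
            $change = 'Changed: ' + ($parts -join ', ')
        }
        $r = if ($null -ne $n) { $n } else { $o }
        New-Object PSObject -Property @{ Name = $r.GetAttribute('Name'); Change = $change
            Collection = $r.ParentNode.GetAttribute('Type'); RuleType = $r.LocalName }
    }
}

Compare-AppLockerRuleSnapshot $before $after | Format-Table Collection, RuleType, Name, Change -AutoSize
```

A reported change to Conditions, Action, or UserOrGroupSid alters what the rule allows or denies and for whom, so review it against the intended edit before relying on the policy.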