Configure the AppLocker Reference Computer
Updated: May 23, 2012
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes steps to create an AppLocker policy platform structure on a reference computer running Windows 7 or Windows 8.
An AppLocker reference computer used for the development and deployment of AppLocker policies should mimic the directory structure and corresponding applications in the organizational unit (OU) or business group for the production environment. On a reference computer, you can:
Maintain an application list for each business group.
Develop AppLocker policies by either creating individual rules or creating a policy by automatically generating rules.
Create the default rules to allow the Windows system files to run properly.
Run tests and analyze the event logs to determine the affect of the policies you intend to deploy.
The reference computer does not need to be joined to a domain but must be able to import and export AppLocker policies in XML format. The reference computer must be running one of the supported editions of Windows 7 or Windows 8. For information about the supported editions, see Requirements to Use AppLocker.
If the operating system is not already installed, install one of the supported editions of Windows 7 or Windows 8 on the computer.
Note If you use another computer to test your implementation of AppLocker policies by using Group Policy, you can export the policies to the other computer on which the Group Policy Management Console (GPMC) is installed.
Configure the administrator account.
To update local policies, you must be a member of the local Administrators group. To update domain policies, you must be a member of the Domain Admins group or have delegated privileges to use Group Policy to update a Group Policy object (GPO).
Install all applications that run in the targeted business group or OU by using the same directory structure.
The reference computer should be configured to mimic the structure of your production environment. It is dependent upon the same applications in the same directories as they are in production in order to accurately create the rules.
Import the AppLocker Windows PowerShell cmdlet module.
To use the AppLocker cmdlets, you must first import the AppLocker module by using the following command at the Windows PowerShell command prompt:
C:\PS> Import-Module AppLocker. Scripting must be enabled on the computer. For information about Windows PowerShell, see the Windows PowerShell Help file (WindowsPowerShellHelp.chm). For information about using the cmdlets, see Using the AppLocker Windows PowerShell Cmdlets.
After you configure the reference computer, you can now create the AppLocker rule collections. You can build, import, or automatically generate the rules. For procedures to do this, see: