Deploying the AppLocker Policy into Production
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes the tasks that should be completed before deploying AppLocker application control settings.
After successfully testing and modifying the AppLocker policy for each Group Policy Object (GPO), you are ready to deploy the enforcement settings into production. For most organizations, this means switching the AppLocker enforcement setting from Audit only to Enforce rules. However, it is important to follow the deployment plan that you created earlier. For more information, see the AppLocker Policies Design Guide. Depending upon the needs of different business groups in your organization, you might be deploying different enforcement settings for linked GPOs.
Understanding your design decisions
Before deploying an AppLocker policy, you should have determined:
For each business group, which applications will be controlled and in what manner. For more information, see Creating the List of Applications Deployed to Each Business Group.
How to handle requests for application access. For information about what to consider when developing your support policies, see Planning for AppLocker Policy Management.
How to manage events, including forwarding events. For information about event management in AppLocker, see:
Windows Server 2008 R2 and Windows 7
Windows Server 2012 and Windows 8
Your GPO structure, including how to include both Software Restriction Policies (SRP) policies and AppLocker policies. For more information, see Determining Group Policy Structure and Rule Enforcement.
For information about how AppLocker deployment is dependent upon design decisions, see Understanding AppLocker Policy Design Decisions.
AppLocker deployment methods
If you have configured a reference computer, you can create and update your AppLocker policies on this computer, test the policies, and then export the policies to the appropriate GPO for distribution. The other method is to create the policies with the enforcement setting set at Audit only and observe the events generated.
Using a Reference Computer to Create and Maintain AppLocker Policies
This topic describes the steps to use an AppLocker reference computer to prepare application control policies for deployment by using Group Policy or other means.
Deploying AppLocker Policies by Using the Enforce Rules Setting
This topic describes the steps to deploy the AppLocker policy by changing the enforcement setting to either Audit only or Enforce rules.