Discover the Effect of an AppLocker Policy
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012
This topic describes the tasks to discover the effect of an AppLocker policy.
You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see Creating Your AppLocker Planning Document. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
Analyze the AppLocker logs in Event Viewer
When AppLocker policy enforcement is set to Enforce rules, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to Audit only, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs.
For the procedure to access the log, see View the AppLocker Log in Event Viewer.
Enable the Audit only AppLocker enforcement setting
By using the Audit only enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to Audit only, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
For the procedure to do this, see Configure an AppLocker Policy for Audit Only.
Review AppLocker events with Get-AppLockerFileInformation
For both event subscriptions and local events, you can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file.
For the procedure to do this, see Review AppLocker Events with Get-AppLockerFileInformation.
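The following PowerShell session is an added example, not part of the original topic, that covers both the log analysis described above and the Get-AppLockerFileInformation review. It assumes it is run in an elevated session on a computer where the AppLocker event logs exist; the log names and event IDs (8002 allowed, 8003 audited, 8004 blocked) are the ones AppLocker uses.

```powershell
# Added example (not from the original topic): summarize AppLocker audit and block
# events from the local event logs, then list the affected files with counts.
# Assumes an elevated session on a computer that has the AppLocker logs.

# AppLocker writes to these two logs. Event IDs:
# 8002 = allowed, 8003 = allowed but would have been blocked (Audit only), 8004 = blocked.
$logNames = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script'
)

foreach ($log in $logNames) {
    Write-Host "== $log =="

    # Raw counts per event ID. A collection that only produces 8003 events is in
    # Audit only mode; 8004 events mean rules are actually being enforced.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8002, 8003, 8004 } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
        Format-Table -AutoSize

    # Per-file view: which files would have been blocked (Audited) or were blocked
    # (Denied), and how many times each one appeared. -Statistics adds the Counter column.
    foreach ($type in 'Audited', 'Denied') {
        Write-Host "-- $type files --"
        Get-AppLockerFileInformation -EventLog -LogPath $log -EventType $type -Statistics |
            Sort-Object Counter -Descending |
            Format-Table Path, Publisher, Counter -AutoSize
    }
}
```

Files that appear repeatedly under Audited are the ones users would lose access to the moment the collection is switched from Audit only to Enforce rules, so this list is the natural input for the rule changes to make before enforcement.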
Review AppLocker events with Test-AppLockerPolicy
You can use the Test-AppLockerPolicy Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will block files on your reference computer or the computer on which you maintain policies.
For the procedure to do this, see Test an AppLocker Policy by Using Test-AppLockerPolicy.
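The following PowerShell session is an added example, not part of the original topic, showing how to export the effective policy, report each rule collection's enforcement mode (so an Audit only collection is not mistaken for an enforced one), and run Test-AppLockerPolicy against executables in a user-writable directory. The directory and user name are placeholders chosen for illustration; replace them with values that fit your environment.

```powershell
# Added example (not from the original topic): test files against the effective
# AppLocker policy for a given user and list what would be denied.
# Assumes the AppLocker module is available and the chosen user account exists.

# Export the effective policy (local policy merged with domain GPOs) as XML so the
# same file can be tested on a reference computer.
$policyXml = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml -Encoding UTF8

# Report each rule collection's enforcement mode (NotConfigured, Enabled, AuditOnly).
[xml]$doc = Get-Content -Path $policyXml
$doc.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode |
    Format-Table -AutoSize

# Placeholder inputs (assumptions): a directory typical users can write to, and the
# account whose access should be evaluated.
$candidateDir = $env:LOCALAPPDATA
$testUser     = "$env:USERDOMAIN\$env:USERNAME"

$files = Get-ChildItem -Path $candidateDir -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object -ExpandProperty FullName

if (-not $files) {
    Write-Host "No .exe files found under $candidateDir; nothing to test."
} else {
    # Keep only the decisions that matter for this review: explicit denials and
    # files denied because no rule allows them.
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $files -User $testUser -Filter Denied, DeniedByDefault |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}
```

The MatchingRule column distinguishes files hit by an explicit deny rule from those that are DeniedByDefault because no allow rule covers them; the latter usually indicate a missing publisher or path rule rather than an intentional block.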