AppLocker Audit vs. Enforced mode

If you haven't done so already, you should first read my previous AppLocker article, where we created our AppLocker rules from event log data. We can now move from AppLocker Audit mode to AppLocker Enforced mode.

Author
Recent Posts

Sami Laiho

Sami Laiho has been a Microsoft Most Valuable Professional (MVP) since 2011 and one of the world's leading IT experts for Windows and security. He has been teaching OS troubleshooting, management, and security since 1996. In 2019 TiVi-magazine chose Sami as one of the top 100 influencers in IT in Finland. For more info, go to https://samilaiho.com.

Latest posts by Sami Laiho (see all)

Hardening AppLocker - Thu, Jun 25 2020
AppLocker Audit vs. Enforced mode - Tue, Jun 23 2020
Creating AppLocker rules from the Windows event log - Wed, Jun 17 2020

Until now, we have only been auditing. Audit mode only adds event log entries about apps that would have been prevented if AppLocker was in Enforced mode. When moving to Enforced mode, you need to be ready to react quickly. When you have a client that can't run what is needed, you have a few options:

Make the app work by moving it to a trusted path.
Sign the app and trust your own code signing certificate.
Create an AppLocker rule to allow the app.

Sometimes the problem needs to be solved super-fast, or the person having it is a VIP that we really need to be on our side with the project. There's nothing more important than having management buy in on things like this, so you don't want to kill AppLocker in the beginning by angering VIPs or stopping people from being productive.

What I recommend is that you create a new policy that you use for enforcing AppLocker and keep another policy for auditing. You can export and import AppLocker rules as XML, so it's easy to copy from one policy to another.

Filter the GPOs so that you can instruct the ServiceDesk to just move the user's computer to another group if they are not able to solve a problem quickly. Then you can have the computer just audit while you fix the issue. When you're done, move the computer back to Enforced mode. I call this auditing policy PANIC MODE.

Exporting and importing AppLocker rules can be done via an XML file

You should now set the policies as seen in the picture.

Moving AppLocker to Enforced mode will actually block apps that are not trusted

Keeping another policy in Audit mode to quickly allow computers to run apps if needed

The Enforced policy should hit about 25% of your final target, and the rest should stay in Audit mode. After this, let it run again for a few weeks to see how everything goes. After that, you are ready to move the rest of the environment to Enforced mode.