Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows
Server 2012.
You create and enforce the default App1ocker executable rules.
Users report that they can no longer execute a legacy Application installed in the root of drive C.
You need to ensure that the users can execute the legacy Application.
What should you do?
A.
Modify the action of the existing rules.
B.
Create a new rule.
C.
Add an exception to the existing rules.
D.
Delete an existing rule.
Explanation:
App1ocker is a feature that advances the functionality of the Software Restriction Policies feature.
App1ocker contains new capabilities and extensions that reduce administrative overhead and
helpadministrators control how users can access anduse files, such as executable files, scripts, Windows
Installerfiles, and DLLs. By using App1ocker, you can:
Define rules based on file attributes that persist across Application updates, such as the publisher name
(derived from the digital signature), product name,file name, and file version. You can also create rulesbased
on the file path and hash. Assign a rule to a security group or an individual user. Create exceptions to rules. For
example, you can create a rule that allows all users to run all Windowsbinaries except the Registry Editor
(Regedit.exe). Use audit-only mode to deploy the policy and understand its impact before enforcing it.Create
rules on a staging server, test them, export them to your production environment, and then importthem into a
Group Policy Object.
Simplify creating and managing App1ocker rules by using Windows PowerShell cmdlets for App1ocker.
App1ocker default rules
App1ocker allows you to generate default rules for each of the rule types.
Executable default rule types:
Allow members of the local Administrators group to run all Applications. Allow members of the Everyonegroup
to run Applications that are located in the Windowsfolder.
Allow members of the Everyone group to run Applications that are located in the Program Filesfolder.
Windows Installer default rule types:
Allow members of the local Administrators group to run all Windows Installer files. Allow members of the
Everyone group to run digitally signed Windows Installer files. Allow members of the Everyone group torun all
Windows Installer files located in the Windows\Installerfolder.
Script default rule types:
Allow members of the local Administrators group to run all scripts. Allow members of the Everyone group to run
scripts located in the Program Files folder. Allow members of the Everyone group to run scripts located in the
Windows folder. DLL default rule types:( this on can affect system performance ) Allow members of the local
Administrators group to run all DLLs. Allow membersof the Everyone group to run DLLs located in the Program
Files folder. Allow members of the Everyone group to run DLLs located in the Windows folder.
You can App1y App1ocker rules to individual users or to a group of users. If you App1y a rule to a group
ofusers, all users in that group are affected by that rule. If you need to allow a subset of a user group to use
anApplication, you can create a special rule for that subset. For example, the rule “Allow Everyone to
runWindows except Registry Editor” allows everyone in the organization to run the Windows operating sy stem,
butit does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such asHelp Desk personnel from running a program that
isnecessary for their support tasks. To resolve this problem, create a second rule that App1ies to theHelpDesk
user group: “Allow Help Desk to run Registry Editor.” If you create a deny rule that does not allow anyusers to
run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group torun
Registry Editor.
http://technet.microsoft.com/library/hh831440.aspx http://technet.microsoft.com/en-us/library/dd759068.aspx
http://technet.microsoft.com/de-de/library/hh994621.aspx
B – You have to create a new rule.