You need to prevent App1 from running on Computer1

Your network contains an Active Directory domain named contoso.com. You have a Group Policy
object (GPO) named GP1 that is linked to the domain. GP1 contains a software restriction policy that
blocks an application named App1.
You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on
Computer1 contains an application control policy that allows App1.

You join Computer1 to the domain.
You need to prevent App1 from running on Computer1.
What should you do?

Your network contains an Active Directory domain named contoso.com. You have a Group Policy
object (GPO) named GP1 that is linked to the domain. GP1 contains a software restriction policy that
blocks an application named App1.
You have a workgroup computer named Computer1 that runs Windows 8. A local Group Policy on
Computer1 contains an application control policy that allows App1.

You join Computer1 to the domain.
You need to prevent App1 from running on Computer1.
What should you do?

A.
From Computer1, run gpupdate/force.

B.
From Group Policy Management, add an application control policy to GP1.

C.
From Group Policy Management, enable the Enforced option on GP1.

D.
In the local Group Policy of Computer1, configure a software restriction policy.

Explanation:
AppLocker policies take precedence over policies generated by SRP on computers that are running
an operating system that supports AppLocker.
AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the
GPO and local AppLocker policies or policies generated by SRP.



Leave a Reply 5

Your email address will not be published. Required fields are marked *


a.l.i

a.l.i

The GP1’s SRP will block App1 so why we need an ACP to block it? I know it will take precedence but the SRP is not to allow it!

Silvio

Silvio

I don’t get it as well, I would have picked A. The only explanation i can find, is that the SRP will only block the installation of App1, and we need an application control policy to block the execution of the app if it is already installed. We need someone knowledgable to confirm or explain please.

pikapoka

pikapoka

The way I see it is:
As said in explanation “AppLocker policies take precedence over policies generated by SRP “.
In scenario is said:
1.”GP1 is linked to the domain and contains a software restriction policy (SRP) that blocks an application named App1″
2.”A local Group Policy on Computer1 contains an application control policy that allows App1”

Creating effective application control policies with AppLocker starts by creating the rules for each application. (https://technet.microsoft.com/en-us/library/ee791899%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396)

In question, “AppLocker” word has not been used; they are using application control policy. And as application control policies are created with AppLocker, I think the answer is B.

AppLocker policy is taking the precedence over the SRP, which means that by choosing the answer A – run gpupdate/force , we would allow App1 to run on the domain.
To block App1, we need to add an application control policy to GP1 (answer B).

Am I getting this right?

TS

TS

This is a bit of a gotcha question.

Long story short, software restriction policies (SRP) are over ridden by application control policies (ACP). When the clients computer joins the domain, he has a local policy that will override the SRP. While forcing a GP update looks correct, the SRP will not override the ACP until you create a domain wide policy.

That is why B is correct, since a domain ACP will override the local policy. Both A nor C will work since the local policy will override. D will work but you don’t want anyone on the domain to run App1 so B is the correct answer in the long run/greater picture.