PrepAway - Latest Free Exam Questions & Answers

You need to ensure that the users can execute the legacy application

Your network contains an Active Directory domain named contoso.com. All domain controllers run
Windows Server 2012 R2.
You create and enforce the default AppLocker executable rules.
Users report that they can no longer execute a legacy application installed in the root of drive C.
You need to ensure that the users can execute the legacy application.
What should you do?


A. Create a new rule.

B. Delete an existing rule.

C. Modify the action of the existing rules.

D. Add an exception to the existing rules.

Explanation:
AppLocker is a feature that advances the functionality of the Software Restriction Policies feature.
AppLocker contains new capabilities and extensions that reduce administrative overhead and help
administrators control how users can access and use files, such as executable files, scripts, Windows
Installer files, and DLLs. By using AppLocker, you can:

Define rules based on file attributes that persist across application updates, such as the publisher name (derived from the digital signature), product name, file name, and file version. You can also create rules based on the file path and hash.
Assign a rule to a security group or an individual user.
Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries except the Registry Editor (Regedit.exe).
Use audit-only mode to deploy the policy and understand its impact before enforcing it.
Create rules on a staging server, test them, export them to your production environment, and then import them into a Group Policy Object.
Simplify creating and managing AppLocker rules by using Windows PowerShell cmdlets for AppLocker.

AppLocker default rules
AppLocker allows you to generate default rules for each of the rule types.

Executable default rule types:
Allow members of the local Administrators group to run all applications.
Allow members of the Everyone group to run applications that are located in the Windows folder.
Allow members of the Everyone group to run applications that are located in the Program Files folder.

Windows Installer default rule types:
Allow members of the local Administrators group to run all Windows Installer files.
Allow members of the Everyone group to run digitally signed Windows Installer files.
Allow members of the Everyone group to run all Windows Installer files located in the Windows\Installer folder.

Script default rule types:
Allow members of the local Administrators group to run all scripts.
Allow members of the Everyone group to run scripts located in the Program Files folder.
Allow members of the Everyone group to run scripts located in the Windows folder.

DLL default rule types (this one can affect system performance):
Allow members of the local Administrators group to run all DLLs.
Allow members of the Everyone group to run DLLs located in the Program Files folder.
Allow members of the Everyone group to run DLLs located in the Windows folder.

You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a
group of users, all users in that group are affected by that rule. If you need to allow a subset of a
user group to use an application, you can create a special rule for that subset. For example, the rule
“Allow Everyone to run Windows except Registry Editor” allows everyone in the organization to run
the Windows operating system, but it does not allow anyone to run Registry Editor.
The effect of this rule would prevent users such as Help Desk personnel from running a program that
is necessary for their support tasks. To resolve this problem, create a second rule that applies to the
Help Desk user group: “Allow Help Desk to run Registry Editor.” If you create a deny rule that does
not allow any users to run Registry Editor, the deny rule will override the second rule that allows the
Help Desk user group to run Registry Editor.
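
The rule evaluation described above, as an added Python model (not AppLocker code and not part of the original page). It is simplified to path conditions only; the file name C:\legacy.exe, the group sets and the variable expansions are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass

# Usual expansions of AppLocker path variables (assumed for this model).
VARS = {"%WINDIR%": r"C:\Windows", "%PROGRAMFILES%": r"C:\Program Files",
        "%OSDRIVE%": "C:"}

def path_matches(pattern, path):
    for name, value in VARS.items():
        pattern = pattern.replace(name, value)
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

@dataclass
class Rule:
    action: str              # "Allow" or "Deny"
    group: str               # group the rule is assigned to
    path: str                # path condition; * is a wildcard
    exceptions: tuple = ()   # path conditions excluded from this rule

    def applies(self, groups, path):
        return (self.group in groups and path_matches(self.path, path)
                and not any(path_matches(e, path) for e in self.exceptions))

def evaluate(rules, groups, path):
    """Explicit Deny wins, then any Allow; nothing matching means blocked."""
    hits = {r.action for r in rules if r.applies(groups, path)}
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else "Blocked"

# The three executable default rules listed above.
DEFAULT_EXE_RULES = [
    Rule("Allow", "Administrators", "*"),
    Rule("Allow", "Everyone", r"%WINDIR%\*"),
    Rule("Allow", "Everyone", r"%PROGRAMFILES%\*"),
]
USER, HELP_DESK = {"Everyone"}, {"Everyone", "Help Desk"}
LEGACY = r"C:\legacy.exe"            # constructed file name
REGEDIT = r"C:\Windows\regedit.exe"

def legacy_scenario():
    fixed = DEFAULT_EXE_RULES + [Rule("Allow", "Everyone", r"%OSDRIVE%\legacy.exe")]
    return evaluate(DEFAULT_EXE_RULES, USER, LEGACY), evaluate(fixed, USER, LEGACY)

def regedit_scenario():
    rules = [Rule("Allow", "Everyone", r"%WINDIR%\*", (r"%WINDIR%\regedit.exe",)),
             Rule("Allow", "Help Desk", r"%WINDIR%\regedit.exe")]
    deny = rules + [Rule("Deny", "Everyone", r"%WINDIR%\regedit.exe")]
    return (evaluate(rules, USER, REGEDIT), evaluate(rules, HELP_DESK, REGEDIT),
            evaluate(deny, HELP_DESK, REGEDIT))
```

`legacy_scenario()` returns the verdict for a standard user before and after an allow rule for the file is added to the defaults; `regedit_scenario()` returns the verdicts for a standard user, a Help Desk member, and a Help Desk member once a deny rule exists.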

7 Comments on “You need to ensure that the users can execute the legacy application”

  1. mist74 says:

    In my opinion, the D is correct.
    Adding new rule does not do, because negative rules have precedence on positive ones. In the citation is stated: “Create exceptions to rules. For example, you can create a rule that allows all users to run all Windows binaries except the Registry Editor (Regedit.exe).” In our case we have negative rule, that has to be changed by adding a positive exception.




  2. Erwin says:

    I think A is correct. The default rules allow applications to run in specific folders by specific groups. No deny is included in the default rules. As you can’t modify any default rule to allow other users to run a specific application in the C-root, you have to create a new rule.




  3. billkom says:

    A is correct. No Deny rules have been created. Default AppLocker rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection.

    The Question says that a Legacy App stopped working. It was likely allowed through Software Restriction Policies. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. So a new rule needs to be created in AppLocker.

    Using AppLocker and Software Restriction Policies in the same domain
    https://technet.microsoft.com/en-us/library/hh994614.aspx
    Using AppLocker and Software Restriction Policies in the same domain

    AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored.



