Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2016.1
A user named User1 is a member of the local Administrators group. Server1 has the AppLocker rules
configured as shown in follow:

Rule1 and Rule2 are configured as shown in the following table:1

You verify that User1 is unable to run App2.exe on Server1.
Which changes will allow User1 to run D:\\Folder1\\Program.exe and D:\\Folder2\\App2.exe? Choose Two.

A.
User1 can run D:\\Folder1\\Program.exe if Program.exe is moved to another folder

B.
User1 can run D:\\Folder1\\Program.exe if Program.exe is renamed

C.
User1 can run D:\\Folder1\\Program.exe if Program.exe is updated

D.
User1 can run D:\\Folder2\\App2.exe if App2.exe is moved to another folder

E.
User1 can run D:\\Folder2\\App2.exe if App2.exe is renamed

F.
User1 can run D:\\Folder2\\App2.exe if App2.exe is upgraded

Explanation:
https://technet.microsoft.com/en-us/library/ee449492(v=ws.11).aspx

For “D:\\Folder1\\Program.exe”, it is originally explicitly denied due to Rule1, when moving the “Program,exe” out
of “D:\\Folder1\\”, it does not match Rule1.
Assume that “Program.exe” is moved to “D:\\Folder2”, it matches an Explicit Allow rule for group “BUILTIN
\\Administrators” which User1 is a member of, therefore A
is correct.
For “App2”,exe, it matches a Explicit Deny rule using its File Hash (created File content), no matter where you
move it to, or how you rename it, it would still match
Rule2.
Only changing the file content of App2.exe would let it no longer match the explicit deny hash-based rule
“Rule2”.
By upgrading its version and content, it will generate a new hash. so F is correct.