Creating policies

You can create the following policies in Enforce.

Anti-Malware

Anti-malware policies use the Microsoft Anti-malware engine to protect your endpoints from viruses. These policies are configured using the Machine administrative templates - Windows Defender Antivirus Active Directory administrative group policy objects on Windows systems. See Create an Anti-malware policy.

AppLocker

AppLocker policies provide access control by using application whitelisting. Use AppLocker policies to prevent unwanted executables from running on your endpoints (Deny rules) or to only allow certain applications to run on endpoints (Allow rules).

Device Control

Use device control policies to control access to removable storage devices and the installation of all devices. See Create a Windows device control policy.

Firewall Management - Windows and Linux

Firewall management policies consist of rules that block or allow network traffic using the built-in operating system firewall. See Create a Windows firewall management policy and Create a Linux firewall management policy.

Machine Administrative Templates

Machine administrative template policies target machine-based Active Directory administrative template (ADMX) group policy objects on Windows systems. Use machine administrative policies to apply consistent rules to Windows devices regardless of the logged-in user. See Create a Machine administrative template policy.

The following Microsoft packages are used in Windows administrative template policies: Windows 10 baseline, Google Chrome, MS Office, and Windows Security Baseline ADMX files (MSS-legacy and SecGuide).

Software Restriction Policy (SRP)

SRPs consist of rules that block the execution of applications and are created using the Windows SRP component.

Windows Remediation

A remediation policy is a list of tasks that run sequentially on the endpoint(s).

Create an Anti-malware policy

Anti-malware policies consist of groups of settings. You can only have one Anti-malware rule per policy; however, a single Anti-malware rule within one policy can have multiple settings.

Make sure you have completed the steps detailed in the Upload Anti-malware section before configuring anti-malware policies.

Default Windows Defender policy

Enforce provides a default Windows Defender policy. View this policy in the Enforce menu > Policies page. The default policy contains settings for client interface, anti-virus quarantining, scanning, and exclusions. Expand each policy to view the pre-configured settings. You can edit or delete this policy. Create an enforcement to deploy it to endpoints.

Configure a new anti-malware policy

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • Select Machine Administrative Templates from the Policy Type drop-down menu.
  3. In the Anti-malware Specific Settings section, click the Create exclusions for Tanium processes button. The required Tanium exclusions are automatically added to the policy.
  4. Determine if you should keep Deploy definition update using Tanium for Managed Definitions enabled.
  5. Complete the fields for Definition Grace Period to specify how often endpoints use Tanium to check for Anti-malware definition updates. This value represents how old an Anti-malware definition can be before the policy is considered unenforced. The default grace period is 1 day.
  6. By default, Anti-malware rules are configured to use Tanium to deploy Anti-malware definition updates. If an endpoint has not received an update within the specified grace period, it is considered unenforced. When this option is unchecked, endpoints retrieve definitions directly from Microsoft.

  7. Search for Windows Defender in the Configure Policy Settings section. Enable Windows Defender policies and enter settings as needed.
  8. Anti-malware policies require that endpoints have either SCEP or Windows Defender installed. When SCEP Installation is enabled, enforcing an Anti-malware policy automatically installs SCEP on endpoints that do not support Windows Defender. See Enable Microsoft System Center Endpoint Protection (SCEP) Installation to understand how to correctly enable SCEP installation.

  9. Click the Add to Policy button after you configure a policy setting.
  10. Click the Create button at the bottom of the page once all settings for the policy are complete. The policy now appears in the Policies list in the Machines tab. When you create an Anti-Malware policy, you can add settings to control the user experience.
  11. You can enforce a policy from three different places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    See Enforcing policies for details.

    Create an AppLocker policy

    For successful AppLocker rule enforcement, Protect starts the Application Identity service on the endpoint.

    The Enforce settings include default rule templates for each rule type used in AppLocker policies. The Block list rule template is used by default until you change it. For more information about changing the default rule templates, see Set defaults for AppLocker.

    Only one AppLocker policy is in effect on an endpoint at a given time. Therefore, if you want to enforce rules for multiple app types (Executable, Windows Installer, or Script) on a particular endpoint, you must use one AppLocker policy with rules for each app type (and not a separate policy for each one). If there are multiple policies with the same policy type applied to an endpoint, the priority of the policy is used to resolve the conflict.

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • Select AppLocker from the Policy Type drop-down menu.
  3. (Optional) Provide a Support URL if you want to display a custom URL when a user tries to run an app that is blocked.

  4. Select one or more rule types to configure for the policy: Executable, Windows Installer, or Script. A section displays for each rule type you select. Deny and Allow rules are populated with the default rule template you chose in the Enforce Settings > AppLocker section.
  5. Add additional rules, if necessary, as follows.
    • Click Create in the Deny section to create a deny rule that prevents the specified files from running on endpoints where the policy is enforced.
    • Click Create in the Allow section to create an allow rule that allows the specified files to run on endpoints where the policy is enforced.

      AppLocker Deny rules take precedence over AppLocker Allow rules. (You must include at least one Allow rule.) See Set defaults for AppLocker in the Getting Started section of this guide for best practice and rule precedence information.

      Be aware of AppLocker allow or deny rules that are set in your Domain Policy. These rules might take precedence over AppLocker rules created in Enforce.

      As a best practice, add to the existing default rules to allow or deny files rather than modifying the default rules. Test any modifications in audit mode first to ensure that they are running as intended before you switch to blocking mode.

      The Tanium Client uses BAT, EXE, and VBS files. Be sure that you do not block scripts in the Tanium Client directory that might break the client functions.

    • Specify the following settings for each rule that you add:
      1. Select whether the rule is Audit Only or Blocking.
      2. Click Create and provide a Name for the rule.
      3. In the Type section, select Path, Hash, or Publisher.
      4. Specify the settings for the file:
        • If you selected Path, provide the file name or path in the Path field.
        • If you selected Hash, provide the Hash and optional file size in bytes. Optionally, click the + sign to add another hash rule.
        • If you selected Publisher, provide the Publisher, Product Name, File Name, and File Version, using the pulldown to indicate whether you want earlier or later versions included or only the version you specify. Use the * character as a wildcard for any of these values.
      5. Select Everyone or Administrators in the Windows User section.
  6. Click Create.

Create a Windows device control policy

Windows device control policies provide two modes for administering devices on Windows endpoints.

Removable Storage

Controls access permissions on removable media. The types of removable media predefined by Microsoft are CD-ROM and DVD drives, floppy disk drives, removable disk drives, tape drives, and Windows Portable Devices (WPD).

With this mode, you can deny specific permissions to categories of removable devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Removable Storage Access.

All Devices

Restricts the installation of new devices. This advanced mode provides more granular control by using a list-based approach.

With this mode, the installation of any new device is blocked unless the device is explicitly allowed by either the device class or the hardware ID of the device. Optional settings allow administrators to bypass all restrictions and to uninstall existing USB storage devices that are not on the allowed list of devices. On the endpoint, the permissions are managed using local group policy settings located in Administrative Templates > System > Device Installation > Device Installation Restrictions.

Make sure you have completed the steps detailed in the Manage Windows device classes and devices section before configuring device control policies.

Create a Windows device control policy to administer removable storage

  1. From the Enforce menu, go to Policies and click the Create Policy button.

  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • From the Policy Type drop-down, select Device Control - Removable Storage - Windows.
  3. In the Device Control section, select the type of removable storage that you want to administer and the access that you want to deny for that storage type.
  4. Click Create to create the policy.

Create a Windows device control policy to administer all devices

This mode blocks new installations of all devices by default. This mode includes an optional setting to uninstall existing USB storage devices that are not on the policy allow list. All other existing devices remain installed and will not be blocked, including devices that are not currently connected but were installed previously. You must add devices to the policy allow list to allow installation to endpoints. Carefully test configurations and their impacts before you deploy them widely.

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • From the Policy Type drop-down, select Device Control - All Devices - Windows.
  3. Configure the Device Control settings for your policy:
    1. Optional. In the Deny section, select Provide a notification message for users when a device is denied access and specify a message to display when a user attempts to install a restricted device.
    2. In the Allow section, configure the following settings:

      General Device Rules

      • Select the Allow Administrators to bypass all restrictions option to enable end-users to bypass the restrictions if they are logged in as an administrator.

        Devices do not install automatically when this option is selected. Administrators must manually install the device through Device Manager.

      • Select the Uninstall existing USB storage devices not on the allowed list of devices option to uninstall USB storage devices that are not allow listed.

        As a safeguard against uninstalling devices that are required for the system to run, other devices that are currently installed on an endpoint, including devices that are not currently connected but were installed previously, are not uninstalled when this option is selected. If the device is in use when the policy is enforced on the endpoint, the device is uninstalled at the next reboot of the endpoint. In this scenario, the policy status sensor returns a status indicating that prohibited devices are still installed.

      Device Classes

      Use the Device Classes section to define groups of devices that you want to allow in your environment. Many device classes are predefined by Microsoft, and you can define custom device classes. Each device class has a globally unique identifier (GUID). For more information about device classes, see Microsoft: Hardware Dev Center: Device Classes. When you add a device class, it is stored in the global device class list, which you can access from the Settings page.

      If you add a device by device class, you must allow all of the device nodes in the device tree for that class. For example, if you want to allow the installation of a USB storage device, you must allow the installation of Disk Drives and USB Bus Devices (hubs and host controllers). For more information, see Microsoft: Hardware Dev Center: Device nodes and device stacks.

      1. Click Import to query all Windows endpoints for their installed device classes and import them to the allow list. With this option, you can quickly add any custom device classes that might be used in your environment. Device classes that are already known to Enforce, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all device classes that were found on endpoints or you can select individual device classes. Click Proceed to add the selected device classes to the allow list.
      2. Click Manage Existing to add existing device classes to the allow list. This list contains the predefined device classes that are provided by Microsoft and any device classes that were manually added previously. From this page, you can add or remove all available device classes, or add or remove individual device classes.

        If you added a device class using the Create option, you will not see it in this list until you save the policy.

      3. Click Create to add a new device class. Specify a device class name, valid GUID, and optional description. Click Create again to add the device class to the allow list.

      Devices

      Use the Devices section to define individual devices that you want to allow in your environment. This option is useful if, for example, you want to allow a USB storage device from a specific manufacturer that is supported by your company, but no other USB storage devices. You do not need to allow the associated device classes when you allow a specific device. When you add a device, it is stored in the global device list, which you can access from the Protect settings page. For more information on the global list, see Creating policies.

      • Click Create to add a new device. Specify a device name and an optional ID. Click Create again to add the device to the allow list.

        Most devices have several hardware IDs. These IDs range from the most specific, which identifies a particular device, to a more general ID, which might identify a device type. Use the hardware ID that is appropriate for your environment.

      • Click Import to query all Windows endpoints for their installed USB storage devices and import them to the allow list. With this option, you can quickly add any USB storage devices that might be used in your environment. USB storage devices that are already known to Protect, marked with a warning icon, are not imported to avoid duplicates. From this page, you can select all USB storage devices that were found on endpoints or you can select individual USB storage devices. Click Proceed to add the selected USB storage devices to the allow list.
      • Click Manage Existing to add existing devices to the allow list. This list contains devices that were manually added previously. From this page, you can add or remove all available devices, or add or remove individual devices.

  4. Click Create.

Create a Windows firewall management policy

When a Windows firewall management policy is enforced on an endpoint, Enforce starts the MpsSvc (Windows Firewall) service on that endpoint.

The maximum number of firewall rules per policy is 1000.

  1. From the Enforce menu, go to Policies and click the Create Policy button.
  2. In the Summary section, do the following:
    • Enter a Name and Description for the policy.
    • From the Policy Type drop-down, select Firewall Management - Windows.
  3. For Rule Management, choose Replace or Merge.
  4. The Replace option removes all existing firewall rules on the endpoint and replaces them with the rules in this policy. The Merge option leaves the existing firewall policies on the endpoint in place and adds the rules in this policy.
  5. Configure the following settings in the Firewall Profiles section:
    • For Network Selection, choose Default, Enabled, or Disabled.

Create a new Windows firewall rule

  1. In the Firewall Rules section, click Add Rule.
  2. Complete the following fields for your firewall rule:
  3. Field Description
    • Name: This is a required field. Enter a brief name for the rule.
    • Direction: This is a required field. Select Outbound, Inbound, or Bi-directional for the direction of the connection.
    • Action: This is a required field. Select either Block or Allow depending on the type of rule you are creating.
    • Network Protocol: This is a required field. Select a protocol. If you specify UDP or TCP for the protocol, then you must specify at least one value in the following fields: Application Path, Local Address(es), Local Port(s), Remote Address(es), Remote Port(s), or Service Name. For more information about protocols, see Microsoft Technet: Firewall Rule Properties.
    • Group: This is an optional field. You can specify a group name here or choose one that already exists that can help organize your firewall rules.
    • Profiles: Select the applicable profiles. If you do not select one or more profiles, the rule is created as if all profiles were selected.
    • Application Path: An example of an application path is C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.
    • Local Address(es): Use this field to target the rule to specific local IP addresses. Separate IP addresses with commas.
    • Local Port(s): This field is most likely populated for Inbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
    • Remote Address(es): This field can be used to target the rule to a specific remote IP address. Separate IP addresses with commas.
    • Remote Port(s): This field is most likely populated for Outbound connections. You can specify port ranges, for example: 80, 443, 5000-5010.
    • Service Name: This field can be used for a Windows Service Display name.
  4. Click Create.
  5. Edit a policy once you have created it by selecting the policy on the Policies page and then clicking Edit, making any necessary changes, and clicking Enforce Changes if enforcements exist or Update (if no enforcements are in place).

Import firewall rules from a Windows TSV file

Before you can import a firewall policy into Enforce from a Windows TSV file, you must export it from Windows.

  1. In Windows, go to Windows Firewall Advanced Security.
  2. In the left pane, right-click on Inbound Rules and click Export List. Save the file as a Text (Tab Delimited) .txt file.
  3. In the Firewall Rules section, click the Import button.
  4. Click the Select TSV File button to locate the file that contains the exported firewall rules and click Open. The Import window shows the file name and how many rules are being imported.
  5. Select the Direction.
  6. Click Proceed.
  7. Repeat these steps for Outbound Rules to export them from Windows and import them into Protect.

If the file you are importing does not include a Service column, a warning displays. If your firewall rules depend on the Service field, add the Service column and re-export the firewall rules from Windows.

To add a Service column

  1. In Windows, go to Windows Firewall with Advanced Security.
  2. Select Add/Remove Columns from the View menu.
  3. Select Service from Available columns and click Add.
  4. Click OK.
  5. Select Export List from the Action menu and save it to a file.

Import firewall rules from Tanium Endpoints

  1. In the Firewall Rules section, select Import Rules from Tanium Endpoints from the Import drop-down button.
  2. In the Import Rules from Tanium Endpoints window, select the rules already existing on Tanium endpoints that you want to import.
  3. Click Add Rules.

You can enforce a policy from three different places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    See Enforcing policies for details.

    Create a Linux firewall management policy

    1. From the Enforce menu, go to Policies and click the Create Policy button.
    2. In the Summary section, do the following:
      • Enter a Name and Description for the policy.
      • From the Policy Type drop-down, select Firewall Management - Linux.
    3. In the Linux Firewall Default Chain Policies section, select ACCEPT or DROP for the Input, Output, and Forward fields.

    4. Expand the Linux Firewall Default Rules section to view the default input, output, and forward rules. You cannot edit these defaults.

    Create a new Linux firewall rule

    1. In the Firewall Rules section, click Add Rule.
    2. Complete the following fields for your firewall rule:
    3. Field Description
      • Name: This is a required field. Enter a brief name for the rule.
      • Table: Filter is the only supported table at this time.
      • Chain: This is a required field. Select INPUT, OUTPUT, or FORWARD to specify where in a packet's delivery path a rule is evaluated.
      • Target: This is a required field. Select one of the following:
        • ACCEPT: Allows the packet.
        • DROP: Drops the packet.
        • QUEUE: Passes the packet to userspace.
        • REJECT: Sends a response back and drops the packet.
      • Network Protocol: This is an optional field where you can select the protocol of the rule or of the packet to check. The specified protocol can be one of the predefined options or it can be a numeric value, representing one of these protocols or a different one. Protocol all is the default when this option is omitted. Select the Inverse check box to include everything but the selected protocol.
      • State: Select one of the following:
        • New: The packet has started a new connection.
        • Established: The packet is associated with a connection which has seen packets in both directions.
        • Related: The packet is starting a new connection, but is associated with an existing connection.
        • Invalid: The packet could not be identified for some reason.
      • Source Address: A comma-separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse check box to include everything but the addresses you entered.
      • Destination Address: A comma-separated list of network names, IP addresses with masks, plain IP addresses, or IP address ranges. Select the Inverse check box to include everything but the addresses you entered.

      Optional fields that might appear depending on choices you make for some of the fields above:
      • Source port(s): A comma-separated list of ports or port ranges.
      • Destination port(s): A comma-separated list of ports or port ranges.
      • In Interface: Name of an interface via which a packet was received.
      • Out Interface: Name of an interface via which a packet is going to be sent.

      Depending on the choices you make for the Chain, Target, and Network Protocol fields, additional optional fields might appear that you can complete.

    4. Click Create.
    5. Edit a policy once you have created it by selecting the policy on the Policies page and then clicking Edit, making any necessary changes, and clicking Enforce Changes if enforcements exist or Update (if no enforcements are in place).
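
How the rule fields above line up with iptables options, as an added example that is not Tanium's code: the LinuxRule class and the function names are hypothetical, the flags are standard iptables syntax, and how Enforce itself renders rules is not stated on this page. Assumptions: port ranges are accepted as 5000-5010 or 5000:5010, and addresses are limited to plain IPs and CIDR blocks (network names and address ranges are outside this example).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
TARGETS = {"ACCEPT", "DROP", "QUEUE", "REJECT"}
STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}


@dataclass
class LinuxRule:
    """Hypothetical container; attribute names follow the Add Rule form fields."""
    name: str
    chain: str
    target: str
    protocol: Optional[str] = None
    protocol_inverse: bool = False
    states: List[str] = field(default_factory=list)
    source: Optional[str] = None
    source_inverse: bool = False
    destination: Optional[str] = None
    destination_inverse: bool = False
    source_ports: Optional[str] = None
    destination_ports: Optional[str] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None


def normalise_ports(spec: str) -> str:
    """Turn '80, 443, 5000-5010' into the multiport form '80,443,5000:5010'."""
    out = []
    for item in (p.strip() for p in spec.split(",")):
        lo, sep, hi = item.replace(":", "-").partition("-")
        for n in ([lo, hi] if sep else [lo]):
            if not n.isdigit() or not 1 <= int(n) <= 65535:
                raise ValueError(f"bad port {item!r}")
        if sep and int(lo) > int(hi):
            raise ValueError(f"reversed port range {item!r}")
        out.append(f"{lo}:{hi}" if sep else lo)
    return ",".join(out)


def normalise_addresses(spec: str, inverse: bool = False) -> str:
    """Validate a comma-separated list of IPs or CIDR blocks and strip spaces."""
    items = [a.strip() for a in spec.split(",")]
    for a in items:
        ipaddress.ip_network(a, strict=False)  # ValueError on names and ranges
    if inverse and len(items) > 1:
        # iptables refuses '!' combined with several addresses in one rule
        raise ValueError("Inverse cannot be combined with multiple addresses")
    return ",".join(items)


def to_iptables(rule: LinuxRule) -> List[str]:
    """Return the iptables argument list equivalent to one rule."""
    states = [s.upper() for s in rule.states]
    if rule.chain not in CHAINS or rule.target not in TARGETS:
        raise ValueError("unsupported chain or target")
    if set(states) - STATES:
        raise ValueError("unknown connection state")
    if rule.in_interface and rule.chain == "OUTPUT":
        raise ValueError("In Interface does not apply to the OUTPUT chain")
    if rule.out_interface and rule.chain == "INPUT":
        raise ValueError("Out Interface does not apply to the INPUT chain")
    has_ports = rule.source_ports or rule.destination_ports
    if has_ports and (rule.protocol not in ("tcp", "udp") or rule.protocol_inverse):
        raise ValueError("port fields need protocol tcp or udp, not inverted")

    def opt(flag: str, value: str, inverse: bool = False) -> List[str]:
        # The Inverse check box corresponds to a leading '!' on the option.
        return (["!"] if inverse else []) + [flag, value]

    args = ["iptables", "-t", "filter", "-A", rule.chain]
    if rule.in_interface:
        args += opt("-i", rule.in_interface)
    if rule.out_interface:
        args += opt("-o", rule.out_interface)
    if rule.protocol:
        args += opt("-p", rule.protocol, rule.protocol_inverse)
    if rule.source:
        src = normalise_addresses(rule.source, rule.source_inverse)
        args += opt("-s", src, rule.source_inverse)
    if rule.destination:
        dst = normalise_addresses(rule.destination, rule.destination_inverse)
        args += opt("-d", dst, rule.destination_inverse)
    if states:
        args += ["-m", "state", "--state", ",".join(states)]
    if has_ports:
        args += ["-m", "multiport"]
        if rule.source_ports:
            args += ["--sports", normalise_ports(rule.source_ports)]
        if rule.destination_ports:
            args += ["--dports", normalise_ports(rule.destination_ports)]
    args += ["-j", rule.target]
    return args
```

Comparing this output with the rules listed by Import Rules from Tanium Endpoints is a quick way to confirm that a rule entered in the form means what you intended before the policy is enforced.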

    Import Linux firewall rules from Tanium endpoints

    1. In the Linux Firewall Rules section, click Import Rules from Tanium Endpoints.
    2. In the Import Firewall Rules from Tanium Endpoints window, select the check boxes for rules already existing on Tanium endpoints that you want to import.
    3. Click Add Rules.

    Some rules might specify “rule not supported …”. This means that Enforce does not support this rule, but the entire rule configuration is shown in the rule listing so that you can configure it manually if needed.

    You can enforce a policy from three different places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    See Enforcing policies for details.

    Create a Machine administrative template policy

    1. From the Enforce menu, go to Policies and click the Machines tab.
    2. Click the Create Policy button.
    3. In the Summary section, do the following:
      •  Enter a Name and Description for the policy.
      • From the Policy Type drop-down, select Machine administrative template. Machine administrative template policies target machine-based ADMX (Active Directory administrative templates) group policy objects.
    4. In the Configure Policy Settings section, select a category on the left side, and the available settings for that category appear on the right side.
      • Search Categories and Settings— There is a search field at the top of the categories column on the left side. Type the name of the category or setting you are looking for and an asterisk appears to the right of all items that contain the search criteria.
      • Some high-level categories for Machine administrative template policies are listed in the Machine Administrative Templates Policy Categories Example table below.
    5. Table 1: Machine Administrative Templates Policy Categories Example
      Category (top level): Overview
      • Control Panel: Includes display, personalization, regional and language options, and printers.
      • Google Chrome: Includes cookies, JavaScript, and image settings.
      • MS Security Guide: Includes UAC restrictions and SMB server and client.
      • MSS (Legacy): Includes legacy Windows registry values that predate group policy.
      • Microsoft Office: Includes Windows security restrictions and storage of user passwords.
      • Network: Includes network connections.
      • Printers: Includes prevention of security issues with print driver installation.
      • Start Menu and Task Bar: Includes notifications.
      • System: Includes driver installation, display, locale services, group policy, mitigation options, logon, power management, removable storage access, and user profiles.
      • Windows Components: Includes app runtime, attachment manager, autoplay policies, cloud content, credential user interface, edge UI, and Windows Defender antivirus.

      For the full list of policy settings included in Windows administrative template files, see Microsoft: Group Policy Settings Reference for Windows and Windows Server and Microsoft Security Compliance Toolkit 1.0.

    6. When you configure a policy, the following settings are available: Not Configured, Enabled, and Disabled. Both Not Configured and Disabled use default Microsoft settings. When you change the state to Enabled, you can enter your own settings. Refer to Microsoft for a detailed explanation of each state.
    7. There is help text from Microsoft for each Policy Setting in the Enforce UI page for that setting.

    8. Click the Add to Policy button after you configure a policy setting.
    9. Click the Create button at the bottom of the page once all settings for the policy are complete. The policy now appears in the Policies list.

    You can enforce a policy from three different places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    See Enforcing policies for details.

    Create a Windows remediation policy

    1. From the Enforce menu, go to Policies and click the Create Policy button.
    2. In the Summary section, do the following:
      • Enter a Name and Description for the policy.
      • From the Policy Type drop-down, select Windows Remediation.
    3. In the Remediation section, select the task you want to run on your endpoint(s) from the Add Task drop-down button.

      You can add the following seven types of tasks to a Windows remediation policy:

      • Delete File: deletes a single file or multiple files matching a glob pattern. See Remediation policy file pattern matching examples.
      • Delete Registry Key: deletes a registry key if it exists.
      • Edit Registry Data: modifies an existing registry value if it exists; optionally, the value can be created if it does not exist.
      • Kill Process: kills all processes that match the specified Process Type options: name, path, or hash. You can also optionally enter Command Line Args to use a regular expression to match against process command line arguments for any of the Process Type options.
      • Run Service Action: changes the running state of the specified service.
      • Run Service Configuration: changes the startup config of the specified service.
      • Update Registry Value: changes the name of a registry value if it exists or deletes the value if the delete option is selected.

        For tasks that modify the registry and target the HKEY_USERS hive, if you use the wildcard (*) to target all users, users that are logged out when the policy is enforced are skipped.

    4. Complete the required fields for the task you are defining.
    5. Add other tasks as needed for the policy. When you have added all tasks, click Create.

    You can enforce this policy from the following places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    See Enforcing policies for details.

    Remediation policy file pattern matching examples

    Protect supports globs for pattern matching in remediation policies. See the Python documentation for details.

    Recursive matching is not supported. Each directory level must be specified.

    Definition Example
    Match a file by name in an unknown directory path.

    Actual Path: c:\a\b\c\file.exe

    Wildcard: c:\*\*\*\file.exe

    Match any file in a known directory path.

    Actual Path: c:\a\b\c\file.exe

    Wildcard: c:\a\b\c\*

    Match a specific file type in a partially known directory path.

    Actual Path: c:\a\b\c\file.exe

    Wildcard: c:\a\*\c\*.exe

    Disable case sensitivity for the first character in a file name.

    Actual Path: c:\a\b\c\File.exe

    Wildcard: c:\a\b\c\[Ff]ile.exe

    Match a single character in a file name.

    Actual Path: c:\a\b\c\cat.exe

    Actual Path: c:\a\b\c\bat.exe

    Wildcard: c:\a\b\c\?at.exe

    Do not match a character in a file name.

    Actual Path: c:\a\b\c\cat.exe

    Wildcard: c:\a\b\c\[!c]at.exe
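
A dry run of the wildcard examples above against a constructed file inventory, as an added example that is not Tanium's code: it lets you see what a Delete File pattern would select before the policy is enforced. The function names and the inventory are hypothetical; the matching is done per path segment with Python's fnmatch, case-sensitively, which is an assumption drawn from the [Ff] example rather than a statement of how Enforce is implemented.

```python
import fnmatch
from pathlib import PureWindowsPath
from typing import Iterable, List

# Constructed inventory for illustration only.
INVENTORY = [
    r"c:\a\b\c\file.exe",
    r"c:\a\b\c\File.exe",
    r"c:\a\b\c\cat.exe",
    r"c:\a\b\c\bat.exe",
    r"c:\a\b\c\d\file.exe",
    r"c:\a\x\c\tool.exe",
]


def glob_matches(pattern: str, path: str) -> bool:
    """Match segment by segment so a wildcard never spans a directory level."""
    pat = PureWindowsPath(pattern)
    if not pat.is_absolute():
        raise ValueError("pattern must be an absolute path")
    pat_parts, path_parts = pat.parts, PureWindowsPath(path).parts
    # No recursive matching: the pattern and the path must have the same depth.
    if len(pat_parts) != len(path_parts):
        return False
    # The drive root is compared literally, ignoring case.
    if pat_parts[0].lower() != path_parts[0].lower():
        return False
    return all(
        fnmatch.fnmatchcase(segment, wildcard)
        for wildcard, segment in zip(pat_parts[1:], path_parts[1:])
    )


def naive_matches(pattern: str, path: str) -> bool:
    """Whole-string fnmatch, shown for contrast: here '*' also matches '\\'."""
    return fnmatch.fnmatchcase(path, pattern)


def preview_delete(pattern: str, inventory: Iterable[str]) -> List[str]:
    """Return the inventory paths that the pattern would select."""
    return [p for p in inventory if glob_matches(pattern, p)]


def pattern_warnings(pattern: str) -> List[str]:
    """Flag patterns that are broader, or less recursive, than they look."""
    parts = PureWindowsPath(pattern).parts[1:]
    warnings = []
    if "**" in parts:
        warnings.append("recursive matching is not supported; "
                        "specify each directory level")
    if parts and parts[-1] in ("*", "*.*"):
        warnings.append("final segment selects every file in the directory")
    return warnings


if __name__ == "__main__":
    for wildcard in (r"c:\*\*\*\file.exe", r"c:\a\*\c\*.exe",
                     r"c:\a\b\c\[!c]at.exe", r"c:\a\b\c\*"):
        print(wildcard, preview_delete(wildcard, INVENTORY),
              pattern_warnings(wildcard))
```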

    Create an SRP Management Policy

    When you enable Windows SRP for the first time, targeted endpoints must be rebooted in order for SRP Management policies to be enforced.

    As a best practice, you might want to enforce an SRP Management policy that does not block anything or allows a path that will always be trusted, such as the Tanium Client. With this practice, the required reboot does not have to take place when you need to push out an urgent policy, such as a policy to block a malicious application.

    1. From the Enforce menu, go to Policies and click the Create Policy button.
    2. In the Summary section, do the following:
      • Enter a Name and Description for the policy.
      • From the Policy Type drop-down, select SRP Management.

    Create an SRP process rule using a path

    1. In the Path Rules section, click Create.
    2. Enter a Name for the rule.
    3. Enter the path or filename in the Path field. Full paths, environment variables, and filenames are supported.
    4. Click Save to create your policy or continue to add rules.

    Create an SRP process rule using a hash

    1. In the Hash Rules section, click Create.
    2. Enter a Name for the rule.
    3. Enter the MD5 Hash.
    4. Enter the File Size in bytes.
    5. Click Save to create your policy or continue adding rules.

    You can enforce this policy from the following places in the UI.

    • The Enforcements page
    • The Policy list page
    • The Policy details page

    Be aware of AppLocker Allow or Deny rules set in your Domain Policy – these rules might prevent SRP process rules created in Enforce from being enforced.