...
- Create a file named exactly applock.txt (an empty file is fine).
- Move it to c:\windows\tracing\applock.txt
- Run gpupdate /force (or wait about 30 minutes for it to run as scheduled)
At some future date, when AppLocker is considered safe for our clients, the opt-in logic would become opt-out. Every PC in "Campus Clients" would be subject to the policy unless a "no-applock.txt" file (or some such signal, TBD) had been created on it.
How to Run a Blocked Program or Opt Out
...
- Application whitelisting explained
- Using Event Viewer with AppLocker
- Display a custom URL when an application is blocked
- Free, almost perfect malware protection with GPO AppLocker
- A pragmatic approach towards AppLocker policies
- DSD confirms: application whitelisting is the go
- AppLocker Guide for Technical Decision Makers
...
(Yes, AppLocker makes even more sense for servers, which run a more predictable set of software.)