So our domain currently has numerous Software Restriction Policies in place for assorted departments, and we want to migrate to AppLocker. The current plan is as follows:
- Create an AppLocker GPO for each of the affected departments, independent of the SRP GPOs. Since all our SRP GPOs at the moment are path-based and AppLocker does path-based rules, we figure this is a 1:1 migration.
- Set the AppLocker policies to audit only.
- Let these run on the domain for X amount of time while monitoring the event logs to see if what people are doing and what we see coincide with one another.
- Remove SRP GPOs when satisfied.
Now, I understand that in Windows, AppLocker policies supersede SRPs in terms of enforcement. Say I create an SRP GPO which requires whitelisting ("allow list mode" as defined in the documentation), and I create an AppLocker policy which does the same, only in audit mode. If I run an app that isn't whitelisted, does it:
a) trigger the AppLocker audit GPO, which makes a note of it in the event log, and then skips the SRP GPO and runs the app
or
b) trigger the AppLocker audit GPO, which makes a note of it in the event log, and then checks the SRP GPO, which then denies the application from being run?
Any help on this subject would be greatly appreciated.
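For the "monitor the event logs" step of the migration plan above, here is an added PowerShell example (not from the original post) that collects the audit-mode "would have been prevented" events and checks a path against the effective AppLocker policy on the host. It assumes it runs elevated on a machine receiving the audit-only AppLocker GPO, and that the event-data field names (FilePath, TargetUser, RuleName) match what the AppLocker event provider writes.

```powershell
# Added example (not from the original post): summarise AppLocker audit-mode
# events so the "would have been blocked" list can be compared with what the
# existing SRP GPOs allow before those GPOs are removed.
# Assumptions: run elevated on a host receiving the audit-only AppLocker GPO;
# field names FilePath/TargetUser/RuleName are those in the event XML.

# Audit-mode "would have been prevented" events:
# 8003 in "EXE and DLL", 8006 in "MSI and Script".
$channels = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'    = 8003
    'Microsoft-Windows-AppLocker/MSI and Script' = 8006
}

function Get-AppLockerAuditHit {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $channels.Keys) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $log; Id = $channels[$log]; StartTime = $since
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Log      = $log
                User     = $data['TargetUser']   # SID of the user who ran it
                FilePath = $data['FilePath']
                Rule     = $data['RuleName']
            }
        }
    }
}

# Per-path counts: paths AppLocker would block that SRP currently permits
# either need a rule added or are genuinely unwanted.
$hits = Get-AppLockerAuditHit -Days 14
$hits | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Check one path against the effective (merged) AppLocker policy on this host
# without waiting for a user to run it. The path below is a placeholder.
$policyFile = Join-Path $env:TEMP 'effective-applocker.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyFile
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Users\Public\example.exe' -User Everyone
```

Test-AppLockerPolicy only evaluates the AppLocker rules, so a result of "Allowed" there says nothing about what the still-active SRP GPO would do with the same file.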