The three AppLocker enforcement modes are described in the following table.

Enforcement modeDescription

Not configured

This is the default setting. If linked Group Policy objects (GPOs) contain a different setting, that setting is used. If enforcement is not configured but rules are present in the corresponding rule collection, those rules are enforced.

Enforce rules

Rules are enforced.

Audit only

Rules are audited but not enforced. The audit-only enforcement mode helps you determine which applications are affected by the policy before enforcing the policy. When the AppLocker policy for a rule collection is set to Audit only, rules for that rule collection are not enforced. When a user runs an application that is affected by an AppLocker rule, information about that application is added to the AppLocker event log.

When AppLocker policies from various GPOs are merged, both the rules and the enforcement modes are merged. The most similar Group Policy setting is used for the enforcement mode, and all rules from linked GPOs are applied.

For information about GPOs and Group Policy inheritance, see the Group Policy Planning and Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=143138).

Additional references