Application whitelisting

If your organization's security policy dictates that only licensed software is allowed to run on the user's computer, you need to prevent users from running unlicensed software, and also restrict the use of licensed software that is not authorized by IT. Policy enforcement ensures that only authorized applications will run on the system.

We recommend that you read NIST publication 800-167 for further guidance on application whitelisting. Download this guide from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf.

When planning policy enforcement for applications, you should create a list of all apps that are authorized to be used in the company. Based on this list, you should investigate the details about these apps by asking the following questions:

  • What's the installation path for each app?
  • What's the vendor's update policy for these apps?
  • What executable files are used by these apps?

The more information you can get about the app itself, the more tangible data you will have to determine whether or not an app has been tampered with. For Windows systems, you should plan to use AppLocker and specify which applications are allowed to run on the local computer.

In AppLocker, there are three types of conditions that can be used to evaluate an app:

  • Publisher: This should be used if you want to create a rule that will evaluate an app that was signed by the software vendor
  • Path: This should be used if you want to create a rule that will evaluate the application path
  • File hash: This should be used if you want to create a rule that will evaluate an app that is not signed by the software vendor

These options will appear in the Conditions page when you run the Create Executable Rules wizard.

Which option you choose will depend on your needs, but these three choices should cover the majority of the deployment scenarios. Keep in mind that, depending on which option you choose, a new set of questions will appear on the page that follows. Make sure that you read the AppLocker documentation at https://docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview.
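The same three conditions can be generated from PowerShell instead of the wizard. The following is an added example, not taken from the original text: it inventories the executables under one app's installation path, creates publisher rules with a file hash fallback for unsigned files, and then tests the resulting policy before anything is enforced. The folder `C:\Program Files\ContosoApp`, the rule name prefix, and the output file name are assumptions made for illustration.

```powershell
# Added example. Requires the AppLocker PowerShell module on Windows.
# $AppDir and $PolicyFile are hypothetical values; replace them with an
# entry from your own list of authorized apps.
$AppDir     = 'C:\Program Files\ContosoApp'
$PolicyFile = Join-Path $env:TEMP 'ContosoApp-AppLocker.xml'

Import-Module AppLocker

# 1. Answer "what executable files are used by this app?" by collecting
#    publisher, path, and hash information for every executable found.
$files = Get-AppLockerFileInformation -Directory $AppDir -Recurse -FileType Exe
if (-not $files) { throw "No executables found under $AppDir" }

# 2. Files without publisher information are unsigned. They can only be
#    covered by file hash (or path) rules, and a hash rule stops matching
#    as soon as the vendor ships an updated binary, so list them for review.
$unsigned = $files | Where-Object { -not $_.Publisher }
Write-Host ("{0} executables, {1} unsigned (hash rules)" -f @($files).Count, @($unsigned).Count)
$unsigned | ForEach-Object { Write-Host "  unsigned: $($_.Path)" }

# 3. Build the policy: publisher rules where a signature exists, hash
#    rules otherwise. -Optimize merges similar rules; -Xml returns the
#    policy as an XML string that can be reviewed and version controlled.
$files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'ContosoApp' -Optimize -Xml |
    Set-Content -Path $PolicyFile -Encoding UTF8

# 4. Evaluate the saved policy against the same files without applying it.
#    Every authorized executable should come back as Allowed.
$exePaths = (Get-ChildItem -Path $AppDir -Recurse -Filter *.exe -File).FullName
$results  = Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $exePaths -User Everyone
$results | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# 5. Anything not Allowed is an authorized file the rules failed to cover.
$gaps = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }
if ($gaps) { Write-Warning "$(@($gaps).Count) file(s) not covered by the generated rules" }
```

The script only writes an XML file and evaluates it; applying the policy is a separate step (for example with `Set-AppLockerPolicy` or Group Policy) that should follow review of the generated rules.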

To whitelist apps in an Apple OS, you can use Gatekeeper (https://support.apple.com/en-us/HT202491), and in a Linux OS you can use SELinux.