About Trusted Sources

Applying Block and Lockdown rules may result in unexpected consequences. Windows may not be able to apply patches, users may not be able to start applications installed using application deployment tools, and allowed applications may not be able to open necessary link libraries (DLLs) and child processes.

Use the Allow rule Trusted Source settings to extend the Allow rights of trusted applications.

Important:
  • Change the Trusted Source setting only if you are having trouble using trusted, mission-critical applications or installers.

  • Never use the Permanent trust level for any web browser applications because extended rights would apply to any applications that the web browser downloaded.

  • After an application matches an Allow rule that gives extended rights, those extended rights apply to that application for all endpoint users.

  • Only kernel-level blocking supports the Trusted Source feature. See About Blocking Methods.

To change the Allow rule Trusted Source setting, go to the Add or Edit Allow Rule screen. Expand Rule options and then, under Trusted Source, select a trust level. See Add or Edit Rule Screen.

Trust ends after the rule is removed or the trust level of None is selected.

Table 1. Allow Rule Trusted Source Trust Levels and Additional Rights

| Trust Level | Additional Rights | Example Use |
|---|---|---|
| None | Allows no extended rights. Default rule behaviors apply. | Day-to-day office scenarios |
| Temporary | Allows applications that match this rule to start any other applications. While trusted applications are running, block and lockdown rules take no action on the trusted applications or any of their child processes. For example, a trusted application launcher can start any applications, but users are unable to start the same applications themselves. | Kiosks and application launchers |
| Permanent | Allows applications that match this rule to install and start any other applications. Use caution with this trust level. Block and lockdown rules never take action on selected applications or any of their child processes. For example, after the trusted application installs an application, the user can start that application at any time. | Application deployment tools such as SCCM (CcmExec.exe) and BigFix (BESClient.exe). Warning: Never use this trust level for any web browser applications because extended rights would apply to any applications that the web browser downloaded. |

Applications matching any of the following Allow rule Trusted Source conditions are always allowed to start:

Table 2. Trusted Sources and Extended Allow Rights

| Application Conditions | Trust Level Allows Application Execution: None (default) | Temporary | Permanent |
|---|---|---|---|
| The application matches an Allow rule currently being applied. | Yes | Yes | Yes |
| The application is currently a child process of a trusted application. | | Yes | Yes |
| The application was installed by a trusted application. | | | Yes |
| The application was, at any time, started by a trusted application. | | | Yes |
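The following added example (not the product's own code) models the four conditions of Table 2 as a small state machine, so the difference between Temporary and Permanent trust can be checked against concrete scenarios, including the web browser case the warning describes. The class, the method names, and the executables launcher.exe, browser.exe, kiosk_app.exe, tool.exe and download.exe are assumptions made for illustration.

```python
# Added illustration of Table 2; names are assumptions, not the product's code.
NONE, TEMPORARY, PERMANENT = "None", "Temporary", "Permanent"

class Endpoint:
    def __init__(self, allow_rules):
        self.allow_rules = dict(allow_rules)  # app -> trust level of its Allow rule
        self.running = set()                  # applications currently running
        self.history = {}                     # app -> apps that installed or started it

    def may_start(self, app, started_by=None):
        """Return True if Table 2 allows `app` to execute (started_by=None: the user)."""
        if app in self.allow_rules:                        # matches an Allow rule
            return True
        parent_trust = self.allow_rules.get(started_by)
        if started_by in self.running and parent_trust in (TEMPORARY, PERMANENT):
            return True                                    # child of a running trusted app
        return any(self.allow_rules.get(p) == PERMANENT    # installed or ever started
                   for p in self.history.get(app, ()))     # by a Permanent-trust app

    def start(self, app, started_by=None):
        ok = self.may_start(app, started_by)
        if ok:
            self.running.add(app)
            if started_by is not None:
                self.history.setdefault(app, set()).add(started_by)
        return ok

    def install(self, app, installer):
        # Assumption: every install is recorded; only Permanent trust makes it count.
        self.history.setdefault(app, set()).add(installer)

def scenarios():
    # Constructed rule set; browser.exe with Permanent trust is the
    # misconfiguration the warning in Table 1 describes.
    ep = Endpoint({"launcher.exe": TEMPORARY, "BESClient.exe": PERMANENT,
                   "browser.exe": PERMANENT})
    for trusted in ("launcher.exe", "BESClient.exe", "browser.exe"):
        ep.start(trusted)
    out = {"kiosk via launcher": ep.start("kiosk_app.exe", "launcher.exe"),
           "kiosk via user": ep.may_start("kiosk_app.exe")}
    ep.install("tool.exe", "BESClient.exe")
    ep.start("download.exe", "browser.exe")
    ep.running.clear()                          # every trusted application has exited
    out["tool via user"] = ep.may_start("tool.exe")
    out["download via user"] = ep.may_start("download.exe")
    ep.allow_rules["browser.exe"] = NONE        # trust ends when None is selected
    out["download after None"] = ep.may_start("download.exe")
    return out

print(scenarios())
```

The model treats only direct child processes as covered by trust, which is an assumption; the page does not state how deeper descendants are handled.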