Applying Block and Lockdown rules may result in unexpected consequences. Windows may not be able to apply patches, users may not be able to start applications installed using application deployment tools, and allowed applications may not be able to open necessary link libraries (DLLs) and child processes.
Use the Allow rule Trusted Source settings to extend the Allow rights of trusted applications.
Change the Trusted Source setting only if you are having trouble using trusted, mission-critical applications or installers.
Never use the High trust level for any web browser applications because extended rights would apply to any applications that the web browser downloaded.
After an application matches an Allow rule that gives extended rights, those extended rights apply to that application for all endpoint users.
Only kernel-level blocking supports the Trusted Source feature. See About Blocking Methods.
To change the Allow rule Trusted Source setting, go to the Add or Edit Allow Rule screen. Expand Rule options and then, under Trusted Source, select a trust level. See Add or Edit Rule Screen.
Trust ends after the rule is removed or the trust level of None is selected.
| Trust Level | Additional Rights | Example Use |
|---|---|---|
| None | Allows no extended rights. Default rule behaviors apply. | Day-to-day office scenarios |
| Medium | Allows applications that match this rule to start any other applications. While trusted applications are running, block and lockdown rules take no action on the trusted applications or any of their child processes. For example, a trusted application launcher can start any applications. But, users are unable to start the same applications themselves. | Kiosks and application launchers |
| High | Allows applications that match this rule to install and start any other applications. Use caution with this trust level. Block and lockdown rules never take action on selected applications or any of their child processes. For example, after the trusted application installs an application, the user can start that application at any time. | Application deployment tools such as SCCM (CcmExec.exe) and BigFix (BESClient.exe). Warning: Never use this trust level for any web browser applications because extended rights would apply to any applications that the web browser downloaded. |

Applications matching any of the following Allow rule Trusted Source conditions are always allowed to start:

The trust level columns show whether that trust level allows application execution.

| Application Conditions | None (default) | Medium | High |
|---|---|---|---|
| The application matches an Allow rule currently being applied. | Yes | Yes | Yes |
| The application is currently a child process of a trusted application. | | Yes | Yes |
| The application was installed by a trusted application. | | | Yes |
| The application was, at any time, started by a trusted application. | | | Yes |
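
The conditions table above, expressed as a small model you can run to compare trust levels before changing a rule. This is an added example, not the product's own code; the `Endpoint` class and the names `launcher.exe`, `tool.exe` and `pkg.exe` are constructed for illustration, and the model assumes trust is evaluated against the rule's current level.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    """Simplified model of the conditions table above; not the product's logic."""
    rules: dict                                        # app -> trust level of its Allow rule
    running_under: dict = field(default_factory=dict)  # child -> current parent
    installed_by: dict = field(default_factory=dict)   # app -> installer
    started_by: dict = field(default_factory=dict)     # app -> a past launcher

    def level(self, app):
        # Assumption: looked up at query time, so removing a rule or
        # selecting None ends the trust it granted.
        return self.rules.get(app, "None")

    def start(self, parent, child):
        self.running_under[child] = parent
        self.started_by[child] = parent

    def stop(self, child):
        self.running_under.pop(child, None)

    def install(self, installer, app):
        self.installed_by[app] = installer

    def always_allowed(self, app):
        if app in self.rules:                          # matches an Allow rule
            return True
        if self.level(self.running_under.get(app)) in ("Medium", "High"):
            return True                                # current child of a trusted app
        if self.level(self.installed_by.get(app)) == "High":
            return True                                # installed by a trusted app
        return self.level(self.started_by.get(app)) == "High"  # ever started by one

def scenario(trust_level):
    """Constructed case: trusted launcher.exe starts tool.exe and installs pkg.exe."""
    ep = Endpoint(rules={"launcher.exe": trust_level})
    ep.start("launcher.exe", "tool.exe")
    while_running = ep.always_allowed("tool.exe")
    ep.stop("tool.exe")                                # tool.exe exits
    after_exit = ep.always_allowed("tool.exe")         # user starts it directly later
    ep.install("launcher.exe", "pkg.exe")
    return while_running, after_exit, ep.always_allowed("pkg.exe")

if __name__ == "__main__":
    for lvl in ("None", "Medium", "High"):
        print(lvl, scenario(lvl))
```

A `False` result means only that the application is not on the always-allowed list; the endpoint's Block and Lockdown rules then decide as usual.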