Difference between AppLocker and Software Restrictions certificates
I can create AppLocker rules with all Windows exes, but this is not possible for the Certificates Rules of the Software Restriction Policies. Does AppLocker use different digital signatures than the Software Restrictions Policies? If so, what is the difference?
January 21st, 2009 8:17pm

Software restriction info is here.
Windows AppLocker is a new feature in Windows 7 and Windows Server 2008 R2 that replaces the Software Restriction Policies feature. AppLocker contains new capabilities and extensions that reduce administrative overhead and help administrators control how users can access and use files, such as .exe files, scripts, Windows Installer files (.msi and .msp files), and DLLs.
AppLocker information is here.
I would call AppLocker a superset of Software Restriction Policies. I'll see if I can find deeper information in the meantime.
January 22nd, 2009 9:34am

Thanks! It would be nice if you could find information about the different types of signatures used in AppLocker and Software Restriction Policies. I searched for a while but wasn't able to find detailed information.
In what sense does AppLocker replace the Software Restriction Policies? In Windows 7 Beta1 they are still available it seems.
January 23rd, 2009 1:55am

from: http://4sysops.com/archives/review-windows-7-applocker-part-2-tips
launch the Local Security Policy snap-in just type Local at the Start Search prompt. The AppLocker rules can be found under Computer Configuration\Policies\Windows Settings\Security Settings\Application Control Policies. The first thing you should do is create the Default Rules. Right click on Executable Rules and navigate to Create Default Rules. This will create three rules that allow the execution of all files in the Windows and in the Program Files folder. The third rule allows local administrators to execute all programs. You can also launch the wizard that automatically creates rules for all installed applications (Automatically Generate Rules).
Rating posts helps other users
Mark L. Ferguson MS-MVP
February 3rd, 2009 6:04am

AppLocker has a new rule type called "Publisher Rule", which allows administrators to identify binaries based on their Authenticode certificate and extended information such as Product Name, Binary Name and Version.
This way you could create a rule saying "Allow Adobe Reader 8.0 and above". This rule will survive patches that modify the binary.
The certificate rules that are available in Software Restriction Policies are too wide... you could specify things like "everything signed by this certificate", which usually includes more software than what the administrator really wanted to allow.
You can find this feature in the "Create New Rule..." wizard by selecting the "Publisher" rule type. You will also notice a slider on the left side of the certificate information allowing you to be more or less restrictive with the rule. You could slide it all the way up to allow everything signed by a publisher.
Thanks,
Marcelo
June 9th, 2009 9:29pm
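
The publisher rule and slider described in the reply above can also be scripted with the AppLocker PowerShell cmdlets. This is an added example, not part of the original thread; the reference file path, output path and minimum version are hypothetical values chosen for illustration.

```powershell
# Added example: build, scope and dry-run a publisher rule from a signed reference file.
# Hypothetical values for illustration: $ReferenceFile, $PolicyFile, $MinVersion.
$ReferenceFile = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'
$PolicyFile    = Join-Path $env:TEMP 'publisher-rule.xml'
$MinVersion    = '8.0.0.0'

Import-Module AppLocker

# 1. Read the fields a publisher rule matches on (taken from the Authenticode
#    signature and the file's version resource).
$info = Get-AppLockerFileInformation -Path $ReferenceFile
if (-not $info.Publisher) {
    throw "$ReferenceFile is not signed; a publisher rule cannot be built for it."
}
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 2. Generate a policy containing one publisher rule for that file.
[xml]$policy = $info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml

# 3. Script equivalent of the wizard's slider: accept any binary of this product
#    from $MinVersion upward. Publisher and product name stay pinned, so the rule
#    is narrower than "everything signed by this certificate".
foreach ($cond in $policy.SelectNodes('//FilePublisherCondition')) {
    $cond.SetAttribute('BinaryName', '*')
    $range = $cond.SelectSingleNode('BinaryVersionRange')
    $range.SetAttribute('LowSection', $MinVersion)
    $range.SetAttribute('HighSection', '*')
}
$policy.Save($PolicyFile)

# 4. Dry run: evaluate the reference file against the saved policy without
#    changing the machine's effective AppLocker policy.
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $ReferenceFile -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Nothing here is enforced: the XML only takes effect once it is imported with Set-AppLockerPolicy or through Group Policy.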

This topic is archived. No further replies will be accepted.
