When application control is enabled and has finished its initial software inventory scan:
- The State field indicates "On" or "On, Blocking unrecognized software".
- On Computers, the Status field changes from "Application Control Ruleset Build In Progress" to "Managed (Online)".
- Events & Reports > Events > System Events will record "Application Control Ruleset Build Started" and "Application Control Ruleset Build Completed". (If you don’t see any logs, see Choose which application control events to log.)
To verify that application control is working:
- Copy an executable to the computer or add execute permissions to a plain text file. Try to run the executable. Depending on your enforcement setting for unrecognized software, it should be either blocked or allowed.
- Add an allow or block rule for your test software and then try again. This time, application control should apply your allow or block rule.
Once application control has built initial allow rules or downloaded a shared ruleset, if any change is detected, it should appear in the Actions tab, which you can use to create allow and block rules (see Monitor new and changed software). Depending on your alert configuration, you will also see an alert if unrecognized software is detected, or if application control blocks software from launching (see Monitor application control events). The event should persist until the software change no longer exists, or until the oldest data has been removed from the database.
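The two verification steps above can be made repeatable on a Linux computer with a small script. This is an added example, not part of the product or its documentation; the file names, the marker string and the reading of exit status 126 as "blocked" are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: a refused launch is reported
# by the shell as exit status 126 (file found but could not be executed).
MARKER="appcontrol-launch-test"

# Write a plain text file with unique content and add execute permission.
# Unique content and name keep it distinct from software already inventoried.
make_test_executable() {
    dir=$1
    file="$dir/ac_test_$$_$(date +%Y%m%d%H%M%S).sh"
    printf '#!/bin/sh\n# created %s by pid %s\necho %s\n' \
        "$(date)" "$$" "$MARKER" > "$file"
    chmod u+x "$file"
    printf '%s\n' "$file"
}

# Try to run the file and classify the outcome.
try_launch() {
    file=$1
    # A missing execute bit also stops the launch, for a reason unrelated
    # to application control, so report it separately.
    [ -x "$file" ] || { echo "not-executable"; return 0; }
    if out=$("$file" 2>/dev/null); then rc=0; else rc=$?; fi
    if [ "$rc" -eq 0 ] && [ "$out" = "$MARKER" ]; then
        echo "allowed"
    elif [ "$rc" -eq 126 ]; then
        echo "blocked"
    else
        echo "error:$rc"
    fi
}

# First run: no argument (or a directory) creates a new test file.
# After adding an allow or block rule, pass the printed path to try again.
if [ -f "${1:-}" ]; then
    target=$1
else
    target=$(make_test_executable "${1:-${TMPDIR:-/tmp}}")
fi
echo "file:   $target"
echo "result: $(try_launch "$target")"
```

Compare the result of the first run with your enforcement setting for unrecognized software, then compare the result of the second run with the rule you added.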