App Control includes a built-in policy named Default Policy. This is the policy to which computers are assigned in the following situations:

  • If you are using AD Mapping to assign policies, App Control is initially configured to assign a computer that does not match any other mapping rules to the Default Policy. You can, however, change the policy to which unmatched computers are assigned, and it is generally advisable to create a separate "AD Default" policy for this purpose. See Assigning Policy by Active Directory Mapping for more information.

  • When computers in a non-existent (deleted) policy report to the App Control Server, they are automatically moved into the Default Policy and subject to enforcement based on that policy’s settings. See Restoring Computers from the Default Policy for information about how you might deal with this situation.

If you are licensed for Control features, you can set the Default Policy Enforcement Level to High (Block Unapproved) to make sure that if a computer is switched to the Default Policy, neither Banned nor Unapproved files are allowed to run. If you are less concerned about Unapproved files but still do not want to allow them to execute without user interaction, you can set the Enforcement Level to Medium. You can also edit any of the other settings for the Default Policy.

Note: Computers can be assigned to the Default Policy unexpectedly. Because of this, the initial policy setting for “Locally approve unapproved files on transition from Visibility or Low Enforcement Level to Medium or High” is off (unchecked). Otherwise, an unexpected transition to the Default Policy could locally approve many files that you did not intend to approve. See Automatic Local Approval on Enforcement Level Change for more details about this setting.