You can give each rule an effect of permit or deny. The effect is what the rule evaluates to when its child condition or group of conditions evaluates to true. For example, if a rule's effect is set to deny and its condition evaluates to true, the rule evaluates to deny.


A condition that returns false causes the rule to be Not Applicable. It does not create the opposite effect. You must create a separate and opposite rule to generate the opposite effect. The most consistent way to create such a pair of rules is to use Named conditions, with both rules referencing the same named condition but with the expected outcome being opposite.
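The following Python sketch is an added illustration, not the product's policy engine or code from this documentation. It models the behavior described above: a rule returns its effect only when its condition is met, and a permit/deny pair references one named condition with opposite expected outcomes. The `Rule` class, the `unmatched` helper, the `is_account_owner` condition, and the request fields are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "Not Applicable"

# Named conditions are defined once and referenced by name from any rule.
# "is_account_owner" and the request fields are constructed for this sketch.
NAMED_CONDITIONS = {
    "is_account_owner": lambda req: req["subject_id"] == req["owner_id"],
}

@dataclass(frozen=True)
class Rule:
    name: str
    effect: Decision       # Decision.PERMIT or Decision.DENY
    condition: str         # key into NAMED_CONDITIONS
    expected: bool = True  # outcome of the named condition that the rule requires

    def evaluate(self, request):
        met = NAMED_CONDITIONS[self.condition](request) == self.expected
        # An unmet condition never flips the effect; the rule simply drops out.
        return self.effect if met else Decision.NOT_APPLICABLE

def unmatched(rules, requests):
    """Return labels of requests for which every rule is Not Applicable."""
    return [label for label, req in requests.items()
            if all(r.evaluate(req) is Decision.NOT_APPLICABLE for r in rules)]

permit_owner = Rule("Permit owner", Decision.PERMIT, "is_account_owner", True)
deny_non_owner = Rule("Deny non-owner", Decision.DENY, "is_account_owner", False)

# Constructed sample requests.
REQUESTS = {
    "owner": {"subject_id": "u-100", "owner_id": "u-100"},
    "stranger": {"subject_id": "u-200", "owner_id": "u-100"},
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        for rule in (permit_owner, deny_non_owner):
            print(f"{label:8} {rule.name:15} -> {rule.evaluate(req).value}")
    print("no decision, permit rule alone:", unmatched([permit_owner], REQUESTS))
    print("no decision, rule pair:", unmatched([permit_owner, deny_non_owner], REQUESTS))
```

With only the permit rule, the non-owner request receives no Deny from any rule, which is the gap the paired rule closes.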

Rules can include targets, which work in the same way as on policies and policy sets. However, you cannot associate conditions with these targets. You can apply targets to achieve a more fine-grained approach.

Screen capture of rule structure

If the condition in this example evaluates to true, the effect is Permit. If it evaluates to false, the effect is Not Applicable.

You can reorder collapsed rules by dragging the handles on the left. To reorder using the keyboard, press Tab to go to the rule, press Enter to select the rule, press the Up Arrow or Down Arrow to go to the desired location, and then press Enter to drop the rule in the new location.


When a logical condition involves comparing two attributes, try to ensure the attributes have the same data type. Comparing different data types requires an implicit conversion that might not always yield the intended result.