topic Re: Windows Endpoint Management - Applocker policies fail to push in Peer-Peer Topics

topic Re: Windows Endpoint Management - Applocker policies fail to push in Peer-Peer Topics https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1225#M820 <P>Our baseline policies are:</P><P>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group1/EXE/Policy</P><LI-CODE lang="markup"><RuleCollection Type="Exe" EnforcementMode="Enabled"> <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> <FilePublisherRule Id="462940ad-85aa-4bb6-afbe-cceab15fbed1" Name="Signed by O=LOOM, INC., L=SAN FRANCISCO, S=CA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=LOOM, INC., L=SAN FRANCISCO, S=CA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="6f0088e0-796d-4de8-826d-15af91718148" Name="Signed by O=ZOOM VIDEO COMMUNICATIONS, INC., L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ZOOM VIDEO COMMUNICATIONS, INC., L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="b86a6638-ede4-4f0d-be6d-edc0c9cf126f" Name="Signed by O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="75f5793b-0fef-4517-9c9c-2410f52572f8" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="72527ee9-a2a8-4d9f-9761-aefe038ae16b" Name="Signed by O=ADOBE INC., L=SAN JOSE, S=CA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ADOBE INC., L=SAN JOSE, S=CA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="d8fc8c12-58bc-4495-be11-4c2901cead41" Name="Signed by O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="4fb964e0-43ec-4b42-a2af-c10ee424ede1" Name="Signed by O=ZWIFT, INC., L=LONG BEACH, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ZWIFT, INC., L=LONG BEACH, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="6fa008eb-d90e-4aff-ba4b-b2f53a64e682" Name="Signed by O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="bf6b505c-e6b6-4ab6-b34c-f8d8c1a3c405" Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="31d5888c-65d2-4610-8189-3d089cf355c6" Name="RUNASSPC.EXE, in RUNASSPC, from O=OLIVER HESSING, L=STUTTGART, S=BADEN W�RTTEMBERG, C=DE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=OLIVER HESSING, L=STUTTGART, S=BADEN W�RTTEMBERG, C=DE" ProductName="RUNASSPC" BinaryName="RUNASSPC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="a4c338eb-8a41-43a4-9a73-c7b4f7e9ab0d" Name="SETUP.EXE, in LADIBUG3.0, from O=LUMENS DIGITAL OPTICS INC., L=HSINCHU, S=TAIWAN, C=TW" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=LUMENS DIGITAL OPTICS INC., L=HSINCHU, S=TAIWAN, C=TW" ProductName="LADIBUG3.0" BinaryName="SETUP.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="2ca85e89-17b3-44e2-8212-738c570e0c3c" Name="&quot;&quot;, in OPENSHOT VIDEO EDITOR, from O=OPENSHOT STUDIOS, LLC, L=ROCKWALL, S=TEXAS, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=OPENSHOT STUDIOS, LLC, L=ROCKWALL, S=TEXAS, C=US" ProductName="OPENSHOT VIDEO EDITOR" BinaryName=""> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="524be818-df37-48f9-91c8-7cb9457711d0" Name="Mendeley" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ELSEVIER LTD, L=KIDLINGTON, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="66652289-5bfa-4a6a-b77f-11868c203437" Name="Widget" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=SYMBOLS WORLDWIDE LTD., L=LEAMINGTON SPA, S=WARWICKSHIRE, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePathRule Id="9352e338-9fd0-4b66-a537-729741e5fc76" Name="Salto" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%OSDRIVE%\SALTO\*" /> </Conditions> </FilePathRule> <FilePathRule Id="1d1a7093-08a1-49ab-bfb7-2c203f686069" Name="EdgeBlock" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\Microsoft\Edge\*" /> </Conditions> </FilePathRule> <FilePathRule Id="d696237d-f2c0-4bee-b451-d1a5ea88fd0c" Name="InVentry" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="\\10.42.236.31\InVentry\V4\Console\*" /> </Conditions> </FilePathRule> <FileHashRule Id="853e2140-5422-457b-9ba0-409c73275d48" Name="Total Lock" Description="USB drive encryption software." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FileHashCondition> <FileHash Type="SHA256" Data="0xA23D77A118DB829CBD21B5CE0A9883C2661DAC796ECCB9D3C175582358EE8C6A" SourceFileName="TotalLock.exe" SourceFileLength="9913344" /> </FileHashCondition> </Conditions> </FileHashRule> <FilePublisherRule Id="6be7c34e-9a1d-4abd-998c-0108d40217a6" Name="4Matrix" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=NEW MEDIA LEARNING LTD, L=LEIGH-ON-SEA, S=ESSEX, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="8067d315-2f60-4c76-b6e1-0a587345f9e8" Name="Surpass Viewer" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=BTL GROUP LTD, L=SHIPLEY, S=WEST YORKSHIRE, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="0c0b2f03-9330-4f69-8076-05afe7402929" Name="POS Admin" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=BIOSTORE LTD, L=HEXHAM, S=NORTHUMBERLAND, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection></LI-CODE><P> ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group2/MSI/Policy</P><LI-CODE lang="markup"><RuleCollection Type="Msi" EnforcementMode="Enabled"> <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="(Default Rule) All digitally signed Windows Installer files" Description="Allows members of the Everyone group to run digitally signed Windows Installer files." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\Installer\*" /> </Conditions> </FilePathRule> <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*.*" /> </Conditions> </FilePathRule> <FilePublisherRule Id="8fe8eccb-700f-4dc5-954e-01c34b802412" Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="6fa008eb-d90e-4aff-ba4b-b2f53a64e682" Name="Signed by O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="967be9b5-6777-4acd-993e-7b05be672f44" Name="Webex" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CISCO SYSTEMS, INC., L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="981b2144-9a6d-453b-81de-bd9d0fb9c5b6" Name="PenPal" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CAMBRIDGE HITACHI-SOLUTIONS EDUCATION LIMITED, L=CAMBRIDGE, S=CAMBRIDGESHIRE, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection></LI-CODE><P>and finally</P><P>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group3/Script/Policy</P><LI-CODE lang="markup"><RuleCollection Type="Script" EnforcementMode="Enabled"> <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection></LI-CODE><P>These all work fine and we slightly modify them for specific OUs to allow certain things to run.</P><P>The only obvious thing I can see is you don't need:</P><P><AppLockerPolicy Version="1"></P><P></AppLockerPolicy></P><P>Top and bottom.</P> Fri, 29 Sep 2023 15:53:43 GMT rdnixon 2023-09-29T15:53:43Z Windows Endpoint Management - Applocker policies fail to push https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1224#M819 <P>I am working with Google on this, but wanted to check here and see if anyone has some insight to my problem.</P><P>I am attempting to push some Applocker policies to devices, but it fails every time, based on which type I send (MSI, EXE, Script).</P><P>The script policy fails (with error code shown on Google console) : 516</P><P>Anyone encountered these failures? Fixed it? </P><P>Here is a specific one, which is a default policy as far as I can tell:</P><P>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group3/Script/Policy</P><LI-CODE lang="markup"><AppLockerPolicy Version="1"> <RuleCollection Type="Script" EnforcementMode="Enabled"> <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> </AppLockerPolicy></LI-CODE><P> </P> Fri, 29 Sep 2023 15:46:43 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1224#M819 hanker 2023-09-29T15:46:43Z Re: Windows Endpoint Management - Applocker policies fail to push https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1225#M820 <P>Our baseline policies are:</P><P>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group1/EXE/Policy</P><LI-CODE lang="markup"><RuleCollection Type="Exe" EnforcementMode="Enabled"> <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> <FilePublisherRule Id="462940ad-85aa-4bb6-afbe-cceab15fbed1" Name="Signed by O=LOOM, INC., L=SAN FRANCISCO, S=CA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=LOOM, INC., L=SAN FRANCISCO, S=CA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="6f0088e0-796d-4de8-826d-15af91718148" Name="Signed by O=ZOOM VIDEO COMMUNICATIONS, INC., L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ZOOM VIDEO COMMUNICATIONS, INC., L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="b86a6638-ede4-4f0d-be6d-edc0c9cf126f" Name="Signed by O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="75f5793b-0fef-4517-9c9c-2410f52572f8" Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="72527ee9-a2a8-4d9f-9761-aefe038ae16b" Name="Signed by O=ADOBE INC., L=SAN JOSE, S=CA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ADOBE INC., L=SAN JOSE, S=CA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="d8fc8c12-58bc-4495-be11-4c2901cead41" Name="Signed by O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="4fb964e0-43ec-4b42-a2af-c10ee424ede1" Name="Signed by O=ZWIFT, INC., L=LONG BEACH, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ZWIFT, INC., L=LONG BEACH, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="6fa008eb-d90e-4aff-ba4b-b2f53a64e682" Name="Signed by O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="bf6b505c-e6b6-4ab6-b34c-f8d8c1a3c405" Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="31d5888c-65d2-4610-8189-3d089cf355c6" Name="RUNASSPC.EXE, in RUNASSPC, from O=OLIVER HESSING, L=STUTTGART, S=BADEN W�RTTEMBERG, C=DE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=OLIVER HESSING, L=STUTTGART, S=BADEN W�RTTEMBERG, C=DE" ProductName="RUNASSPC" BinaryName="RUNASSPC.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="a4c338eb-8a41-43a4-9a73-c7b4f7e9ab0d" Name="SETUP.EXE, in LADIBUG3.0, from O=LUMENS DIGITAL OPTICS INC., L=HSINCHU, S=TAIWAN, C=TW" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=LUMENS DIGITAL OPTICS INC., L=HSINCHU, S=TAIWAN, C=TW" ProductName="LADIBUG3.0" BinaryName="SETUP.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="2ca85e89-17b3-44e2-8212-738c570e0c3c" Name="&quot;&quot;, in OPENSHOT VIDEO EDITOR, from O=OPENSHOT STUDIOS, LLC, L=ROCKWALL, S=TEXAS, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=OPENSHOT STUDIOS, LLC, L=ROCKWALL, S=TEXAS, C=US" ProductName="OPENSHOT VIDEO EDITOR" BinaryName=""> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="524be818-df37-48f9-91c8-7cb9457711d0" Name="Mendeley" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ELSEVIER LTD, L=KIDLINGTON, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="66652289-5bfa-4a6a-b77f-11868c203437" Name="Widget" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=SYMBOLS WORLDWIDE LTD., L=LEAMINGTON SPA, S=WARWICKSHIRE, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePathRule Id="9352e338-9fd0-4b66-a537-729741e5fc76" Name="Salto" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%OSDRIVE%\SALTO\*" /> </Conditions> </FilePathRule> <FilePathRule Id="1d1a7093-08a1-49ab-bfb7-2c203f686069" Name="EdgeBlock" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\Microsoft\Edge\*" /> </Conditions> </FilePathRule> <FilePathRule Id="d696237d-f2c0-4bee-b451-d1a5ea88fd0c" Name="InVentry" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="\\10.42.236.31\InVentry\V4\Console\*" /> </Conditions> </FilePathRule> <FileHashRule Id="853e2140-5422-457b-9ba0-409c73275d48" Name="Total Lock" Description="USB drive encryption software." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FileHashCondition> <FileHash Type="SHA256" Data="0xA23D77A118DB829CBD21B5CE0A9883C2661DAC796ECCB9D3C175582358EE8C6A" SourceFileName="TotalLock.exe" SourceFileLength="9913344" /> </FileHashCondition> </Conditions> </FileHashRule> <FilePublisherRule Id="6be7c34e-9a1d-4abd-998c-0108d40217a6" Name="4Matrix" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=NEW MEDIA LEARNING LTD, L=LEIGH-ON-SEA, S=ESSEX, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="8067d315-2f60-4c76-b6e1-0a587345f9e8" Name="Surpass Viewer" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=BTL GROUP LTD, L=SHIPLEY, S=WEST YORKSHIRE, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="0c0b2f03-9330-4f69-8076-05afe7402929" Name="POS Admin" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=BIOSTORE LTD, L=HEXHAM, S=NORTHUMBERLAND, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection></LI-CODE><P> ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group2/MSI/Policy</P><LI-CODE lang="markup"><RuleCollection Type="Msi" EnforcementMode="Enabled"> <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="(Default Rule) All digitally signed Windows Installer files" Description="Allows members of the Everyone group to run digitally signed Windows Installer files." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\Installer\*" /> </Conditions> </FilePathRule> <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*.*" /> </Conditions> </FilePathRule> <FilePublisherRule Id="8fe8eccb-700f-4dc5-954e-01c34b802412" Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="6fa008eb-d90e-4aff-ba4b-b2f53a64e682" Name="Signed by O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="967be9b5-6777-4acd-993e-7b05be672f44" Name="Webex" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CISCO SYSTEMS, INC., L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="981b2144-9a6d-453b-81de-bd9d0fb9c5b6" Name="PenPal" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="O=CAMBRIDGE HITACHI-SOLUTIONS EDUCATION LIMITED, L=CAMBRIDGE, S=CAMBRIDGESHIRE, C=GB" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection></LI-CODE><P>and finally</P><P>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group3/Script/Policy</P><LI-CODE lang="markup"><RuleCollection Type="Script" EnforcementMode="Enabled"> <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> </FilePathRule> <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection></LI-CODE><P>These all work fine and we slightly modify them for specific OUs to allow certain things to run.</P><P>The only obvious thing I can see is you don't need:</P><P><AppLockerPolicy Version="1"></P><P></AppLockerPolicy></P><P>Top and bottom.</P> Fri, 29 Sep 2023 15:53:43 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1225#M820 rdnixon 2023-09-29T15:53:43Z Re: Windows Endpoint Management - Applocker policies fail to push https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1228#M821 <P>I will try removing those extra bits to see if that makes the difference. I think I added those because when I tested the policy without the "<applockerpolicy.." on a local device using "Test-AppLockerPolicy" it would fail.</P><P>Thanks</P> Fri, 29 Sep 2023 16:19:38 GMT https://www.googleforeducommunity.com/t5/Peer-Peer-Topics/Windows-Endpoint-Management-Applocker-policies-fail-to-push/m-p/1228#M821 hanker 2023-09-29T16:19:38Z