Recently I was testing a whitelisting policy in AppLocker that denied an app from an allowed publisher.
If you have deployed AppLocker rules using Intune, you can find the policy rules at C:\Windows\System32\AppLocker\MDM
You can also look at Get-ApplockerPolicy -Xml -Effective
Looking at the event log we can see the RuleId is all 0's.
A DeniedByDefault RUN decision from AppLocker has a RuleId set to {00000000-0000-0000-0000-000000000000}: no allow rule matched, so the implicit default deny applied.
When we run the PowerShell test as the affected user we get "DeniedByDefault":
Test-AppLockerPolicy -XmlPolicy .\SamplePolicy.xml -Path c:\windows\system32\calc.exe
*The policy XML needs to be the full policy, not just a rule collection (i.e. wrapped in <AppLockerPolicy></AppLockerPolicy>).
We were targeting the Domain Users group in the policy; however, the machines were Azure AD joined.
“AppLocker doesn’t support AzureAD groups, only local groups”
We changed this to UserOrGroupSid="S-1-1-0" (Everyone) and it fixed the issue.
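The troubleshooting above comes down to three checks: does the full effective policy produce a DeniedByDefault decision for the file, which SIDs are the rules scoped to, and are those SIDs actually present in the affected user's token. The script below is an added example, not part of the original post; it is meant to be run as the affected user on the affected machine. The sample path `C:\Windows\System32\calc.exe`, the temp file name, and the element names used to read the AppLocker event payload (`RuleAndFileData`, `RuleId`, `FilePath`, `TargetUser`) are assumptions for this example.

```powershell
# Added example (not from the original post): triage an AppLocker "DeniedByDefault" block.
# Run as the user who is being blocked, so the token checked below is the right one.
param(
    [string]$ExePath = 'C:\Windows\System32\calc.exe'   # assumed: the file that was blocked
)

# 1. Export the effective policy (local + MDM/GPO merged) as a complete <AppLockerPolicy>
#    document. Test-AppLockerPolicy needs the whole document, not a single <RuleCollection>.
$policyXml  = Get-AppLockerPolicy -Effective -Xml
$policyFile = Join-Path $env:TEMP 'EffectiveAppLockerPolicy.xml'   # assumed temp location
$policyXml | Out-File -FilePath $policyFile -Encoding utf8

# 2. Ask AppLocker what it decides for this file and the current user.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$decision = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $ExePath -User $identity.User.Value
'{0}: {1} (matching rule: {2})' -f $decision.FilePath, $decision.PolicyDecision, $decision.MatchingRule

# 3. Compare the SIDs the rules are scoped to against the SIDs in the user's token.
#    A rule whose UserOrGroupSid is not in the token never matches, so even a file from an
#    allowed publisher falls through to the implicit deny (RuleId all zeros).
[xml]$doc  = $policyXml
$ruleSids  = $doc.SelectNodes('//*[@UserOrGroupSid]') |
    ForEach-Object { $_.GetAttribute('UserOrGroupSid') } | Sort-Object -Unique
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

foreach ($sid in $ruleSids) {
    $kind = switch -Regex ($sid) {
        '^S-1-1-0$'  { 'Everyone (well-known)'; break }
        '^S-1-5-32-' { 'BUILTIN local group'; break }
        '^S-1-5-21-' { 'domain or local SAM group'; break }
        '^S-1-12-1-' { 'Azure AD group (not evaluated by AppLocker)'; break }
        default      { 'other' }
    }
    # A SID that cannot be translated on this machine is itself a warning sign.
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { $name = '<cannot resolve on this machine>' }
    $inToken = if ($tokenSids -contains $sid) { 'IN token' } else { 'NOT in token' }
    '{0,-48} {1,-40} {2,-30} {3}' -f $sid, $name, $kind, $inToken
}

# 4. Recent EXE/DLL decisions from the AppLocker log (8004 = blocked, 8003 = audit-only).
#    The payload field names below are assumed for this example.
$nullRule = '^\{?0{8}-0{4}-0{4}-0{4}-0{12}\}?$'
$events = Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -FilterXPath '*[System[(EventID=8003 or EventID=8004)]]' -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    [xml]$x = $ev.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    $why = if ($d.RuleId -match $nullRule) { 'implicit deny: no allow rule matched this user' }
           else { "rule $($d.RuleId)" }
    '{0} {1} {2} user={3} -> {4}' -f $ev.TimeCreated, $ev.Id, $d.FilePath, $d.TargetUser, $why
}
```

If step 2 reports DeniedByDefault and step 3 shows every rule scoped to a SID marked NOT in token (for example a Domain Users SID on an Azure AD joined machine that cannot resolve it), the fix is the one from the post: scope the rule to a SID the token does contain, such as S-1-1-0 (Everyone) or a local group, and re-run step 2 before redeploying.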