Security Baseline / Application Control Policy Blocking Legitimate Application Execution — AppLocker, WDAC, or SRP
Security baseline policies or application control technologies (AppLocker, Windows Defender Application Control, Software Restriction Policies) block legitimate applications from executing, causing failures mistaken for software faults. Root cause is typically an overly restrictive or misconfigured policy applied via Group Policy or MDM. Resolution involves identifying the blocking rule via event logs, creating an appropriate allow rule (publisher, path, or hash), and redeploying the policy without weakening overall security posture.
Indicators
- Application fails to launch silently or displays 'This app has been blocked by your system administrator' message
- Event ID 8003 or 8004 in Microsoft-Windows-AppLocker/EXE and DLL log — application blocked by AppLocker policy
- Event ID 3076 or 3077 in Microsoft-Windows-CodeIntegrity/Operational — WDAC audit or enforcement block
- Event ID 865, 866, 867, or 868 in Application log — Software Restriction Policy blocked execution
- gpresult shows restrictive AppLocker or SRP policy applied to affected user or computer
- Application runs under local administrator account but fails under standard user account, suggesting policy scope differences
Likely causes
- AppLocker Executable, Script, or MSI rules do not include an allow rule for the affected application's path, publisher, or hash
- Windows Defender Application Control (WDAC) policy in enforcement mode does not trust the application's signing certificate or hash
- Software Restriction Policy (SRP) set to Disallowed by default with no matching path or certificate rule for the application
- Security baseline GPO (e.g., Microsoft Security Compliance Toolkit) applies restrictive settings that override local policy
- Application binary resides in a user-writable path (e.g., temp directories) blocked by default in applied policy
- Recently updated application binary whose hash no longer matches the hash-based allow rule in AppLocker or WDAC
Diagnostic steps
- Run Resultant Set of Policy to identify which GPOs are applied and check for AppLocker or SRP settings:
  gpresult /H C:\Temp\gpresult.html /F
  Determines which Group Policy Object is enforcing the application blocking rule and its scope (user vs computer).
- Review AppLocker event logs for block events:
  Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' | Where-Object { $_.Id -in @(8003,8004) } | Select-Object TimeCreated, Id, Message | Format-List
  Identifies the exact AppLocker rule collection and rule blocking the application, including file path and publisher details.
- Check the CodeIntegrity operational log for WDAC blocks:
  Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' | Where-Object { $_.Id -in @(3076,3077) } | Select-Object TimeCreated, Id, Message | Format-List
  Determines whether WDAC (rather than AppLocker or SRP) is responsible for blocking the application.
- Check Software Restriction Policy blocks in the Application log:
  Get-EventLog -LogName Application -Source 'Application Management' -Newest 100 | Where-Object { $_.EventID -in @(865,866,867,868) } | Select-Object TimeWritten, EventID, Message | Format-List
  Confirms whether legacy SRP is the blocking mechanism and identifies the restricted path or zone.
- Export the effective AppLocker policy:
  Get-AppLockerPolicy -Effective -Xml | Out-File C:\Temp\EffectiveAppLockerPolicy.xml
  Provides the full rule set so that missing or incorrect allow rules can be identified.
- Retrieve application attributes for rule creation:
  Get-AppLockerFileInformation -Path 'C:\Path\To\Application.exe' | Format-List
  Generates the exact attributes needed to create a correctly scoped allow rule (publisher, product name, binary name, version, hash).
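The diagnostic steps above query three separate logs by hand; the following added example (not part of the original runbook) does one pass over all of them and normalises the results so the responsible mechanism and its mode (audit vs enforce) can be read off directly. It assumes Windows PowerShell 5.1 or later in an elevated session on the affected endpoint; the look-back window and the file-name filter value are placeholders.

```powershell
# Added example: collect AppLocker, WDAC and SRP block events in one normalised list.
# Assumes an elevated Windows PowerShell session on the affected endpoint.
function Get-AppControlBlockEvents {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),   # look-back window (assumption)
        [string]$FileNameFilter                       # optional substring, e.g. 'Application.exe'
    )

    # Per mechanism: which log to read, which IDs matter, and which IDs mean an actual block
    # (the remaining IDs are audit-mode "would have been blocked" events).
    $sources = @(
        @{ Mechanism = 'AppLocker'; LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
           Ids = 8003, 8004;           Enforced = 8004 },
        @{ Mechanism = 'WDAC';      LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
           Ids = 3076, 3077;           Enforced = 3077 },
        @{ Mechanism = 'SRP';       LogName = 'Application'
           Ids = 865, 866, 867, 868;   Enforced = 865, 866, 867, 868 }
    )

    foreach ($s in $sources) {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        $events = Get-WinEvent -FilterHashtable @{ LogName = $s.LogName; Id = $s.Ids; StartTime = $Since } `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            if ($FileNameFilter -and $e.Message -notmatch [regex]::Escape($FileNameFilter)) { continue }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Mechanism   = $s.Mechanism
                Mode        = if ($e.Id -in $s.Enforced) { 'Enforce' } else { 'Audit' }
                EventId     = $e.Id
                # The first line of the message carries the path of the file that was blocked.
                Detail      = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Usage: last 7 days, only events mentioning the affected binary, enforcement blocks first.
Get-AppControlBlockEvents -Since (Get-Date).AddDays(-7) -FileNameFilter 'Application.exe' |
    Sort-Object Mode, TimeCreated -Descending |
    Format-Table TimeCreated, Mechanism, Mode, EventId, Detail -AutoSize
```

An empty result for all three mechanisms with the application still failing points away from application control and back at the application itself.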
Resolution path
- Identify the GPO containing the blocking policy using gpresult output or GPMC. Open the GPO in GPMC and navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker (or Software Restriction Policies).
- If AppLocker is blocking: add a Publisher, Path, or Hash allow rule for the affected application in the appropriate rule collection (Executable Rules, Script Rules, Windows Installer Rules, or Packaged App Rules). Use attributes captured by Get-AppLockerFileInformation. Apply with: Set-AppLockerPolicy -XMLPolicy C:\Temp\UpdatedPolicy.xml -Merge
- If WDAC is blocking: update the WDAC policy XML to add a signer rule or file rule for the application, re-sign the policy if required, and deploy via GPMC or Intune. Use WDAC Wizard or New-CIPolicy / Merge-CIPolicy cmdlets to generate the updated policy.
- If SRP is blocking: in the GPO navigate to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules and add a Path Rule or Certificate Rule set to Unrestricted for the affected application.
- Force Group Policy update and restart Application Identity service: gpupdate /force then Restart-Service -Name AppIDSvc
- If the block is caused by a security baseline GPO that should not be modified, place the affected computer or user in an OU where a more permissive policy is linked, or use GPO block inheritance or security filtering to exclude specific objects.
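For the AppLocker branch of the resolution path, the following added example (not part of the original runbook) builds the narrowest allow rule the binary supports, proves the rule matches before any policy is changed, then merges it and re-checks the effective policy. The paths and the rule-name prefix are placeholders; it assumes an elevated session on a machine whose effective policy is the GPO-delivered one.

```powershell
# Added example: create, verify, merge and re-verify an AppLocker allow rule for one binary.
# Paths and rule-name prefix are placeholders (assumption).
$AppPath      = 'C:\Path\To\Application.exe'
$EffectiveXml = 'C:\Temp\EffectiveAppLockerPolicy.xml'
$NewXml       = 'C:\Temp\UpdatedPolicy.xml'

function Get-Decision([string]$PolicyXmlPath) {
    # Asks "may Everyone run $AppPath under this policy?" without enforcing anything.
    Test-AppLockerPolicy -XmlPolicy $PolicyXmlPath -Path $AppPath -User Everyone |
        Select-Object -First 1 -ExpandProperty PolicyDecision
}

# 1. Record the decision under the current effective policy (expected: Denied or DeniedByDefault).
Get-AppLockerPolicy -Effective -Xml | Out-File $EffectiveXml
$before = Get-Decision $EffectiveXml

# 2. Capture the binary's attributes and build the tightest rule that fits:
#    a publisher rule if the file is signed, otherwise a hash rule (RuleType order is the preference).
$info = Get-AppLockerFileInformation -Path $AppPath
New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -RuleNamePrefix 'LOB-Allow' -User Everyone -Xml | Out-File $NewXml

# 3. Confirm the generated rule actually matches the file before touching any policy.
if ((Get-Decision $NewXml) -ne 'Allowed') {
    throw "Generated rule does not allow $AppPath; inspect $NewXml before merging."
}

# 4. Merge into the local policy (the GPO copy is updated the same way in GPMC or with -Ldap),
#    then re-export and re-test so the change is verified against the effective rule set.
Set-AppLockerPolicy -XmlPolicy $NewXml -Merge
Get-AppLockerPolicy -Effective -Xml | Out-File $EffectiveXml
$after = Get-Decision $EffectiveXml

$ruleType = if ($info.Publisher) { 'Publisher' } else { 'Hash' }
"Before: $before  After: $after  (rule type used: $ruleType)"
```

A hash rule is the fallback only; note the "Likely causes" entry above, since a hash rule breaks again on the next application update, whereas a publisher rule survives it.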
Prevention
- Deploy AppLocker or WDAC in Audit mode before switching to Enforcement mode; review audit logs across a representative sample of endpoints over at least two weeks to identify all applications that would be blocked, and create allow rules before enforcing.
- Maintain a tested, version-controlled application allow list and update it as part of the software deployment process — when a new application or update is approved for deployment, update AppLocker/WDAC rules in the same change request before rolling out the software.
- Use OU structure and GPO security filtering to ensure security baseline GPOs are scoped only to appropriate device populations (e.g., exclude PAW or specialised workstations from standard user baseline where needed).
- Subscribe to Microsoft Security Compliance Toolkit release notes and review baseline changes for AppLocker/SRP/WDAC settings before applying updates to production, testing in a representative pilot group first.
Tools
- gpresult — generates Resultant Set of Policy report to identify applied GPOs and security settings
- Get-AppLockerPolicy (PowerShell) — retrieves effective or GPO-based AppLocker policy XML
- Get-AppLockerFileInformation (PowerShell) — extracts publisher, hash, and path attributes from a binary for rule creation
- Set-AppLockerPolicy (PowerShell) — applies or merges an AppLocker policy XML
- WDAC Wizard (Microsoft) — GUI tool for creating and editing Windows Defender Application Control policies
- New-CIPolicy / Merge-CIPolicy (PowerShell) — creates and merges WDAC code integrity policies
- Group Policy Management Console (GPMC) — reviews and edits GPO-based application control policies
- Event Viewer / Get-WinEvent — reads AppLocker, CodeIntegrity, and Application event logs for block events