AppLocker Rules with Publisher Conditions Cannot be Automatically Generated for Digitally Signed Scripts

Applies To: Windows 7, Windows Server 2008 R2

This article describes a known issue in AppLocker where script files digitally signed by publishers cannot be used by the Automatically Generate Rules wizard to create a rule with publisher conditions.

This article applies to the following operating systems:

  • Windows® 7

  • Windows Server® 2008 R2

Symptoms

When running the Automatically Generate Rules wizard for AppLocker, or the AppLockerPolicy PowerShell cmdlet, AppLocker will not create rules with publisher conditions for script files that are digitally signed by a software publisher.

Cause

The Automatically Generate Rules wizard will only create rules with publisher conditions when the application file in question contains a product name, and digitally signed scripts do not include product names. As a result, the wizard will not create publisher conditions for signed scripts.

Workaround

Instead of creating publisher conditions for the signed scripts, the Automatically Generate Rules wizard for AppLocker, or the AppLockerPolicy PowerShell cmdlet, will create conditions based on the path or file hash preferences that you have previously specified for files that are not signed. Alternatively, you can create a rule for the script using the Single Rule wizard. Once a single rule has been created for the script, all of that publisher’s signed scripts can then be executed.
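An added PowerShell example (not part of the original article) that makes this fallback visible before a policy is imported: it lists the publisher information AppLocker extracts from each signed script, generates rules with publisher conditions preferred and file hash as the fallback, and counts which rule types actually landed in the Script rule collection. The directory C:\Scripts is an assumed placeholder.

```powershell
# Assumed location of the signed scripts (placeholder; adjust as needed).
$scriptDir = 'C:\Scripts'

# 1. Inspect what AppLocker extracts from each script. For a signed script the
#    Publisher object is populated but ProductName is empty, and ProductName is
#    the property the wizard requires before it will emit a publisher condition.
$info = Get-AppLockerFileInformation -Directory $scriptDir -FileType Script -Recurse
$info | Select-Object Path,
    @{ n = 'PublisherName'; e = { $_.Publisher.PublisherName } },
    @{ n = 'ProductName';   e = { $_.Publisher.ProductName } },
    @{ n = 'Hash';          e = { $_.Hash } } |
    Format-Table -AutoSize

# 2. Ask for publisher rules first, with hash rules as the fallback, and get
#    the resulting policy back as XML instead of a policy object.
$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml

# 3. Count what was actually produced in the Script collection. Signed scripts
#    show up here as FileHashRule entries, not FilePublisherRule entries.
[xml]$policy  = $xml
$scriptRules  = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
'Publisher rules in Script collection: {0}' -f @($scriptRules.FilePublisherRule).Count
'Hash rules in Script collection:      {0}' -f @($scriptRules.FileHashRule).Count

# 4. Save the XML for review; a hash rule breaks on every script update, so
#    replace the hash entries with a manually created publisher rule before
#    importing with Set-AppLockerPolicy.
$xml | Out-File -FilePath "$env:TEMP\ScriptRules.xml" -Encoding UTF8
```

Run this in an elevated PowerShell session with the AppLocker module loaded (`Import-Module AppLocker`); a non-zero publisher-rule count means the script files carried a product name and were not affected by this issue.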