When you configure the default AppLocker Script rules in a Group Policy Object (GPO), one of the ones it adds is for:
Except that, when a user logs on, if you’ve enabled the AppLocker MSI and Script event log, you still get the following event logged:
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
Date: 20/08/2013 11:37:21
Event ID: 8007
Task Category: None
Level: Error
Keywords:
User: RCMTech\JohanSmythe
Computer: RDS2012-01.rcmtech.co.uk
Description: C:\USERS\JOHA~1\APPDATA\LOCAL\TEMP\2\GETPATHS.CMD was prevented from running.
Which is a nuisance. I’ve not noticed anything bad as a result of this being blocked, but I’m going to assume that it shouldn’t be blocked, because there’s a default rule that looks like it should allow it to run. Plus it’s messy to have errors being logged unnecessarily.
So after a bit of experimentation, it seems as though at least part of the problem is the %OSDRIVE% “special” AppLocker variable. I’ve now added a rule for the following path, and getpaths.cmd is running fine:
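To check which scripts are being blocked and which rule (if any) the effective policy matches for each path, the following PowerShell is an added example and not part of the original post; it assumes the AppLocker module (Windows 8 / Server 2012 or later), the MSI and Script log enabled as above, and the English "was prevented from running." message text.

```powershell
# Added example: list scripts blocked by AppLocker (event 8007 in the
# "MSI and Script" log) and test each blocked path against the effective
# policy with Test-AppLockerPolicy, so you can see which rule matches the
# path the rule engine actually evaluated.
Import-Module AppLocker

# Effective policy = local policy merged with GPO policy, as AppLocker applies it.
$policyXml = Get-AppLockerPolicy -Effective -Xml

# Most recent 50 "was prevented from running" events (8007 = script/MSI blocked).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8007
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the path out of the message text (assumes the English message format).
    if ($e.Message -match '^(?<path>.+?) was prevented from running\.') {
        $path = $Matches['path']
    } else {
        continue
    }

    # The event reports the short (8.3) form, e.g. C:\USERS\JOHA~1\...; resolve it
    # to the long form when the file still exists so the test sees the real path.
    if (Test-Path -LiteralPath $path) {
        $longPath = (Get-Item -LiteralPath $path).FullName
    } else {
        # Test-AppLockerPolicy needs the file on disk; temp scripts are often gone.
        [pscustomobject]@{
            Event = $e.TimeCreated; FilePath = $path
            PolicyDecision = 'file no longer exists'; MatchingRule = ''
        }
        continue
    }

    # Test as the account the script ran under (SID from the event record);
    # falls back to Everyone if the event carries no user.
    $user = if ($e.UserId) { $e.UserId.Value } else { 'Everyone' }
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $longPath -User $user |
        Select-Object @{n = 'Event'; e = { $e.TimeCreated }},
                      FilePath, PolicyDecision, MatchingRule
}
```

A result of Denied or DeniedByDefault with an empty MatchingRule for a path under the user profile is the symptom described above: the default %OSDRIVE%-based rule is not matching the path as logged.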