<AppLockerPolicy Version="1"> <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="e8aaa8bb-8335-4fa3-ba4b-b38b0d091862" Name="All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="fc489625-164e-4d79-9ae7-e4497ce3d396" Name="All signed packaged apps (except Edge and Search)" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> <Exceptions> <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftEdge.Stable" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Search" BinaryName="*"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Exceptions> </FilePublisherRule> </RuleCollection> <RuleCollection Type="Dll" EnforcementMode="NotConfigured" /> <RuleCollection Type="Exe" EnforcementMode="Enabled"> <FilePathRule Id="35f41f42-11c0-4455-8723-5a4116fc1002" Name="All files located in the Windows folder (except notepad)" Description="Allows members of the Everyone group to run applications that are located in the Windows folder with exceptions." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%WINDIR%\*" /> </Conditions> <Exceptions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="NOTEPAD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Exceptions> </FilePathRule> <FilePathRule Id="b03ff384-aa20-4db0-bbee-82c7f7c47ab3" Name="All files located in the Program Files folder (except Edge, IE, and Wordpad)" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder with exceptions." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePathCondition Path="%PROGRAMFILES%\*" /> </Conditions> <Exceptions> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="INTERNET EXPLORER" BinaryName="IEXPLORE.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT EDGE" BinaryName="MSEDGE.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="WORDPAD.EXE"> <BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition> </Exceptions> </FilePathRule> <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow"> <Conditions> <FilePathCondition Path="*" /> </Conditions> </FilePathRule> </RuleCollection> <RuleCollection Type="Msi" EnforcementMode="NotConfigured" /> <RuleCollection Type="Script" EnforcementMode="NotConfigured" /> </AppLockerPolicy>