🟠 High   ⏱ 5–30 min  Last verified: 01 April 2027
Affected versions: Windows Server 2019

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Legitimate applications fail to launch on Windows Server 2019 because conflicting AppLocker rules – typically an explicit deny overriding a publisher allow – block executables, scripts, or MSI installers.

Environment & Reproduction

Seen after merging AppLocker policy sets from different baselines or piloting new deny rules.

Get-AppLockerPolicy -Effective
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20

Root Cause Analysis

AppLocker evaluates deny first; a single deny rule with broader scope can override publisher or path allow rules.

Quick Triage

Capture the block event and policy snapshot.

Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -FilterXPath "*[System[EventID=8004]]" -MaxEvents 20
Get-AppLockerPolicy -Effective -Xml | Out-File C:Tempapplocker.xml

Step-by-Step Diagnosis

Test rule logic against the blocked file.

Test-AppLockerPolicy -Path 'C:Program FilesAppapp.exe' -User 'CORPjdoe' -PolicyObject (Get-AppLockerPolicy -Effective)
Get-AppLockerFileInformation -Path 'C:Program FilesAppapp.exe'

Solution – Primary Fix

Narrow the deny rule or add a publisher allow exception.

Still having issues? Our IT Consulting team can diagnose and resolve this for you. Get in touch for a free consultation.

$pol = Get-AppLockerPolicy -Local
$pol.RuleCollections | Where-Object {$_.RuleCollectionType -eq 'Exe'} | Remove-AppLockerPolicy -Rules
Set-AppLockerPolicy -PolicyObject $pol

Solution – Alternative Approaches

Switch the rule collection to Audit Only while the conflict is investigated.

Get-AppLockerPolicy -Local -Xml | Out-File C:Temppol.xml
# edit EnforcementMode='AuditOnly'
Set-AppLockerPolicy -XmlPolicy C:Temppol.xml

Verification & Acceptance Criteria

Applications launch and no new 8004 events appear.

Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 10

Rollback Plan

Restore prior policy XML if business risk requires the deny rule.

Set-AppLockerPolicy -XmlPolicy C:Tempprior-applocker.xml

Prevention & Hardening

Use publisher rules where possible, document exceptions, and pilot policy in Audit mode first.

Get-AppLockerPolicy -Effective -Xml | Out-File C:Tempapplocker-baseline.xml

Related to Smart Screen blocks, Windows Defender quarantines, and Code Integrity policies.

Related tutorial: View the step-by-step tutorial for Windows Server 2019.

View all Windows Server 2019 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Microsoft Learn: AppLocker rule design and enforcement modes.

Illustrative mockup for windows-server-2019 β€” terminal_or_powershell
Diagnostics commands in PowerShell β€” Illustrative mockup β€” Progressive Robot
Illustrative mockup for windows-server-2019 β€” event_or_log_viewer
Event log verification for Windows Server 2019 β€” Illustrative mockup β€” Progressive Robot

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.