Hi there,
I've got a set of rules in an AppLocker policy that I'm applying via Group Policy for a particular W2K8R2 server.
I've created a deny-by-default policy with the default rules added.
I need a wildcard Path 'Allow' rule for a set of DLLs all located under two folders: C:\Program Files\Common Files\System and C:\Program Files (x86)\Common Files\System
This, in theory, should be fairly simple. I've created the following rule (using the 'Browse Folders' button in the creation wizard, not typing it manually):
%PROGRAMFILES%\Common Files\System\*
The XML of the rule looks like
<FilePathRule Id="8988a14f-501a-4494-a865-0ab3aed42252" Name="Database DLLs" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\Common Files\System\*" /></Conditions></FilePathRule>
However, it doesn't seem to work, and I don't know why. AppLocker refuses to allow the DLLs to run (logging errors in Audit mode, and actually preventing it in Enforce mode).
An extract of a random error event logged to the AppLocker log looks like:
Description: %PROGRAMFILES%\COMMON FILES\SYSTEM\ADO\MSADER15.DLL was prevented from running.
Log Name: Microsoft-Windows-AppLocker/EXE and DLL
Source: AppLocker
Logged: 12/11/2013 5:22:37 PM
Event ID: 8004
Level: Error
If I try and use the Test-AppLockerPolicy cmdlet on some of the DLLs I get the following results:
PS C:\Users\alan> Test-AppLockerPolicy -XmlPolicy C:\users\alan\Desktop\policy.xml -Path `
>> 'C:\Program Files\Common Files\System\ado\msader15.dll' -User 'myusername@MYDOMAIN' | fl *
>>

FilePath       : C:\Program Files\Common Files\System\ado\msader15.dll
PolicyDecision : DeniedByDefault
MatchingRule   :

PS C:\Users\alan>
If I don't create a wildcard rule and instead create a Path 'Allow' rule for each individual DLL it works correctly (both using Test-AppLockerPolicy and in reality); however, this hardly seems to be an ideal solution. For example:
<FilePathRule Id="dff2f892-b81c-4ca7-a754-2e27e8a9f194" Name="msader15" Description="" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\Common Files\System\ado\msader15.dll" /></Conditions></FilePathRule>
results in:
PS C:\Users\alan> Test-AppLockerPolicy -XmlPolicy C:\users\alan\Desktop\policyv2.xml -Path `
>> 'C:\Program Files\Common Files\System\ado\msader15.dll' -User 'myusername@MYDOMAIN' | fl *
>>

FilePath       : C:\Program Files\Common Files\System\ado\msader15.dll
PolicyDecision : Allowed
MatchingRule   : msader15

PS C:\Users\alan>
I'm somewhat baffled by it all. Has anyone got any idea what I might be missing?
Cheers,
- Alan
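The check a practitioner would want before switching a policy like this to Enforce is to evaluate every DLL under both folders against the policy in one pass, rather than testing files one at a time. The script below is an added example and is not part of Alan's post: it writes a minimal policy XML containing only a DLL rule collection with the wildcard Allow rule from the question (the rule Id is a constructed placeholder GUID, and the EnforcementMode value is an assumption), enumerates the DLLs under the two folders named in the question, runs Test-AppLockerPolicy over all of them, and lists the files that would still be denied. The `$User` value is the placeholder from the question; `$env:ProgramFiles` resolves to the 32-bit directory when run from a 32-bit PowerShell host, so run it from a 64-bit session.

```powershell
# Added example (not from the original post): bulk-evaluate DLLs against a
# policy XML and report anything the wildcard path rule does not cover.

$PolicyPath = Join-Path $env:TEMP 'applocker-dll-test.xml'
$User       = 'myusername@MYDOMAIN'   # placeholder, as in the question

# Minimal policy with a single DLL rule collection. Everything not matched by
# the one Allow rule falls through to DeniedByDefault, as in the poster's
# policy. The Id is a constructed example GUID; AuditOnly is an assumption.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="Database DLLs" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Common Files\System\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $PolicyPath -Encoding UTF8

# Both folders named in the question; skip any that do not exist on this host.
$folders = @(
    "$env:ProgramFiles\Common Files\System",
    "${env:ProgramFiles(x86)}\Common Files\System"
) | Where-Object { Test-Path $_ }

# Enumerate DLLs recursively (PSIsContainer filter keeps this PowerShell 2.0
# compatible, which matters on Windows Server 2008 R2).
$dlls = Get-ChildItem -Path $folders -Filter *.dll -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object -ExpandProperty FullName

# Evaluate every path against the policy for the given user in one call.
$results = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $dlls -User $User

# Summary: how many files land on each decision.
$results | Group-Object PolicyDecision | ForEach-Object {
    '{0,-16} {1,5} file(s)' -f $_.Name, $_.Count
}

# Detail: the files the policy would still block, with the (empty) matching
# rule, so they can be compared against the rule's path condition.
$results | Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

If the summary shows every DLL as Allowed with MatchingRule set to the wildcard rule, the XML itself is sound and the problem lies in how the deployed policy differs from the file being tested (for example, which rule collection the rule actually sits in after the Group Policy merge); if the files come back DeniedByDefault here too, the mismatch is in the path condition and can be narrowed by editing the XML in `$PolicyPath` and re-running the script.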