Hi all! I have run into an issue while deploying Windows 8.1 Enterprise using MDT 2013 with applocker policies applied. During testing I have had no issues with the default provisioned Store Apps but I have recently configured an applocker policy that will prevent any apps from being installed other than those provided by Windows. When I test the policy on a running computer it appears that everything is working correctly - any of the original provisioned apps can be run or re-installed from the Store and any other apps will not install.
With this policy applied when a machine images and joins the domain none of the provisioned apps will successfully download and install but instead they get an x in the lower right-hand corner. I have verified that the Applocker policy is the culprit by disabling it and imaging a new computer which successfully installed the default apps. What is going on here? If the policy seems to work on a computer during normal operation why does it prevent the apps from initially downloading? Is this a bug in the way Applocker works?
The policy is configured as such:
Executable Rules - Enforced Audit Only - Created default rules
Packaged App Rules - Enforced - Auto-created rules based on a machine with default configured apps
One workaround I am considering is to make sure the Applocker policy doesn't apply in the staging OU so the apps will download and be in a working state. These computers could then be moved to an OU with the Applocker policy linked so that it will begin to prevent the installation of other apps. This is not a desirable method but could be a stop-gap until this bug is worked out.
Please let me know if there is any other info I can provide to make this issue clearer. Thanks!