You have configured AppLocker rules on a Windows 11 Pro for Workstations machine, but the rules are not being enforced. Applications that should be blocked run normally, and allowed applications are blocked incorrectly. This issue typically occurs because the Application Identity service is not running, Group Policy has not applied correctly, or the rules are stored in a location the system does not read. This article explains why AppLocker rules are ignored on Windows 11 Pro for Workstations and provides a step-by-step fix to make them work.
Key Takeaways: Restoring AppLocker Rule Enforcement on Windows 11 Pro for Workstations
- Services console (services.msc): Ensure the Application Identity service is running and set to Automatic startup type.
- Event Viewer > Applications and Services Logs > Microsoft > Windows > AppLocker: Check event logs for rule parsing errors or missing policy application.
- Local Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker: Verify rules are present and enforced after a gpupdate /force.
Why AppLocker Rules Are Ignored on Windows 11 Pro for Workstations
AppLocker relies on the Application Identity service to evaluate and enforce rules. If this service is stopped or set to Manual, AppLocker does not function. Windows 11 Pro for Workstations includes the same AppLocker engine as other editions, but the default service configuration may differ due to performance optimizations. Additionally, Group Policy refresh cycles may fail silently if the client cannot reach a domain controller or if the local policy store is corrupted. Rules stored in a custom XML file that is not referenced by the AppLocker policy are also ignored.
Application Identity Service State
The Application Identity service must be running for AppLocker to evaluate any rule. On a clean installation of Windows 11 Pro for Workstations, this service is set to Manual and started only when needed. If the service is stopped when a user launches an application, AppLocker does not block or allow it. The service must be set to Automatic and started before AppLocker can enforce rules.
Group Policy Application Failures
AppLocker rules are applied through Group Policy. If the machine is domain-joined, the policy must be refreshed and applied correctly. A failed Group Policy update due to network issues, permission errors, or a corrupted policy file leaves the old rules in place or no rules at all. The Resultant Set of Policy tool (rsop.msc) can show whether the AppLocker policy is applied.
Rule Syntax and Storage Issues
AppLocker rules are stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2. If this key is missing or contains malformed entries, the system ignores the rules. Rules exported to an XML file and imported incorrectly can also cause parsing errors. Event ID 8004 in the AppLocker operational log indicates a rule parsing failure.
Steps to Fix AppLocker Rules Ignored on Windows 11 Pro for Workstations
Follow these steps in order. Each step addresses a specific root cause. Verify AppLocker enforcement after each step by launching a blocked application.
- Start the Application Identity Service and Set It to Automatic
  Press Win + R, type services.msc, and press Enter. Locate Application Identity in the list. Right-click it and select Properties. In the Startup type dropdown, choose Automatic. Click Apply, then click Start. Click OK. This ensures the service runs at boot and enforces rules immediately.
- Force a Group Policy Update
  Open Command Prompt as Administrator. Type gpupdate /force and press Enter. Wait for the update to complete. If errors appear, run gpresult /h gpresult.html to generate an HTML report. Open the report in a browser and check the Administrative Templates section for AppLocker policy settings.
- Verify AppLocker Rules in Local Group Policy Editor
  Press Win + R, type gpedit.msc, and press Enter. Navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker. Click Executable Rules, Windows Installer Rules, Script Rules, and Packaged app Rules. Confirm that rules exist and the Enforcement setting is not set to Not configured. Right-click AppLocker and select Properties. Under Enforcement, set each rule collection to Enforce rules.
- Check the AppLocker Operational Event Log for Errors
  Open Event Viewer (eventvwr.msc). Expand Applications and Services Logs > Microsoft > Windows > AppLocker. Click Operational. Look for Event IDs 8003 (rule applied), 8004 (rule parsing error), or 8005 (rule not applied). If you see Event 8004, export the AppLocker rules to an XML file, delete all rules in gpedit.msc, and re-import the XML using the Import Policy action.
- Reset AppLocker Policy to Default and Reapply
  Open an elevated Command Prompt. Run secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose to reset security policy. Then open gpedit.msc and re-create your AppLocker rules. This step fixes corrupted policy storage in the registry.
- Verify the SrpV2 Registry Key
  Press Win + R, type regedit, and press Enter. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2. Ensure this key exists and contains subkeys for each rule collection (Exe, Msi, Script, Appx). If the key is missing, AppLocker rules are not being read. Reapply the policy via gpedit.msc or Group Policy Management Console.
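The checks behind the steps above can be run in one pass from an elevated PowerShell session. The script below is an added example, not part of this article: it reports the Application Identity service state, the SrpV2 key and its rule-collection subkeys, the enforcement mode of each collection in the effective policy, and the event volume per ID in the AppLocker operational logs. The -Fix switch and the 24-hour event window are choices of this example.

```powershell
# Added diagnostic script (not from the article). Run elevated. -Fix repairs the
# service configuration; everything else is read-only.
param([switch]$Fix)

# 1. Application Identity service (service name AppIDSvc) must be Automatic and running.
$svc = Get-Service -Name AppIDSvc
"Application Identity: Status=$($svc.Status) StartType=$($svc.StartType)"
if ($Fix -and ($svc.StartType -ne 'Automatic' -or $svc.Status -ne 'Running')) {
    # AppIDSvc is a protected service on current Windows builds; Set-Service can be
    # refused with Access denied, so the start type is changed with sc.exe instead.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    "  -> start type set to auto and service started"
}

# 2. Local policy store: SrpV2 key with one subkey per rule collection (Exe, Msi, Script, Appx).
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
if (Test-Path $srp) {
    "SrpV2 subkeys: $((Get-ChildItem $srp).PSChildName -join ', ')"
} else {
    "SrpV2 key missing: no AppLocker policy has been written locally (run gpupdate /force)"
}

# 3. Effective policy: a collection whose EnforcementMode is NotConfigured or AuditOnly
#    never blocks anything, however many rules it holds.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    "{0,-8} EnforcementMode={1,-14} rules={2}" -f $rc.Type, $rc.EnforcementMode, @($rc.ChildNodes).Count
}

# 4. Event count per ID in the AppLocker operational logs for the last 24 hours.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
foreach ($log in $logs) {
    $filter = @{ LogName = $log; StartTime = (Get-Date).AddHours(-24) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    "$log : $($events.Count) events"
    $events | Group-Object Id | Sort-Object { [int]$_.Name } |
        ForEach-Object { "  Id {0}: {1}" -f $_.Name, $_.Count }
}
```

A collection with rules but EnforcementMode NotConfigured is the most common finding when the service is already running; that is the gpedit.msc Enforcement setting from step three.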
If AppLocker Rules Are Still Ignored on Windows 11 Pro for Workstations
AppLocker Rules Not Applying After a Windows Update
A Windows Update may reset the Application Identity service startup type to Manual. Check the service state again. Also verify that the update did not change the AppLocker policy enforcement setting back to Not configured. Reapply the enforcement setting in gpedit.msc.
Rules Applied but Blocked Applications Still Run
This occurs when the blocked application is running from a location that is not covered by the rule. For example, a rule blocking C:\Program Files\ does not block an executable launched from a USB drive. Review the path, publisher, or file hash conditions in your rules. Use the Create Default Rules action in gpedit.msc to apply the built-in default rules that cover the Windows folder and Program Files.
Event ID 8004: Rule Parsing Error
The rule XML file contains invalid syntax. Export all rules to XML, open the file in Notepad, and check for mismatched tags or missing closing elements. Re-import the corrected XML. If you cannot fix the XML, delete all rules and recreate them manually.
AppLocker Rule Storage Locations: Local Group Policy vs XML Import
| Item | Local Group Policy (gpedit.msc) | XML Import (PowerShell or MMC) |
|---|---|---|
| Storage location | Registry under SrpV2 key | Flat XML file on disk |
| Enforcement method | Automatic on policy refresh | Requires manual import and service restart |
| Service dependency | Application Identity must be running | Application Identity must be running |
| Error detection | Event ID 8004 if parsing fails | Event ID 8004 if parsing fails |
| Best for | Single machine or small workgroup | Bulk deployment across multiple machines |
AppLocker rules ignored on Windows 11 Pro for Workstations are almost always caused by the Application Identity service being stopped or the policy not being applied. After starting the service and forcing a Group Policy update, check the event logs for parsing errors. If the problem persists, reset the policy using secedit and reapply rules through gpedit.msc. As an advanced tip, use the PowerShell cmdlet Get-AppLockerPolicy -Effective to verify which rules are currently active on the machine without opening the Group Policy editor.
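To tell a coverage gap (the "blocked applications still run" case above) apart from an enforcement problem, ask the effective policy what it would decide for the same binary in two locations. This is an added example, not code from the article: it pipes Get-AppLockerPolicy -Effective into Test-AppLockerPolicy for notepad.exe in System32 and for a copy placed in the user's temp folder; the copy location and choice of notepad.exe are this example's own.

```powershell
# Added example (not from the article). Run in PowerShell on the affected machine.
$original = Join-Path $env:windir 'System32\notepad.exe'
$copy     = Join-Path $env:TEMP 'notepad-copy.exe'   # user-writable, outside default-rule paths
Copy-Item -Path $original -Destination $copy -Force

try {
    $policy = Get-AppLockerPolicy -Effective
    # Test-AppLockerPolicy reports the rule outcome per path (Allowed, Denied,
    # AllowedByDefault, DeniedByDefault) and the matching rule. It evaluates rules only;
    # it does not tell you whether the collection is enforced, so read the result
    # together with the collection's EnforcementMode.
    $policy | Test-AppLockerPolicy -Path $original, $copy -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} finally {
    Remove-Item -Path $copy -ErrorAction SilentlyContinue
}
```

If the copy is reported as Denied yet still launches, the rules are fine and the fault is the service or the enforcement mode; if it is Allowed or AllowedByDefault, the rule conditions do not cover that location.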