"Rules cannot be created for the following files" error message in AppLocker when you try to select certain files

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 Datacenter

Symptoms


When you try to use AppLocker, the AppLocker rule wizard GUI does not let you select a file that has a file name extension other than any of the following:
  • Executable files (.exe, .com)
  • Scripts (.js, .ps1, .vbs, .cmd, .bat)
  • Windows Installer files (.msi, .msp)
  • DLL files (.dll, .ocx)
For any file that has a file name extension that is not included on this list, if you try to use the New-AppLockerPolicy AppLocker Windows PowerShell cmdlet to create a file path rule, you receive the following error message:

Rules cannot be created for the following files: <filename>
Note Files that have file name extensions other than those that are on this list are blocked by AppLocker if there are no ALLOW rules to enable these files to run. For example, Windows PowerShell .psm1 script files and Adobe .aip files are blocked.

Cause


This behavior occurs because AppLocker checks the file header information and not the file name extension during policy checking. For example, .psm1 files are treated as scripts, and .aip files are treated as DLLs. This behavior is by design.

AppLocker tools currently do not let you manage individual files that have a file name extension other than those that are listed in the "Symptoms" section.

Workaround


To work around this behavior, create ALLOW rules that are based on the folder location of these files.

Note You can directly type the full file path in the AppLocker wizard. However, we do not recommend that you do this. If you create individual rules for each file, the large number of rules that results can adversely affect the performance of Windows.
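The following Windows PowerShell script is an added example and is not part of this article. It builds an AppLocker policy file that contains folder-based ALLOW rules for the Script and Dll rule collections (the collections that AppLocker assigns .psm1 and .aip files to, based on the file header), tests a sample file against that policy, and then merges it into the local policy. The folder paths, the sample file name and the rule names are assumptions; the GUIDs are generated when the script runs.

```powershell
# Added example, not from the original article. Creates folder-based ALLOW rules
# instead of per-file rules, which the AppLocker tools cannot create for these files.

$moduleFolder = 'C:\Tools\Modules'              # assumed: folder that holds .psm1 files
$aipFolder    = 'C:\Program Files\Vendor\App'   # assumed: folder that holds .aip files
$policyPath   = Join-Path $env:TEMP 'FolderAllowPolicy.xml'

# Builds one <FilePathRule> element. Path conditions use a folder path that ends in '\*'.
# UserOrGroupSid S-1-1-0 is the Everyone group.
function New-FolderAllowRule {
    param([string]$Name, [string]$Folder)
    $id   = [guid]::NewGuid().ToString()
    $path = $Folder.TrimEnd('\') + '\*'
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="Folder-based ALLOW rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

# AuditOnly records would-be blocks in the AppLocker event log without enforcing them.
# Change it to "Enabled" after the log shows only the expected decisions.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-FolderAllowRule -Name 'Allow scripts in Tools\Modules' -Folder $moduleFolder)
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
$(New-FolderAllowRule -Name 'Allow DLL-type files in Vendor\App' -Folder $aipFolder)
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Evaluate a sample file (assumed to exist) against the XML before the live policy is changed.
# PolicyDecision is Allowed, Denied or DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path (Join-Path $moduleFolder 'Example.psm1') -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge the folder rules into the local AppLocker policy (run from an elevated prompt).
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

A folder-based ALLOW rule applies to every file that is later placed in that folder, so only use it for folders that standard users cannot write to; check the folder ACL before you enable the rule. Enabling the Dll rule collection means that every DLL that is loaded on the computer is evaluated, so keep that collection in AuditOnly mode until the event log confirms that the required DLLs are covered by rules.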

Status


This behavior is by design.

More Information


For more information about how to create rules in AppLocker, see the following Microsoft TechNet topic: