Hello Ismail,
What’s happening here is that AppLocker is enforcing script rules and blocking your legacy logon script because it’s running outside the approved execution path. Since AppLocker evaluates publisher, path, and hash rules, anything in \\domain\netlogon or redirected folders that isn’t explicitly whitelisted will be denied.
The clean way forward is to either sign the script and create a publisher rule to allow it, or move it into a trusted path that your AppLocker policy permits. If you can’t change the script location, you’ll need to add a specific path rule in the AppLocker GPO for that logon script directory. Avoid simply disabling enforcement, as that defeats the security model. Once the rule is updated and applied, the onboarding pipeline will run again without breaking your AppLocker protections.
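
The sign-and-publisher-rule route described in the answer above, as an added PowerShell example that is not part of the original post. The script path, certificate thumbprint and GPO distinguished name are placeholders, and it assumes the logon script is a `.ps1` file that can carry an Authenticode signature.

```powershell
# Added example: every path, thumbprint and DN below is a placeholder (assumption).
Import-Module AppLocker

$script  = '\\example.test\NETLOGON\onboard.ps1'   # hypothetical logon script
$thumb   = '<CODE-SIGNING-CERT-THUMBPRINT>'        # placeholder
$gpoLdap = 'LDAP://CN={<GPO-GUID>},CN=Policies,CN=System,DC=example,DC=test'  # placeholder

# 1. Sign the script with a code-signing certificate from the user's store.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $thumb -and $_.NotAfter -gt (Get-Date) }
if (-not $cert) { throw 'Code-signing certificate not found or expired.' }

$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 2. Derive a publisher rule from the signed file. Publisher rules survive
#    later edits to the script as long as it is re-signed by the same publisher;
#    a hash rule would have to be regenerated after every change.
$policy = Get-AppLockerFileInformation -Path $script |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'LogonScript'

# 3. Check the rule against the file before touching the GPO.
$result = Test-AppLockerPolicy -PolicyObject $policy -Path $script -User Everyone
$result | Format-List FilePath, PolicyDecision, MatchingRule
if ($result.PolicyDecision -ne 'Allowed') {
    throw "Rule does not allow $script (decision: $($result.PolicyDecision))"
}

# 4. Merge the new rule into the existing AppLocker GPO instead of replacing it.
Set-AppLockerPolicy -PolicyObject $policy -Ldap $gpoLdap -Merge

# Path-rule alternative from the answer: swap -RuleType Publisher for -RuleType Path.
# Only use it when standard users cannot write to the script directory,
# otherwise anything dropped there is allowed to run.
```

After the GPO refreshes on a client, `Get-AppLockerPolicy -Effective -Xml` shows whether the merged rule has arrived.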