Understanding AppLocker allow and deny actions on rules
This article explains the differences between allow and deny actions on AppLocker rules.
Allow action versus deny action on rules
Each AppLocker rule collection functions as an explicit allowlist of files. You can only run files that are covered by one or more allow rules within the rule collection. You can also create rules that explicitly deny some files from running. All other files not covered by an explicit Allow or Deny rule are implicitly blocked from running. Understanding this block by default, allow by exception behavior is critical when analyzing how your policy affects users in your organization.
When AppLocker applies rules, it first checks whether any explicit deny actions are specified in the rule list. If you deny a file from running in a rule collection, the deny action takes precedence over any allow action and can't be overridden. Then, AppLocker checks for any explicit allow actions for the file. Because AppLocker functions as an allowlist by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action blocks the file.
Using AppLocker to implement a blocklist
Although you can use AppLocker to create an explicit blocklist policy, this approach doesn't scale well for most organizations and isn't recommended as a practical application control strategy. However, if you choose to do so, be sure to include an "allow *" rule within the rule collection so that all other files run.
Important
If you don't include allow rules for all required apps, including Windows system files, within a rule collection, you will cause unexpected results because your policy will implicitly deny all other files on the computer from running.