
Now that we are using a private store, I'm trying to reduce the number of AppLocker packaged app rules a bit. I'm looking into publisher-only rules (currently there is one rule per Microsoft Store application).
We want to apply a single rule for all Microsoft applications (which would help cut the rules by 90%).
I'm trying to figure out why my publisher-only rule isn't working.
For simplicity I applied a rule to the Windows Store only. It runs and opens fine.
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="963d36c4-c0dd-4831-b4f4-240bd4b75813" Name="Packaged app: Microsoft.WindowsStore, version 12001.1001.1.0, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
If I apply this policy rule (allow all Microsoft-signed apps), the Store is blocked.
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="939fb295-f744-4298-bc31-be2e6178c15e" Name="Signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
Then, if I enable both the Store and all Microsoft-published apps, the Store shows up, but the apps curated by Microsoft are not allowed.
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="963d36c4-c0dd-4831-b4f4-240bd4b75813" Name="Packaged app: Microsoft.WindowsStore, version 12001.1001.1.0, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="939fb295-f744-4298-bc31-be2e6178c15e" Name="Signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
Here is what my registry looks like under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Appx with the 2 rules (Store and all Microsoft):
Answer 1
I looked in the event log (Microsoft -> Windows -> AppLocker -> Packaged app-Deployment) to see whether anything was being blocked.
The General tab wasn't much help, but going to the XML details I found the correct publisher value.
<FilePublisherRule Id="939fb295-f744-4298-bc31-be2e6178c15f" Name="Signed by Microsoft Corporation (Different CN)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=MICROSOFT CORPORATION, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
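As an added example (not code from the question or the answer above), the following PowerShell shows how to get the publisher string from the installed packages themselves rather than typing it by hand, how to generate Appx publisher rules with the inbox AppLocker cmdlets, and how to pull the UserData XML out of blocked packaged-app events the way the answer did in Event Viewer. AppLocker packaged app rules compare PublisherName against the subject of the certificate that signed the package, so the string in the rule has to match what the package actually carries. The helper names `Test-PublisherRule` and `Get-AppLockerAppxBlocks` are my own, and the script assumes the AppLocker module is present (it ships inbox on Windows 10/11).

```powershell
# Added example, not part of the original post: inspect real publisher strings,
# generate publisher rules from them, and read blocked-event XML detail.
Import-Module AppLocker   # assumption: AppLocker cmdlets available on this host

# 1. Which publisher subjects sign the packages that are actually installed?
#    This Publisher property is the value AppLocker compares with PublisherName.
Get-AppxPackage -AllUsers |
    Where-Object { -not $_.IsFramework } |
    Group-Object Publisher |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Let AppLocker build the publisher rules from the installed packages.
#    New-AppLockerPolicy emits one publisher rule per package it sees; the
#    PublisherName values in that XML are the ones to reuse (with ProductName="*")
#    when collapsing to a single per-publisher rule.
$info = Get-AppLockerFileInformation -Packages (Get-AppxPackage -AllUsers)
$policyXml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml
$policyXml | Out-File -Encoding utf8 "$env:TEMP\appx-publisher-rules.xml"

# 3. Check a hand-written PublisherName against installed packages, reporting
#    whether it matches exactly or only when case is ignored (hypothetical helper).
function Test-PublisherRule {
    param([Parameter(Mandatory)][string]$RulePublisherName)
    $installed = (Get-AppxPackage -AllUsers).Publisher | Sort-Object -Unique
    $exact = @($installed | Where-Object { $_ -ceq $RulePublisherName })
    $loose = @($installed | Where-Object { $_ -ieq $RulePublisherName })
    [pscustomobject]@{
        RulePublisherName   = $RulePublisherName
        ExactMatches        = $exact.Count
        CaseInsensitiveOnly = $loose.Count - $exact.Count
        InstalledPublishers = $installed
    }
}

# 4. Blocked packaged-app events with their UserData XML, the same detail the
#    answer read from the XML view in Event Viewer (hypothetical helper).
function Get-AppLockerAppxBlocks {
    param([int]$MaxEvents = 20)
    $logs = 'Microsoft-Windows-AppLocker/Packaged app-Deployment',
            'Microsoft-Windows-AppLocker/Packaged app-Execution'
    foreach ($log in $logs) {
        Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Where-Object { $_.LevelDisplayName -eq 'Error' } |
            ForEach-Object {
                $xml = [xml]$_.ToXml()
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Log         = $log
                    Id          = $_.Id
                    UserData    = $xml.Event.UserData.InnerXml
                }
            }
    }
}

# Usage: compare the two subjects from the question against what is installed,
# then list whatever AppLocker has blocked.
Test-PublisherRule 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
Test-PublisherRule 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
Get-AppLockerAppxBlocks | Format-List
```

Running step 1 on a machine before writing a rule tells you up front how many distinct publisher subjects you are dealing with, and step 4 gives you the blocked package's own publisher value to paste into the rule instead of guessing at the CN.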