While working on the environment I had to implement a simple logoff script (written in VBScript). You all know how it works: set up a policy, configure the script in the Logoff section of the policy (under User Configuration) and link it to the OU in which you want the logoff script to run. Now every time you log off, a popup appears: the AppLocker policy is preventing the script from executing. After troubleshooting I had to create three separate rules in AppLocker.

1: Allow the .vbs in the NETLOGON directory to run for all users

2: Allow wscript.exe in C:\Windows\System32 to run for all users

3: Allow the policy itself to run.

To explain nr 3: open GPMC, select the policy and look up its Unique ID in the Details pane. That ID is the name of the policy's own folder in SYSVOL, and you have to enter the full path to that folder in the AppLocker rule: \\domain.com\sysvol\domain.com\policies\{4A8D38C3-F917-4D50-B93A-0A2256C76388}\*


The quick and dirty way is to add \\domain.com\sysvol\domain.com\policies\* to the allow list; be aware that this allows scripts from every policy in the domain, not just this one. Note that you will run into two IDs for a policy: the Unique ID in the Details pane, and the ID in the path you see when you edit the policy, go to the Logoff section and choose 'Show Files' (the full string ending in a policy ID {string}). That second ID is not the one you want to use :)
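The same three rules as a PowerShell script, added here as an example (it is not code from the original post). It assumes the domain is domain.com, that the logoff script is stored in the NETLOGON share under the assumed name logoff.vbs, and reuses the GPO GUID shown above. It writes the rules as AppLocker policy XML, merges them into the local AppLocker policy for testing, checks the decision with Test-AppLockerPolicy, and finally reads the AppLocker event log, which records the exact path that was blocked and so tells you which policy folder the rule has to cover.

```powershell
# Added example, not from the original post. Assumptions: domain.com, logoff.vbs in
# NETLOGON, and the GPO GUID from the post. Run in an elevated PowerShell session.
$Domain     = 'domain.com'
$GpoGuid    = '{4A8D38C3-F917-4D50-B93A-0A2256C76388}'
$ScriptName = 'logoff.vbs'   # assumed name of the logoff script

# Rule 3 from the post: the GPO's own folder in SYSVOL. The commented-out line is the
# "quick and dirty" variant, which allows scripts from every policy in the domain.
$PolicyPath = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\*"
# $PolicyPath = "\\$Domain\SYSVOL\$Domain\Policies\*"

# Each AppLocker rule needs its own GUID as Id. S-1-1-0 is the SID of Everyone.
$IdExe = [guid]::NewGuid(); $IdNetlogon = [guid]::NewGuid(); $IdPolicy = [guid]::NewGuid()

# EnforcementMode="NotConfigured" leaves the existing enforcement setting untouched when merged.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <!-- Rule 2: wscript.exe, the interpreter Windows uses to run a .vbs logoff script -->
    <FilePathRule Id="$IdExe" Name="Allow wscript.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%SYSTEM32%\wscript.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured">
    <!-- Rule 1: the .vbs in the NETLOGON share -->
    <FilePathRule Id="$IdNetlogon" Name="Allow logoff script in NETLOGON" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="\\$Domain\NETLOGON\$ScriptName" /></Conditions>
    </FilePathRule>
    <!-- Rule 3: the policy folder in SYSVOL (Unique ID from the GPMC Details pane) -->
    <FilePathRule Id="$IdPolicy" Name="Allow GPO $GpoGuid scripts" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$PolicyPath" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$file = Join-Path $env:TEMP 'logoff-applocker-rules.xml'
$xml | Set-Content -Path $file -Encoding UTF8

# Merge into the local policy for testing. To write into the AppLocker GPO instead, use
# Set-AppLockerPolicy -XmlPolicy $file -Merge -Ldap "LDAP://<dc>/CN=<gpo guid>,CN=Policies,CN=System,DC=domain,DC=com"
Set-AppLockerPolicy -XmlPolicy $file -Merge

# Check what the merged rules decide for the script and its interpreter. Test-AppLockerPolicy
# reads the files, so run this from a machine that can reach the shares.
$targets = @("\\$Domain\NETLOGON\$ScriptName", "$env:SystemRoot\System32\wscript.exe")
Test-AppLockerPolicy -XmlPolicy $file -Path $targets -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# If the popup still appears, event 8007 in the AppLocker "MSI and Script" log carries the
# path that was actually blocked; that path is the one the rule must match.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.UserData.RuleAndFileData.FilePath }
```

Two things to keep in mind: `-Merge` adds these rules to whatever is already in the policy, which matters because an AppLocker rule collection that contains only these allow rules would, once enforced, block every other executable or script. And if your Exe collection already contains the default rule that allows everything under %WINDIR%, the wscript.exe rule is redundant but harmless.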

Hope this helps you if you are having trouble enabling a logon or logoff script with AppLocker enabled.