View Source

If you use AppLocker, ensure your environment trusts TrueDEM.

If a rule exists where a PublisherCondition is set and configured for the end user allowing all signed applications, no further action is needed (see box).

<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">

If you have individual policies in place, ensure that one is created for TrueDEM based on description below.

Configuration

As an AppLocker Administrator, make sure you have the TrueDEM Agent installed on the Device in which you configure the AppLocker Rule.

Open Group Policy Editor (gpedit.exe)
Open Windows Settings / Security Settings / Application Control Policies / AppLocker / Packaged app Rules
Right click - Create New Rule

Click on Select and search for OfficeExpert. Afterwards Select the Application and move the Slider to Publisher Level (trusting any Package Name and any Package Version from panagenda)

OfficeExpert > AppLocker - Allow Rule > image2025-7-4_8-20-33.png

If necessary, define Exceptions

Give the rule a propoer name and click on Create

OfficeExpert > AppLocker - Allow Rule > image2025-7-4_8-24-36.png

The new App Rule appears now in the list Packaged apps.

OfficeExpert > AppLocker - Allow Rule > image2025-7-4_8-26-29.png

Note: The Rule will not work because the Publisher String gets truncated by the MMC UI. Microsoft confirmed that this is currently a known issue if an app has a PublisherString of more than 260 characters.
Because of that you need to continue with the following steps.

Export the Applocker Policy/Policies
Right click on "AppLocker" and Select Export Policy. Enter a name for the XML file.

The Export contains all Policies you have configured. Look for the TrueDEM rule you created.
If you take a closer look, the PublisherName is truncated and that it ends with "Pr"

OfficeExpert > AppLocker - Allow Rule > image2025-9-25_10-22-4.png

Exchange the String with the following one and save the file.

E=office@panagenda.com, CN=panagenda GmbH, O=panagenda GmbH, STREET=Sonnenfelsgasse 13/9, L=Vienna, S=Vienna, C=AT, OID.1.3.6.1.4.1.311.60.2.1.1=Vienna, OID.1.3.6.1.4.1.311.60.2.1.2=Vienna, OID.1.3.6.1.4.1.311.60.2.1.3=AT, SERIALNUMBER=293516T, OID.2.5.4.15=Private Organization

Depending on how you test the configuration you can either Import this file (the same way you did with the Export) on your local Computer or you put the XML into your OMA-URI Settings configuration in Endpointmanager (former Intune)

OfficeExpert > AppLocker - Allow Rule > image2025-9-25_10-30-40.png

How you verify if the Rule is active on a Computer ?

Open Powershell and issue the following command

Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

OfficeExpert > AppLocker - Allow Rule > image2025-9-25_10-34-33.png

Check if you see the correct and complete PublisherCondition String