Deployment Of The AppX Package Was Blocked By The Policy

Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy:

  • Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
  • Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy.
  • Event ID 453: Package blocked by a platform policy.
  • Event ID 454: Package blocked by a platform policy.

Sigma rule

```yaml
title: Deployment Of The AppX Package Was Blocked By The Policy
id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
status: test
description: |
    Detects an appx package deployment that was blocked by the local computer policy.
    The following events indicate that an AppX package deployment was blocked by a policy:
    - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
    - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy.
    - Event ID 453: Package blocked by a platform policy.
    - Event ID 454: Package blocked by a platform policy.
references:
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-11
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID:
            - 441 # The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy
            - 442 # Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy
            - 453 # Package blocked by a platform policy
            - 454 # Package blocked by a platform policy
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application deployment. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
```
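The rule's logsource and selection carried out in code, as an added example that is not part of this page or of the Sigma project: it applies the channel and EventID checks to a few constructed event records and emits a medium-level alert for each hit. The channel name assumed for the `appxdeployment-server` logsource is an assumption, as is the flat dict shape of the event records.

```python
# Added example: evaluates this Sigma rule's logic against constructed Windows
# event records. Not the rule's own code. The channel mapping below is an
# assumption about how the appxdeployment-server logsource is resolved.
from typing import Iterable, List, Dict

# EventID -> reason, taken from the comments in the rule's selection block
BLOCKED_DEPLOYMENT_EVENT_IDS: Dict[int, str] = {
    441: 'blocked by the "Allow deployment operations in special profiles" policy',
    442: 'blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy',
    453: "blocked by a platform policy",
    454: "blocked by a platform policy",
}
# Assumed channel behind `service: appxdeployment-server`
APPX_CHANNEL = "Microsoft-Windows-AppXDeployment-Server/Operational"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies both the logsource and the selection."""
    if event.get("Channel") != APPX_CHANNEL:
        return False
    try:
        # EventID arrives as int or str depending on the log pipeline
        return int(event.get("EventID")) in BLOCKED_DEPLOYMENT_EVENT_IDS
    except (TypeError, ValueError):
        return False


def alerts(events: Iterable[dict]) -> List[dict]:
    """Return one compact alert (level: medium, as in the rule) per match."""
    out = []
    for ev in events:
        if matches_rule(ev):
            eid = int(ev["EventID"])
            out.append({"EventID": eid, "Computer": ev.get("Computer", "?"),
                        "reason": BLOCKED_DEPLOYMENT_EVENT_IDS[eid], "level": "medium"})
    return out


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Channel": APPX_CHANNEL, "EventID": 441, "Computer": "WS01"},
    {"Channel": APPX_CHANNEL, "EventID": 400, "Computer": "WS01"},  # unrelated AppX event
    {"Channel": "Security", "EventID": 453, "Computer": "WS02"},    # same ID, wrong channel
    {"Channel": APPX_CHANNEL, "EventID": "454", "Computer": "WS02"},  # string EventID
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```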
