One Day Sec

What is the recommended defense against using msxsl.exe to bypass AppLocker?

Administrators should create an AppLocker executable rule that explicitly denies or restricts msxsl.exe. Even if the binary’s path is changed, the rule will prevent it from running. This defense is demonstrated in the article and is part of a broader strategy of controlling all signed binaries that can execute scripts. For further reading, similar techniques are covered in "Use xwizard.exe to load dll" and "Use Logon Scripts to maintain persistence".
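
One way to build such a rule with the built-in AppLocker PowerShell cmdlets, added here as an example and not taken from the article. The sample path `C:\Tools\msxsl.exe`, the output file name and the rule name prefix are assumptions.

```powershell
# Assumed location of a reference copy of msxsl.exe (placeholder path).
$Sample    = 'C:\Tools\msxsl.exe'
$PolicyXml = Join-Path $env:TEMP 'deny-msxsl.xml'   # assumed output file

# Read publisher and hash details from the file itself.
$info = Get-AppLockerFileInformation -Path $Sample

# New-AppLockerPolicy only generates Allow rules, so generate one and flip it to Deny.
# Publisher is tried first with Hash as the fallback; neither condition depends on
# where the file is stored, so moving or copying the binary does not avoid the rule.
$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Deny msxsl' -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"'
Set-Content -Path $PolicyXml -Value $xml

# Dry run: confirm the generated policy denies the sample before applying it.
$check = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Sample -User Everyone
$check | Format-List FilePath, PolicyDecision, MatchingRule

if ($check.PolicyDecision -eq 'Denied') {
    # -Merge adds the rule to the existing local policy instead of replacing it.
    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
} else {
    Write-Warning "Policy was not applied: decision was $($check.PolicyDecision)"
}
```

The rule takes effect only where the Exe rule collection is enforced and the Application Identity service (AppIDSvc) is running.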
