Could you explain how to get started when a customer is coming from AppLocker and has a lot of 3rd-party apps deployed, where many are auto-updating?
- Jeffrey_Sutherland, Mar 16, 2026
Microsoft
The best way to get started on a migration from AppLocker to AppControl is to use the AppLocker policy converter and convert your AppLocker XML into AppControl XML. Note that there are some significant differences between the two that you will need to consider when reviewing your converted policy. The two main ones are:
1. AppLocker rules are scoped to a user or group by default. AppControl policies apply machine-wide and don't allow for reduced scoping based on user.
2. AppLocker signer rules don't actually chain up to the root certificate in the signature's certificate chain. AppControl, on the other hand, requires the complete chain. So, when we convert AppLocker rules, they end up chaining to our "Dummy Well-known root" for the certs that comprise the AuthRoot cert store. These are all of the cross-signed roots from certificate authorities which are members of Microsoft's Trusted Root Program.
Generally, the conversion works quite well and gets you most of the way. But you'll want to test your converted policy thoroughly before deploying to your endpoints.
Good luck on your migration!
Jeffrey
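
A pre-conversion review pass for the two differences listed in the answer, as an added example (not part of the original reply and not Microsoft's converter). The function name `Get-AppLockerMigrationReview` is hypothetical and the sample policy, including its SIDs and publisher, is constructed; on a real endpoint the XML would come from `Get-AppLockerPolicy -Effective -Xml`.

```powershell
# Constructed sample AppLocker export (placeholder IDs, SIDs and publisher).
$sampleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="11111111-1111-1111-1111-111111111111" Name="Contoso signed apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CONTOSO LTD, L=EXAMPLE, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Admins run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Block tools for one group" Description="" UserOrGroupSid="S-1-5-21-1111111111-2222222222-3333333333-1105" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Tools\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Get-AppLockerMigrationReview {
    param([Parameter(Mandatory)][string]$PolicyXml)
    $doc = [xml]$PolicyXml
    # Every AppLocker rule element carries a UserOrGroupSid attribute.
    foreach ($rule in $doc.SelectNodes('/AppLockerPolicy/RuleCollection/*[@UserOrGroupSid]')) {
        $notes = @()
        $sid = $rule.GetAttribute('UserOrGroupSid')
        # S-1-1-0 is Everyone; any other SID is scoping that a machine-wide policy cannot express.
        if ($sid -ne 'S-1-1-0') {
            $notes += "Scoped to $sid; the converted rule applies to every user on the machine"
        }
        # Publisher rules become signer rules that need a root in the converted policy.
        if ($rule.get_LocalName() -eq 'FilePublisherRule') {
            $notes += 'Publisher rule; check which root the converted signer rule chains to'
        }
        if ($notes.Count -gt 0) {
            [pscustomobject]@{
                Collection = $rule.ParentNode.GetAttribute('Type')
                Rule       = $rule.GetAttribute('Name')
                Action     = $rule.GetAttribute('Action')
                Review     = $notes -join '; '
            }
        }
    }
}

Get-AppLockerMigrationReview -PolicyXml $sampleXml | Format-List
```

Run against the sample, all three rules are listed: the publisher rule for its certificate chain, and the two path rules because their Administrators and per-group scoping disappears once the policy is machine-wide.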