Question
Friday, July 14, 2017 1:42 PM
Hi!
I am trying to use AppLocker through GPO on a Windows 10 Enterprise 1703 with Windows Server 2012 R2. I have created the AppLocker policies, set to audit mode or enforced mode. I also added the default executable rules and then a block rule for a specific path location for an application in Program Files.
When I start (manually or automatically on boot) the Application Identity service, everything starts being blocked. I see the blocking events in the Event Viewer for any application in any location being blocked, even though it is in Audit only mode. If I stop the Application Identity service, nothing changes... I need to reboot my computer (with the service set to manual only, because if it's in automatic mode, this just causes Windows to crash) to be able to do something... I tried to delete these registry keys before starting the service, and everything works until Computer group policies are applied (and this recreates these keys...): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe There are no bad entries or anything curious in there...
So, AppLocker blocks everything, without any reason... Can somebody help me with this problem? Is this an issue with Win10 1703? Thank you very much!
All replies (4)
Monday, July 17, 2017 11:11 PM ✅Answered
So, I've finally found what I've been doing wrong... I created the default packaged app rule in AppLocker and I enforced this rule... Everything is fine now! Well, I suppose that Windows 10 ModernUI Apps are packaged apps according to AppLocker and need to be authorized there.
Thank you for your help and for your time.
Monday, July 17, 2017 3:04 AM
Hi,
According to the following contents of the AppLocker documentation:
Each AppLocker rule can be configured to use either an allow or deny action:
Unlike many rule-based access control products, the ordering of AppLocker rules is not significant. “Deny” rules are always processed first, and so take precedence if a conflict occurs with an “Allow” rule. If a Subject / Object pair does not match any “Deny” rules, “Allow” rules are processed until a match is found, and then the action is allowed. If no “Allow” rules are matched, the action is denied. This is referred to as “default deny” mode and is the only mode that AppLocker can operate in – objects are implicitly denied unless explicitly allowed.
Your current problem is probably caused by an incorrect file path in the AppLocker policy settings. Please check it.
In addition, the Program Files path variable is %PROGRAMFILES%, but in the AppLocker policy, you should set its path to %PROGRAMFILES%\. Therefore, please check whether it is a path name problem.
Understanding AppLocker Rules
https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx
Regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
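The accepted answer and the default-deny behaviour quoted in this reply can be checked directly against a policy export. The following is an added example, not code from any poster in this thread: it summarizes each rule collection in an AppLocker policy XML and flags collections that are configured but contain no Allow rule. The function name `Get-AppLockerCollectionSummary`, the sample policy, and the premise that the packaged app (Appx) collection was configured without an allow rule are assumptions made for illustration.

```powershell
# Added example: per rule collection, count Allow/Deny rules and flag any
# collection that is configured but has no Allow rule (default deny applies).
function Get-AppLockerCollectionSummary {
    param([Parameter(Mandatory)][xml]$PolicyXml)

    foreach ($collection in $PolicyXml.AppLockerPolicy.RuleCollection) {
        # Rule elements are FilePathRule, FilePublisherRule and FileHashRule.
        $rules = @($collection.ChildNodes | Where-Object { $_.LocalName -like 'File*Rule' })
        $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })
        $deny  = @($rules | Where-Object { $_.Action -eq 'Deny' })
        $configured = $collection.EnforcementMode -in 'Enabled', 'AuditOnly'

        [pscustomobject]@{
            Collection      = $collection.Type
            EnforcementMode = $collection.EnforcementMode
            AllowRules      = $allow.Count
            DenyRules       = $deny.Count
            NoAllowRule     = ($configured -and $allow.Count -eq 0)
        }
    }
}

# Constructed sample policy (rule Ids are placeholders): three default-style Exe
# rules like those listed in the thread, plus an enforced Appx collection with no rules.
$sample = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="Enabled" />
</AppLockerPolicy>
'@

Get-AppLockerCollectionSummary -PolicyXml $sample | Format-Table -AutoSize

# On a live machine, feed the effective policy instead of the sample:
# Get-AppLockerCollectionSummary -PolicyXml ([xml](Get-AppLockerPolicy -Effective -Xml))
```

With the sample, the Exe row shows three Allow rules and the Appx row shows `NoAllowRule` as True, which is the state the default packaged app rule corrects.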
Monday, July 17, 2017 3:06 AM
Working with AppLocker policies
/en-us/windows/device-security/applocker/working-with-applocker-policies
Monday, July 17, 2017 6:16 PM
Hi Teemo,
Thank you very much for the details. I made a little mistake in my post. After verification, not everything is blocked by AppLocker but only Windows ModernUI Apps... without any apparent reason (I made my previous test with Calculator and Edge...). This causes Windows to crash sometimes; Cortana or the Start menu don't like that. I get these error messages in the event logs when I try to open one of them:
Event ID 5990: Activation via contract helper of the app Microsoft.WindowsCalculator_8wekyb3d8bbwe!App for the Windows.Launch contract failed with This program is blocked by group policy. For more information, contact your system administrator..
Event ID 5963: Activation of the app Microsoft.WindowsCalculator_8wekyb3d8bbwe!App for the Windows.Launch was blocked by policy. Contact your administrator for more information.
My Windows 10 Education 1703 is actually up-to-date (build 15063.483). I configured AppLocker locally with local GPO on a non-domain joined computer and I get the same error messages. I reinstalled Windows on another computer in another language, but, same problem. I didn't find any good solution for this problem. Default rules are present and unchanged:
Allow - Everyone - %PROGRAMFILES%\
Allow - Everyone - %WINDIR%\
Allow - BUILTIN\Administrators - *
I also tried to allow everyone to %PROGRAMFILES%\WindowsApps\...