Question
Tuesday, March 5, 2019 7:44 PM | 1 vote
Since updating some machines in our enterprise to Windows 10 1809, AppLocker's default rule for Packaged App Execution is randomly blocking Calculator intermittently. We only have the default rule for Packaged App Execution being enforced, which allows all signed packaged apps to run, yet if I view the event log for AppLocker when the problem occurs, the event id that is logged clearly indicates AppLocker is not working properly. Instead of being filled out with details about the app, everything is blank. The RuleID is a series of zeros, the RuleName is blank, and on the general screen where the name of the app should be listed, it just says (blank) " was prevented from running" without the app name. The strangest thing about the issue is that if the user waits and tries again later, it will start working again - without even rebooting or logging off. Looking at event logs, it is probably working 99% of the time, it just randomly does this 1% of the time then returns to normal.
It does not appear to affect any other app except Calculator that I have seen, although we do not use many UWP apps. We do not have any issues with any other AppLocker rules for executables, etc., just Calculator, and only since installing 1809. I have cleared the AppLocker policy and re-applied the default rule and that had no effect on the problem. We have multiple machines exhibiting this issue so I believe this may be a bug.
Here is a sample of the event id 8022 that is generated during this issue:
General:
" was prevented from running."
PolicyNameLength 4
PolicyName APPX
RuleId {00000000-0000-0000-0000-000000000000}
RuleNameLength 1
RuleName -
RuleSddlLength 1
RuleSddl -
TargetUser (User SID Redacted)
TargetProcessId 12460
PackageLength 0
Package
FqbnLength 1
Fqbn -
And here is a sample 8020 for Calculator when it was allowed to run from the very same machine.
General:
"MICROSOFT.WINDOWSCALCULATOR was allowed to run."
PolicyNameLength 4
PolicyName APPX
RuleId {0ff4dd23-7c87-489b-a3b8-cb2b35e5eadf}
RuleNameLength 24
RuleName All signed packaged apps
RuleSddlLength 81
RuleSddl D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({"*\\",0}))))
TargetUser (User SID Redacted)
TargetProcessId 6624
PackageLength 27
Package MICROSOFT.WINDOWSCALCULATOR
FqbnLength 129
Fqbn CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT.WINDOWSCALCULATOR\APPX\10.1811.3241.00
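The following triage sketch is an added example, not part of the original post. It separates 8022 denials whose Package and Fqbn fields are blank, as in the first sample above, from denials that name a package, so the intermittent cases can be counted and timestamped. It assumes the events were exported as XML; the RuleAndFileData wrapper element, the timestamps and the CONTOSO entry are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def _event(eid, when, pid, package, fqbn):
    # Constructed event; the RuleAndFileData wrapper name is an assumption.
    return (f'<Event xmlns="{NS}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><UserData><RuleAndFileData>'
            f'<PolicyName>APPX</PolicyName><TargetProcessId>{pid}</TargetProcessId>'
            f'<Package>{package}</Package><Fqbn>{fqbn}</Fqbn>'
            f'</RuleAndFileData></UserData></Event>')

# Constructed sample: timestamps and the CONTOSO entry are hypothetical;
# the Calculator values and process ids come from the events in the question.
SAMPLE = "<Events>" + "".join([
    _event(8022, "2019-03-05T15:02:11Z", 12460, "", "-"),
    _event(8020, "2019-03-05T15:09:40Z", 6624, "MICROSOFT.WINDOWSCALCULATOR",
           r"CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, "
           r"S=WASHINGTON, C=US\MICROSOFT.WINDOWSCALCULATOR\APPX\10.1811.3241.00"),
    _event(8022, "2019-03-05T16:30:00Z", 7001, "CONTOSO.EXAMPLEAPP",
           r"CN=CONTOSO\CONTOSO.EXAMPLEAPP\APPX\1.0.0.0"),
]) + "</Events>"

def parse_events(xml_text):
    """Flatten each <Event> into a dict of leaf element name -> text."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS}}}Event"):
        rec = {e.tag.rsplit("}", 1)[-1]: (e.text or "").strip()
               for e in ev.iter() if len(e) == 0}
        rec["Time"] = ev.find(f"{{{NS}}}System/{{{NS}}}TimeCreated").get("SystemTime")
        events.append(rec)
    return events

def classify(rec):
    if rec["EventID"] == "8020":
        return "allowed"
    if rec["EventID"] == "8022":
        # Heuristic from the question's sample: no package name and Fqbn "-".
        blank = rec.get("Package", "") == "" and rec.get("Fqbn", "-") in ("", "-")
        return "denied-blank" if blank else "denied-named"
    return "other"

def summarize(xml_text):
    """Return per-class counts and (time, pid) for every blank-field denial."""
    counts, blanks = {}, []
    for rec in parse_events(xml_text):
        kind = classify(rec)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "denied-blank":
            blanks.append((rec["Time"], rec["TargetProcessId"]))
    return counts, blanks

if __name__ == "__main__":
    print(summarize(SAMPLE))
```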
All replies (6)
Wednesday, March 6, 2019 6:20 AM
Check out this policy: Computer Configuration>Policies>Administrative Templates>Windows Components/Store> "Disable all apps from Windows Store".
Make sure this GPO is Not Configured.
Try to create the default packaged app rule in AppLocker and enforce this rule. It seems that Windows 10 Modern Apps are packaged apps according to AppLocker and need to be authorized. Calculator has been a modern app since 1607.
Regards
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, March 6, 2019 2:31 PM
We do not have that policy configured. I have already recreated the default rules.
Tuesday, April 9, 2019 8:11 AM
Would you mind letting me know of any update on the problem? If you need further assistance, feel free to let me know.
Friday, April 12, 2019 2:15 PM
Unfortunately we are still seeing this issue intermittently. Again, 99% of the time it works fine, but at random times a user will have the problem, then it will go away on its own sometime after.
Here is another example event that happened yesterday:
in "PackagedApp-Execution" : Event ID 8022
General:
" was prevented from running."
Monday, April 15, 2019 7:34 PM
Just to add a little more detail, I also noticed that when the issue occurred, another event is generated in the System log as well:
Event ID 10001: DistributedCOM
Unable to start a DCOM Server: Microsoft.WindowsCalculator_10.1811.3241.0_x64__8wekyb3d8bbwe!App as Unavailable/Unavailable. The error:
"0"
Happened while starting this command:
"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1811.3241.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh4qp4e79f1j7am68r8.mca
Wednesday, April 17, 2019 5:04 PM
I too am experiencing this issue.
@Teemo Tang, how do you recommend we progress this issue to a solution?