AppLocker - Packaged apps rules do not work. Is it because of the conjunction of Win Server 2012 with Win 8 Pro?

    Question

  • Hello

    After about two days of struggle I give up!

    I set up a home laboratory: a Win8 Pro host and a Win Server 2012 guest running on VMware.

    After yesterday's successful sideloading implementation I proceeded to make use of AppLocker in order to block the previously installed MySample.appx app for domain users.

    Unfortunately it does not work; after logging in as a domain user on the host system (Win8 Pro) I can freely run the MySample.appx app.

    Until now I was thinking that having Windows Server 2012 with the workstation joined to the domain solves all problems, but now I do not know what to think about it.

    The question is, do I need Win 8 Enterprise as my workstation OS to perform successful blocking?

    Enlighten me please

    ---------------------------------------------------

    Steps taken:

    • created a new GPO rule via gpmc.msc (not in domain controller)
    • turned on the Application Identity service
    • created a rule which should block the shared MySample.appx from running for domain users
    • after logging in as a domain user on the workstation I ran gpupdate /force
    • unfortunately I can still run the MySample.appx app :(

    -------------------------------------------------------

    I have to mention that I encountered problems with the MySample.appx installation through sideloading.

    Even with elevated permissions I could not install MySample.appx through PowerShell commands (Import-Module Appx, Add-AppxPackage Path); it always ended with Access Denied.

    The one and only way to install MySample.appx from \Domain\Share\MySampleDirectory was to right-click on the appx script and run it in PowerShell.

    --------------------------------------------------------

    I have noticed as well that I could not install the MySample.appx app on the server because of the AppLocker rule.

    After the abolition of this rule I was able to install it on my server.

    I do not understand what is going on.

    I am tired as hell, sorry for possible typos and thanks for the help!

    • Edited by rozowykubek Monday, August 19, 2013 8:00 PM
    Monday, August 19, 2013 4:46 PM

Answers

  • Hi,

    Thanks for your problem.

    It seems like the GPO didn't apply. What's the output of gpresult?

    When a computer running Windows Server 2012 or Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any Packaged app. This might be contrary to your design.

    To prevent all Packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all Packaged apps on a computer running Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the Exe rule collection. You must take explicit action to allow Packaged apps in your enterprise. You can allow only a select set of Packaged apps. Or if you want to allow all Packaged apps, you can create a default rule for the Packaged apps collection.

    For more detailed information, please refer to:

    Manage Packaged Apps with AppLocker

    http://technet.microsoft.com/de-de/library/jj161142.aspx

    Regards.


    Vivian Wang
    TechNet Community Support

    Wednesday, August 21, 2013 2:44 AM
    Moderator
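
The checks discussed in this thread can be run on the Windows 8 workstation itself, as in the following added example (not part of the original posts or of Microsoft's documentation). The package filter `*MySample*` and the user name `DOMAIN\someuser` are placeholders to replace with your own values.

```powershell
# Added diagnostic example. Run in an elevated PowerShell session on the workstation.
$PackageFilter = '*MySample*'        # assumption: installed package name contains "MySample"
$TestUser      = 'DOMAIN\someuser'   # placeholder: the domain user the rule should block

# 1. AppLocker rules are only evaluated while the Application Identity
#    service is running on the machine where the app is launched.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status)"

# 2. Read the policy this machine actually merged from local and domain GPOs.
$xmlText = Get-AppLockerPolicy -Effective -Xml
[xml]$policy = $xmlText
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    "{0,-7} enforcement={1,-13} rules={2}" -f $rc.Type, $rc.EnforcementMode, $rc.ChildNodes.Count
}

# 3. Inspect the Packaged app (Appx) collection: it must be present and
#    set to Enabled, otherwise a Deny rule in it blocks nothing.
$appx = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if (-not $appx) {
    Write-Warning 'No Appx rule collection reached this machine; review gpresult output.'
} else {
    if ($appx.EnforcementMode -ne 'Enabled') {
        Write-Warning "Appx collection is '$($appx.EnforcementMode)', so rules are not enforced."
    }
    foreach ($rule in $appx.FilePublisherRule) {
        $c = $rule.Conditions.FilePublisherCondition
        "{0,-5} {1} sid={2} publisher={3} package={4}" -f `
            $rule.Action, $rule.Name, $rule.UserOrGroupSid, $c.PublisherName, $c.ProductName
    }
}

# 4. Ask AppLocker how it would decide for the installed package and user.
#    Test-AppLockerPolicy takes the policy as an XML file when testing packages.
$tmp = Join-Path $env:TEMP 'effective-applocker.xml'
Set-Content -Path $tmp -Value $xmlText -Encoding UTF8
Get-AppxPackage -Name $PackageFilter |
    Test-AppLockerPolicy -XmlPolicy $tmp -User $TestUser |
    Format-List FilePath, PolicyDecision, MatchingRule

# 5. Recent allow/deny decisions recorded for packaged apps, if any.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap
```

A `PolicyDecision` of `Denied` together with a running `AppIDSvc` and an `Enabled` Appx collection means the policy reached the workstation; `AllowedByDefault` or a missing collection points back at GPO application, which is what the `gpresult` question above is probing.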