Applocker blocks associated Office applications when opening Outlook attachment

  • Question

  • I have sequenced Office 2010 with package root Q:\OFFICE.TMP and published in App-v Management Server with AD group "Office Users" having full access to this package.

    I have created Applocker EXE rule with AD group "Office Users" being able to run Q:\OFFICE.TMP\*

    A user who is member of AD group "Office Users" can run all apps from Office package fine, either from start menu or by association.

    But when user tries to open Outlook email attachment containing docx, xlsx, pptx or other file directly from Outlook, applocker blocks Excel, Word, or another corresponding program from Office package.

    Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
    Source:        Microsoft-Windows-AppLocker
    Date:          5/31/2011 8:18:15 PM
    Event ID:      8004
    Task Category: None
    Level:         Error
    Keywords:     
    User:          DOMAIN\User
    Computer:      SERVER1.DOMAIN.COM
    Description:
    Q:\OFFICE.TMP\OFFICE\OFFICE14\EXCEL.EXE was prevented from running.

    Does anyone have any idea why?

    My Applocker configuration doesn't have Deny rules, only Allow with exceptions. All default rules are created.

    I tried to modify Applocker rule and allow to run everything from Q:\OFFICE.TMP\* to Everyone group, then it works fine. Could this mean that App-V executes Excel call from Outlook under some other credentials (like SYSTEM)?

    This affects only programs from Office package. For example attachment with pdf file opens fine in Acrobat Reader, which is sequenced in another package.






    Tuesday, May 31, 2011 6:14 PM

All replies

  • Like always, as soon as you post a question in forum, you find answer yourself :)

    Looks like this has nothing to do with App-V and the problem is caused by Protected View in Word, Excel, PowerPoint. When an attachment is opened directly from Outlook, by default Word, Excel and PowerPoint open in Protected View mode. And Applocker blocks executables when they open in Protected View, unless there is a rule allowing the Everyone group to run executables from the Office installation folder.

    Now to find out how to configure Applocker without allowing Everyone group to run Office apps and keep Protected View feature.

     


    Wednesday, June 1, 2011 5:56 AM
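
The check described in the question and answer above, as an added example that is not part of the original thread: it lists the account recorded on each AppLocker 8004 event and asks the effective policy what it decides for the named user versus Everyone. The path and `DOMAIN\User` are the values from the question; it assumes the AppLocker module is available and that the path resolves on the machine where it runs.

```powershell
# Added example, not from the thread. Path and account come from the question;
# replace them with your own values.
Import-Module AppLocker

$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$exePath = 'Q:\OFFICE.TMP\OFFICE\OFFICE14\EXCEL.EXE'

# 1. Recent "was prevented from running" events (ID 8004) and the account
#    stored in each event header.
$blocked = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8004 } `
                        -MaxEvents 50 -ErrorAction SilentlyContinue

$report = foreach ($evt in $blocked) {
    $account = '<none recorded>'
    if ($evt.UserId) {
        try {
            # Resolve the SID to DOMAIN\name where possible.
            $account = $evt.UserId.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            # Unresolvable SID: show it raw so it can still be compared.
            $account = $evt.UserId.Value
        }
    }
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        Account = $account
        Message = $evt.Message
    }
}
$report | Format-Table -AutoSize -Wrap

# 2. What the effective policy decides for the same file, per principal.
#    A difference between the two rows points at rule scoping (the
#    "Everyone" workaround in the thread) rather than at the file itself.
$policy = Get-AppLockerPolicy -Effective
foreach ($principal in 'DOMAIN\User', 'Everyone') {
    Test-AppLockerPolicy -PolicyObject $policy -Path $exePath -User $principal |
        Select-Object @{ Name = 'TestedAs'; Expression = { $principal } },
                      FilePath, PolicyDecision, MatchingRule
}
```

Test-AppLockerPolicy evaluates the rules for the named account, so a result of Allowed for the user alongside 8004 events for the same file is itself a sign that the blocked process did not run with that user's normal token.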
  • I had the same issue but *only* with Office 2010 SP1 and it was not virtualized. What's worse is the system reported no Applocker events. I put a test machine in an OU with no policies applied and protected view worked. At that point I started linking policies one by one until it stopped working. It ended up pointing me to our Applocker policy which is when I found this post. For me, I created an Applocker Path rule for office 14 for the Everyone group as stated above and protected view started working again. Remember this was only when SP1 was applied to Office 2010. If SP1 was removed, protected view started working. I think changing the MSFT Publisher rule to Everyone would also achieve the same result and skip the new path rule. (unless for some reason the protected view exe (if there is such a thing) is not signed by MSFT but I would expect applocker event logs if that were the case). I expected applocker logs regardless and they just weren't there.

    In my research I found the only difference between Authenticated Users and Everyone is the guest account (which is disabled anyway) so this resolution is quite mysterious.

    Now for the 64 thousand dollar question. Why is it that Authenticated Users works for every other applocker rule except for this one?

    I think SP1 is definitely to blame but only with regards to Applocker and rule scoping. I hope MS looks into this.

    Let me know if anyone has any questions.

    Thanks.

    Friday, August 12, 2011 7:43 PM
  • See this KB article and hotfix: http://support.microsoft.com/kb/2568041/

    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    • Proposed as answer by znack Thursday, May 3, 2012 11:43 AM
    • Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:06 PM
    Friday, August 12, 2011 10:35 PM
    Moderator
  • Hi,

    I have come across exactly the same issue. Authenticated users are given access to all Microsoft certified applications through AppLocker policies, but the preview panes within Office Outlook 2010 (SP1) are blocked unless I create and apply a specific policy allowing 'Everyone' access to Microsoft Office certified by Microsoft. I've applied the above hotfix (KB2568041) to my Win7SP1 (x64) machine, then removed the 'Everyone' policy but this made no difference - it was still disallowed.

    Any further help or links to a known issue or bug would be useful.

    Thanks.

    • Proposed as answer by znack Thursday, May 3, 2012 11:43 AM
    • Unproposed as answer by Aaron.ParkerModerator Thursday, May 3, 2012 7:35 PM
    Tuesday, May 1, 2012 12:15 PM
  • Hi,

    Same problem over here. Proposed hotfix doesn't fix it.

    We have a Citrix XenApp 6.5 environment and this behavior happens on a Published Desktop.

    But when we launch Outlook as a Published application, it works fine!

    Update: After contact with MS Support and installing http://support.microsoft.com/kb/2532445 the issue was solved!


    • Edited by PatrickB77 Thursday, May 10, 2012 1:42 PM Issue solved
    • Proposed as answer by PatrickB77 Thursday, May 10, 2012 1:42 PM
    • Marked as answer by Aaron.ParkerModerator Friday, November 16, 2012 11:06 PM
    Monday, May 7, 2012 3:00 PM