AppLocker not blocking denied programs

    Question

  • I set up a small virtual lab with a domain controller with Windows Server 2012 and a client with Windows 7 that I joined to the domain. My objective is to block with AppLocker some application that comes from a specific publisher.

    I created a group policy with some rules in the "Executable Rules". I added the default rules and then I denied running C:\Windows\System32\Notepad by path and also by publisher; I also denied another program by publisher.

    Also, in the same GPO I enabled the Application Identity Service and I set it to automatic start.

    On the client computer I checked that the policy is being applied. With PowerShell I also followed the instructions found here, Test an AppLocker Policy by Using Test-AppLockerPolicy, and the results show that the programs should be blocked.

    Here is the XML obtained with the Get-AppLockerPolicy -Effective -XML command: effective.xml.

    And these are the two CSV files obtained with the Test-AppLockerPolicy command: testapplocker.csv, testapplocker2.csv.

    It seems that both Notepad.exe and MSIPackageBuilderEnterprise.exe should be blocked, but nonetheless they are not.

    I need your help to understand why it is not working.

    PS: this is my second try; the first one was in our production Active Directory domain, but it didn't work anyway.

    Wednesday, March 8, 2017 11:20 AM

Answers

  • > I am using Windows 7/10 Professional. Have I to use Windows 7/10 Enterprise/Ultimate?
     
    Yes. AppLocker is not available in home user SKUs...
     
    Thursday, March 9, 2017 11:30 AM

All replies

  • Did you link the group policy object to an OU that has clients for testing? Is the Application Identity service running on the clients? What does AppLocker's event log (Applications and Services Logs -> Microsoft -> AppLocker) tell you?
    Wednesday, March 8, 2017 4:11 PM
  • I have published a simple troubleshooter diagram at http://www.grouppolicy.biz/2013/04/how-to-troubleshoot-applocker/; this will help you figure out most configuration issues with AppLocker.

    Hope it helps


    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    Wednesday, March 8, 2017 11:42 PM
  • > Did you link the group policy object to an OU that has clients for testing? Is the Application Identity service running on the clients? What does AppLocker's event log (Applications and Services Logs -> Microsoft -> AppLocker) tell you?

    I linked the GPO to the OU, yes the Application Identity service is running.

    The event viewer shows these warnings:

    appidsvc.dll: AppLocker component not available on this SKU.

    Thursday, March 9, 2017 8:14 AM
  • > I have published a simple troubleshooter diagram at http://www.grouppolicy.biz/2013/04/how-to-troubleshoot-applocker/; this will help you figure out most configuration issues with AppLocker.
    >
    > Hope it helps
    >
    > Alan Burchill (MVP)
    > http://www.grouppolicy.biz
    >
    > @alanburchill

    I am using Windows 7/10 Professional. Have I to use Windows 7/10 Enterprise/Ultimate?

    Thursday, March 9, 2017 8:16 AM
  • > > I am using Windows 7/10 Professional. Have I to use Windows 7/10 Enterprise/Ultimate?
    >
    > Yes. AppLocker is not available in home user SKUs...

    Ok, thank you. Can you recommend to me some third-party software that has the same functionality?
    Thursday, March 9, 2017 11:59 AM
  • > Ok, thank you. Can you recommend to me some third-party software that has the same functionality?
     
    AppSense afair. Or you can try Software Restriction Policies (predecessor of AppLocker, available in all Windows versions).
     
    Thursday, March 9, 2017 12:38 PM
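
The checks raised in this thread (edition, Application Identity service, effective policy, simulated decision, AppLocker event log), gathered into one script as an added example that is not part of the original thread. `$TestPath` and `$TestUser` are illustrative values, and the SKU check only matches the warning text quoted in the thread; run it in an elevated Windows PowerShell session on the client.

```powershell
# Added example: AppLocker enforcement checks for one client.
# $TestPath and $TestUser are illustrative; set them to the program and account under test.
Import-Module AppLocker
$TestPath = 'C:\Windows\System32\notepad.exe'
$TestUser = 'Everyone'

# 1. Edition: the thread's root cause was an edition without AppLocker enforcement.
#    Get-WmiObject is used so the script also runs on the PowerShell shipped with Windows 7.
$os = Get-WmiObject -Class Win32_OperatingSystem
"Edition: {0} (SKU id {1})" -f $os.Caption, $os.OperatingSystemSKU

# 2. The Application Identity service (AppIDSvc) must be running for rules to be evaluated.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: {0}" -f $svc.Status

# 3. Effective policy: list each rule collection with its enforcement mode and rule count.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection | Where-Object { $_ } | ForEach-Object {
    $ruleCount = @($_.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
    "Collection {0}: mode={1}, rules={2}" -f $_.Type, $_.EnforcementMode, $ruleCount
}

# 4. What the policy says should happen. This is a simulation of the rules only;
#    a "Denied" result here does not prove that the client enforces anything.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $TestPath -User $TestUser |
    Format-List FilePath, PolicyDecision, MatchingRule

# 5. AppLocker event channels: surface the SKU warning quoted in the thread,
#    then show the most recent events from each channel.
$logs = Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' -ErrorAction SilentlyContinue
foreach ($log in $logs) {
    $events = Get-WinEvent -LogName $log.LogName -MaxEvents 200 -ErrorAction SilentlyContinue
    $skuHits = @($events | Where-Object { $_.Message -like '*not available on this SKU*' })
    if ($skuHits.Count -gt 0) {
        "[{0}] {1} SKU warning(s): enforcement is unavailable on this edition" -f $log.LogName, $skuHits.Count
    }
    $events | Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message | Format-List
}
```

A "Denied" decision in step 4 together with an SKU warning in step 5 reproduces the situation in this thread: the policy is delivered and evaluates correctly, but the client edition does not enforce it.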