AppLocker not working

    Question

  • Hi there, I am creating my first user lock-down policy for Windows 10 clients in a test lab. I must say I'm finding Windows 10 terrible to secure, with the Metro apps and search functions acting like a Run command.

    So far my policy has worked for my standard lockdowns (Control Panel, Run etc.), but now I'm trying to block the Windows Store apps (the Store policy has worked, despite it being Windows 10 Pro). I have attempted to do this through AppLocker by blocking Candy Crush etc., which hasn't worked, despite the policy applying. In addition I've tried to block Command Prompt, MMC and mstsc, which also has not worked.

    I have been having issues with the policy applying at all. While I now have some applied, it hasn't been refreshing with gpupdate /force: while it states it's applied successfully, it actually hasn't. I don't know if Fast Boot is to blame, so I disabled it and enabled a 60-second wait time as the system boots for Group Policy sync.

    I'm really stuck. When I did Server 2008 and Windows 7, Group Policy was instant and just seemed to work, yet Server 2012 R2, Windows 10 and check clients seem to just be working horribly; I've never had as many issues with Group Policy before.

    Generally, should you be doing a gpupdate /force on a DC prior to a client as well? I might be a bit rusty on that front.

    Thanks :-)

    Thursday, June 30, 2016 10:54 AM

All replies

  • First, you probably want to enable the following GP setting:

    Computer Configuration\Policies\Admin Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences. This will turn off those links in the Start menu to things like Candy Crush.

    Back to your problem though. If you run a gpresult /h report.htm command, do you see the policies being applied in the report.htm file?

    If my answer helped you, check out my blog: Deploy Happiness

    Thursday, June 30, 2016 11:16 AM
  • Indeed I do, hence why I'm so puzzled.
    Thursday, June 30, 2016 12:41 PM
  • > In addition I've tried to block command prompt, mmc and mstsc which also
    > has not worked.
     
    So an RSoP report shows your GPOs are applied, and it also shows the
    AppLocker rules? The Application Identity service is set to "automatic"
    and running?
     
    Any errors in the group policy eventlog? Any helpful entries in the
    AppLocker eventlogs?
     
    --
    Greetings/Grüße, Martin
    Fancy reading a good book about GPOs?
    Good or bad GPOs? My blog - http://evilgpo.blogspot.com
    And if IT bothers me? Coke bottle design refreshment
     
    Thursday, June 30, 2016 1:44 PM
  • In Windows 10 (1607) the Application Identity service is a manually triggered service and cannot be set to automatic start; it doesn't let you.

    Initially, when I was testing this policy, I thought the policy was not applying the settings correctly, but then realized that I had not changed the rules from the default of audit mode to enforced mode. Once I changed the packaged app rules to enforced, it started blocking them.

    You can set this by highlighting AppLocker in the policy and clicking the 'Configure rule enforcement' link in the right pane.

    Friday, November 04, 2016 7:23 PM
  • That is NOT true!

    Elevated Command Prompt

    sc config appidsvc start=auto
    as per this
    Wednesday, June 28, 2017 10:27 AM
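    The three replies above (Martin's questions about the Application Identity service and the AppLocker event logs, the note that rules default to audit mode, and the sc config workaround) add up to a short checklist. The script below is an added example, not code from any poster on this thread, that runs that checklist on a Windows 10 client from an elevated PowerShell session. It assumes the AppLocker module (Get-AppLockerPolicy, Test-AppLockerPolicy) is present, Windows PowerShell 5.x (for the StartType property on Get-Service output), and that the earlier reply's "Turn off Microsoft consumer experiences" setting maps to the DisableWindowsConsumerFeatures registry value; the file names cmd.exe, mmc.exe and mstsc.exe are the ones the original question mentions.

```powershell
# Added example: AppLocker "applied but not blocking" checklist for a Windows 10 client.
# Run elevated, after gpupdate /force. Not code from the original thread.

# 1. Did "Turn off Microsoft consumer experiences" actually land on this machine?
#    (Assumption: the policy writes DisableWindowsConsumerFeatures under CloudContent.)
$cc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent' -ErrorAction SilentlyContinue
if ($cc.DisableWindowsConsumerFeatures -eq 1) {
    'Consumer experiences: OFF (policy value present)'
} else {
    'Consumer experiences: policy value NOT present - compare with gpresult /h report.htm'
}

# 2. Application Identity service: nothing is enforced unless this is running.
$svc = Get-Service -Name AppIDSvc
"AppIDSvc status: $($svc.Status), start type: $($svc.StartType)"
if ($svc.StartType -ne 'Automatic') {
    # Set-Service refuses this on 1607+ (protected service); sc.exe still works.
    # sc.exe requires the space after 'start='.
    & sc.exe config appidsvc start= auto | Out-Null
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# 3. Effective (merged) policy: per collection, "AuditOnly" logs but never blocks,
#    "NotConfigured" means the rules exist but are not enforced at all.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode |
    Format-Table -AutoSize

# 4. Dry run: what would the effective policy decide for the binaries the question
#    wants blocked, evaluated as a standard (non-admin) user?
$targets = 'cmd.exe', 'mmc.exe', 'mstsc.exe' |
    ForEach-Object { Join-Path -Path $env:SystemRoot -ChildPath "System32\$_" }
$policy | Test-AppLockerPolicy -Path $targets -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 5. What AppLocker has actually done. EXE and DLL log: 8004 = blocked,
#    8003 = audit-only "would have been blocked". Packaged app execution log:
#    8022 = blocked, 8021 = audit-only. Seeing only 800x-audit IDs confirms the
#    collection is still in audit mode even though the GPO applied.
$exeFilter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 }
Get-WinEvent -FilterHashtable $exeFilter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

$pkgFilter = @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8021, 8022 }
Get-WinEvent -FilterHashtable $pkgFilter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

    Step 3 is the one that answers this thread: a collection showing EnforcementMode "AuditOnly" produces the exact symptom described (GPO reported as applied, nothing blocked, audit events in the log). Step 4 lets you confirm a fix without logging on as the restricted user, and Test-AppLockerPolicy against the effective policy also catches the case where a higher-precedence GPO is silently overriding your rules.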
  • It seems the last two are both required: enforcing the policy AND enabling the service. That being said, I've been screwing around with this crap system for hours and still haven't had success. One of these denied packaged app rules breaks the Start menu for me, either causing it not to open when you click on it, or it's frozen when you open it and you can't click anything.

    Why does M$ make it SO DIFFICULT for sysadmins to manage how they want their company computers configured?!?!!? Do they hate us? Do they hate our money? I swear, if there was a true, full-featured Linux-based alternative to AD and GPOs, I'd drop M$ faster than you can scratch your own butt. Managing policies is getting more and more difficult with each Windows OS. I want to like Windows 10, I really, really do... but it is the enemy of sysadmins and power users.

    Friday, August 18, 2017 10:19 PM