AppLocker Group Policy blocking non-blocked programs on Windows Server 2012 & R2 servers

    Question

  • Hi,

    I created an AppLocker policy for blocking the Chrome and Firefox browsers on Windows servers. This policy is working perfectly on Windows Server 2008 R2 & 2008 and is also working on Windows 7 clients. But on Windows Server 2012 & 2012 R2 servers it is blocking non-blocked programs like SSMS.exe and Adobe Reader.

    Any ideas? Please help.

    Regards,

    Arun C


    Thursday, August 4, 2016 9:34 AM

Answers

  • > I created Applocker for Blocking chrome and firefox browsers in windows
    > servers.
     
    Hm - by default, Applocker does not "block specific programs", but it
    blocks ALL programs. You need to explicitly allow exceptions.
     
    Check the applocker eventlog for information and verify your exception
    rules against blocked programs.
     
    Thursday, August 4, 2016 2:01 PM
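The check Martin describes, as an added PowerShell example that is not part of the thread: read the AppLocker "EXE and DLL" log for blocked-executable events, export the effective policy, and run the programs that should have been allowed through Test-AppLockerPolicy. The executable paths and the CONTOSO\arun account are assumptions for the example; take the real ones from the event messages on the affected server.

```powershell
# Added example (not from the thread): find what AppLocker actually blocked on a
# Windows Server 2012 / 2012 R2 host and check those files against the effective policy.
# Run in an elevated PowerShell session on the affected server.
Import-Module AppLocker

# 1. Blocked executables are logged as event ID 8004 in the EXE and DLL channel
#    (8003 = would have been blocked in audit-only mode, 8002 = allowed).
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8004
} -MaxEvents 50 -ErrorAction SilentlyContinue

$blocked |
    Select-Object TimeCreated, Id,
        @{ Name = 'User';    Expression = { $_.UserId } },
        @{ Name = 'Message'; Expression = { $_.Message } } |
    Format-Table -AutoSize -Wrap

# 2. Dump the effective (merged local + GPO) policy so the rule collections can be read.
$effectivePath = "$env:TEMP\AppLocker-Effective.xml"
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effectivePath -Encoding UTF8

# 3. Test the programs the poster expected to run against that policy. The paths are
#    assumptions for this example; take the real ones from the 8004 event messages.
$candidates = @(
    'C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe',
    'C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe',
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
) | Where-Object { Test-Path $_ }

# -User evaluates the rules as the account that reported the problem (assumed name),
# not as the administrator running this script.
Test-AppLockerPolicy -XmlPolicy $effectivePath -Path $candidates -User 'CONTOSO\arun' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The MatchingRule column is the useful part: if SSMS.exe shows PolicyDecision Denied with no matching allow rule, the collection has no rule covering it, which is the "block everything not explicitly allowed" behaviour Martin refers to rather than a deny rule aimed at it.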
  • Hi Arun,
    As Martin said, when an AppLocker rule for a specific rule collection is created, only the files explicitly allowed in a rule are permitted to run. A rule can be configured to use either an allow or a deny action. We can use a combination of allow actions and deny actions. However, it is recommended that we use allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented.

    If you join a computer running Windows Server 2012 or Windows 8 to a domain that already enforces AppLocker rules for Executables, users will not be able to run any packaged apps unless you also create rules for packaged apps. If you want to allow any packaged apps in your environment while continuing to control Executables, you should create the default rules for packaged apps and set the enforcement mode to Audit-only for the packaged apps rule collection.
    Please see details from:
    Working with AppLocker Rules
    http://technet.microsoft.com/en-us/library/hh994621.aspx
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, August 5, 2016 8:15 AM
    Moderator
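A policy laid out the way Wendy recommends, as an added PowerShell example that is not from the thread or from Microsoft: the Exe collection uses allow rules with the two browsers as exceptions instead of standalone deny rules, and the Appx collection carries the default packaged-app rule in audit-only mode. The policy is dry-run with Test-AppLockerPolicy before anything is applied. The rule GUIDs, the browser and SSMS paths, and the GPO LDAP path are assumptions for the example.

```powershell
# Added example (not from the thread): an AppLocker policy that follows Wendy's advice.
# Exe collection: ALLOW rules with chrome.exe / firefox.exe as EXCEPTIONS, not deny rules.
# Appx collection: default "all signed packaged apps" rule in AuditOnly, so domain-joined
# Windows Server 2012 / Windows 8 machines keep running packaged apps while Exe is enforced.
# Rule Ids are arbitrary GUIDs; the browser paths are assumptions and should match the
# paths seen in the 8004 events on the servers.
Import-Module AppLocker

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Program Files except browsers"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%PROGRAMFILES%\Google\Chrome\Application\chrome.exe" />
        <FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\firefox.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Administrators may run anything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed packaged apps"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = "$env:TEMP\AppLocker-AllowWithExceptions.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry-run the policy against the programs in question before it goes near a GPO.
# Paths are assumptions for the example; use the ones the servers actually have.
$files = @(
    'C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe',
    'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
) | Where-Object { Test-Path $_ }

# S-1-1-0 is Everyone: evaluate as a standard user, not as the admin running the script.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $files -User 'S-1-1-0' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply only after the dry run shows SSMS allowed and the browsers denied.
# Local policy : Set-AppLockerPolicy -XmlPolicy $policyPath
# Domain GPO   : Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap 'LDAP://dc1.contoso.com/CN={GPO-GUID},CN=Policies,CN=System,DC=contoso,DC=com'
#                (placeholder LDAP path; substitute your GPO's GUID and domain)
```

The point of keeping the browsers as exceptions on the Program Files allow rule, rather than as separate deny rules, is the one Wendy makes: a deny rule wins over every allow rule, so a deny-only policy for two browsers tells AppLocker nothing about SSMS or Adobe Reader and they fall through to the default "not explicitly allowed" outcome.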