AppLocker Blocking OneDrive Next Generation Client

    Question

  • It appears that onedrive.exe, which is used for the Next Generation Client for OneDrive for Business, is located in the user's profile under AppData\Local\Microsoft\OneDrive and/or its subfolders. (It doesn't go in Program Files?)

    I have tried to use the AppLocker variables to create a path rule to whitelist. The %appdata% maps to the roaming subfolder automatically so I cannot use it to create a path. I have tried the other variables as well to create a path but none of them are "valid".

    Is there a way to whitelist the OneDrive.exe using an APPLOCKER rule? We want to use APPLOCKER .exe rules at our school but this is preventing implementation.

    Wednesday, October 19, 2016 5:33 PM

Answers

  • > Is there a way to whitelist the OneDrive.exe using an APPLOCKER rule? We want to use APPLOCKER .exe rules at our school but this is preventing implementation.
     
    How about onedrive.exe? (No path at all...) If not, you'd go for
     
    %OSDRIVE%\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe
     
    (You cannot use "standard" Env Vars in AppLocker)
     
    • Marked as answer by David Hoeft Friday, December 02, 2016 4:26 PM
    Friday, December 02, 2016 9:24 AM
  • > %OSDRIVE%\Users\*\AppData\Local\ = %LocalAppData%
    > -> %LocalAppData%\Microsoft\OneDrive\OneDrive.exe
     
    AppLocker does not accept any environment variables, neither user nor system variables. It can only use a (very limited) set of special AppLocker path variables like %OSDRIVE% and %WINDIR%.
     
     
    The reason for that is that a user has write access to their own variables. If you use such a variable in AppLocker, the user could easily change the variable to point to a location of their choice.
     
    • Marked as answer by David Hoeft Friday, December 02, 2016 4:25 PM
    Friday, December 02, 2016 2:25 PM
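    The two answers above give the accepted wildcard path and explain why %LocalAppData% is rejected. As an added example that is not part of the thread, the following PowerShell builds that rule into an AppLocker policy file, dry-runs it with Test-AppLockerPolicy against the signed-in user's own OneDrive.exe, and generates the publisher-rule alternative. The rule Id, the rule names and the $PolicyDir location are placeholders chosen here; the cmdlets assume an elevated session on Windows 10 or Server 2016 or later with the AppLocker module present.

```powershell
# Added example, not code from the thread. Builds an AppLocker policy with the
# accepted answer's wildcard path rule, checks it against the signed-in user's
# OneDrive.exe, and shows the publisher-rule alternative.
# Assumptions: elevated PowerShell on Windows 10 / Server 2016 or later;
# $PolicyDir, the rule Id and the rule names are placeholders chosen here.

$PolicyDir  = Join-Path $env:TEMP 'applocker-onedrive'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
$PathPolicy = Join-Path $PolicyDir 'onedrive-path.xml'

# Only AppLocker's own variables (%OSDRIVE%, %WINDIR%, %SYSTEM32%, %PROGRAMFILES%,
# %REMOVABLE%, %HOT%) are valid in a path condition; %LocalAppData% and other
# environment variables are rejected because a user can redefine them.
# The * stands in for any profile folder under \Users.
$RuleXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555"
                  Name="Allow OneDrive Next Generation client (per-user install)"
                  Description="Placeholder rule built from the forum thread"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
Set-Content -Path $PathPolicy -Value $RuleXml -Encoding UTF8

# Dry run: ask AppLocker how this policy would treat the real binary before importing it.
$Exe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
if (Test-Path $Exe) {
    Test-AppLockerPolicy -XmlPolicy $PathPolicy -Path $Exe -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

    # A path rule on a user-writable folder allows any file with that name placed
    # there. A publisher rule keys on Microsoft's code signature instead, so it is
    # the better fit for a per-user install location; derive it from the file itself.
    $PubPolicy = Join-Path $PolicyDir 'onedrive-publisher.xml'
    Get-AppLockerFileInformation -Path $Exe |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
        Set-Content -Path $PubPolicy -Encoding UTF8
    Test-AppLockerPolicy -XmlPolicy $PubPolicy -Path $Exe -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Merge whichever policy you settle on into the local policy (import into a GPO for the domain).
# Set-AppLockerPolicy -XmlPolicy $PubPolicy -Merge
```

    The dry run prints the PolicyDecision for the file under each policy without changing enforcement. The publisher rule is worth the extra step in a school environment: the path rule allows whatever is sitting at that path in a folder every user can write to, whereas the publisher rule allows only binaries carrying the vendor's signature, wherever they live.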

All replies

  • Hi,

    Thanks for your post.

    A rule can be configured to use either an allow or deny action:

    • Allow. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
    • Deny. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.

    Please go through the following article to get more information:

    Understanding AppLocker Rules

    https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 20, 2016 5:37 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Monday, October 24, 2016 5:28 AM
    Moderator
  • If I cannot create a path that works I cannot create a deny or allow rule.

    I need to know a path statement that will address onedrive.exe in each user's AppData folder that works. I cannot create a rule that I cannot create a path to. It would be much better if the onedrive.exe was in the Program Files folder instead of the AppData folder that is different for every user that logs into the device. I have tried to figure out a path using variables like %SystemDrive%\ but cannot find a variable path that works for the unique path for each user that logs into a device.

    %SystemDrive%\FilePath

    What am I overlooking in the documentation that can assist me with this path statement?



    Friday, December 02, 2016 2:22 AM
  • I need a path statement that will work to access the onedrive.exe file in the APPDATA folder of each user. It is different for each one. I cannot create a deny or allow rule if I cannot create the path statement.
    Friday, December 02, 2016 2:23 AM
  • That * in the path worked! The path it creates when you browse gives you most of it. Just need to replace the user folder with a * to include any user folder and that is the solution.

    %OSDRIVE%\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe

    Thanks

    Friday, December 02, 2016 12:56 PM
  • On 02.12.2016 at 13:56, David Hoeft wrote:
    > %OSDRIVE%\Users\*\AppData\Local\
     
    %OSDRIVE%\Users\*\AppData\Local\ = %LocalAppData%
     
    -> %LocalAppData%\Microsoft\OneDrive\OneDrive.exe
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, December 02, 2016 1:07 PM
  • I tried %LocalAppData% and apparently that is not a valid variable for APPLOCKER.

    Friday, December 02, 2016 4:25 PM
  • On 02.12.2016 at 15:25, Martin Binder [MVP] wrote:
    > AppLocker does not accept any environment variables,
     
    Right, thanks. I just saw the path and thought it could be easier ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, December 02, 2016 4:37 PM