AppLocker Blocking OneDrive Next Generation Client

    Question

  • It appears that onedrive.exe, which is used for the Next Generation Client for OneDrive for Business, is located in the user's profile appdata/local/Microsoft/OneDrive folder and/or subfolders. (It doesn't go in Program Files?)

    I have tried to use the AppLocker variables to create a path rule to whitelist. The %appdata% maps to the roaming subfolder automatically so I cannot use it to create a path. I have tried the other variables as well to create a path but none of them are "valid".

    Is there a way to whitelist the OneDrive.exe using an APPLOCKER rule? We want to use APPLOCKER .exe rules at our school but this is preventing implementation.

    Wednesday, October 19, 2016 5:33 PM

Answers

  • > Is there a way to whitelist the OneDrive.exe using an APPLOCKER rule? We want to use APPLOCKER .exe rules at our school but this is preventing implementation.
     
    How about onedrive.exe? (No path at all...) If not, you'd go for
     
    %OSDRIVE%\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe
     
    (You cannot use "standard" Env Vars in AppLocker)
     
    • Marked as answer by David Hoeft Friday, December 2, 2016 4:26 PM
    Friday, December 2, 2016 9:24 AM
  • > %OSDRIVE%\Users\*\AppData\Local\ = %LocalAppData%
    > -> %LocalAppData%\Microsoft\OneDrive\OneDrive.exe
     
    AppLocker does not accept any environment variables, neither user nor system variables. It can only use a (very limited) set of special AppLocker path variables like %OSDRIVE% and %WINDIR%.
     
     
    The reason for that is that a user has write access to their variables. If you use such a variable in AppLocker, the user could easily change the variable to point to a location of his choice.
     
    • Marked as answer by David Hoeft Friday, December 2, 2016 4:25 PM
    Friday, December 2, 2016 2:25 PM

All replies

  • Hi,

    Thanks for your post.

    A rule can be configured to use either an allow or deny action:

    • Allow. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.
    • Deny. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule.

    Please go through the following article to get more information:

    Understanding AppLocker Rules

    https://technet.microsoft.com/en-us/library/dd759068(v=ws.11).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 20, 2016 5:37 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Monday, October 24, 2016 5:28 AM
    Moderator
  • If I cannot create a path that works I cannot create a deny or allow rule.

    I need to know a path statement that will address onedrive.exe in each user's appdata folder that works. I cannot create a rule that I cannot create a path to. It would be much better if the onedrive.exe was in the Program Files folder instead of the appdata folder that is different for every user that logs into the device. I have tried to figure out a path using variables like %SystemDrive%\ but cannot find a variable path that works for the unique path for each user that logs into a device.

    %SystemDrive%\FilePath

    What am I overlooking in the documentation that can assist me with this path statement?



    Friday, December 2, 2016 2:22 AM
  • I need a path statement that will work to access the onedrive.exe file in the APPDATA folder of each user. It is different for each one. I cannot create a deny or allow rule if I cannot create the path statement.
    Friday, December 2, 2016 2:23 AM
  • That * in the path worked! The path it creates when you browse gives you most of it. Just need to replace the user folder with a * to include any user folder and that is the solution.

    %OSDRIVE%\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe

    Thanks

    Friday, December 2, 2016 12:56 PM
  • On 02.12.2016 at 13:56, David Hoeft wrote:
    > %OSDRIVE%\Users\*\AppData\Local\
     
    %OSDRIVE%\Users\*\AppData\Local\ = %LocalAppData%
     
    -> %LocalAppData%\Microsoft\OneDrive\OneDrive.exe
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, December 2, 2016 1:07 PM
  • I tried %LocalAppData% and apparently that is not a valid variable for APPLOCKER.

    Friday, December 2, 2016 4:25 PM
  • On 02.12.2016 at 15:25, Martin Binder [MVP] wrote:
    > AppLocker does not accept any environment variables,
     
    Right, thanks. I just saw the path and thought it could be easier ...
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, December 2, 2016 4:37 PM
  • This is something I've come up against as well. I've put in a publisher rule instead, it looks like this:

    Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
    Product Name: MICROSOFT ONEDRIVE
    File Name: *
    File Version: 18.44.0.0 And Above

    This lets the OneDrive client run but doesn't unlock the entire OneDrive folder in the process like a path rule would.

    Wednesday, April 25, 2018 1:34 PM
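Both rules from this thread (the %OSDRIVE% path rule with the `*` profile wildcard, and the publisher rule in the last reply) written out as an AppLocker policy and dry-run against the local OneDrive.exe, as an added PowerShell example that is not code from any of the posts. It assumes OneDrive.exe is installed at the per-user path given above; the rule names and descriptions are made up.

```powershell
# Added example (not from the thread). Builds an AppLocker policy XML containing the
# two allow rules discussed above for the Exe collection, then evaluates it against a
# OneDrive.exe path with Test-AppLockerPolicy. Assumes the current user's OneDrive.exe
# lives at the per-user location named in the thread; the rule names are made up.

$pathRule      = '%OSDRIVE%\Users\*\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
$publisherName = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
$productName   = 'MICROSOFT ONEDRIVE'
$minVersion    = '18.44.0.0'

# S-1-1-0 is the Everyone SID. EnforcementMode is left NotConfigured so the XML can be
# merged into an existing GPO without changing the collection's enforcement setting.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow OneDrive (publisher)"
        Description="Signed Microsoft OneDrive binaries, $minVersion and above"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisherName"
            ProductName="$productName" BinaryName="*">
          <BinaryVersionRange LowSection="$minVersion" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow OneDrive (path)"
        Description="Per-user install path; * matches any profile folder"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$pathRule" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'OneDriveAppLocker.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: report which rule (if any) would allow OneDrive.exe for Everyone.
$exe = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\OneDrive.exe'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# Show what AppLocker reads from the signed binary, to confirm the publisher
# fields (PublisherName, ProductName, version) line up with the rule above.
(Get-AppLockerFileInformation -Path $exe).Publisher
```

Test-AppLockerPolicy only evaluates the XML; nothing is enforced until the policy is merged with Set-AppLockerPolicy -Merge or imported into the GPO. The path rule accepts whatever sits at that name under any profile folder regardless of signature, which is the trade-off the last reply points out in favour of the publisher rule.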