AppLocker policy is enforced on Windows 2012 but not on Windows 2008 R2

    Question

  • I have a GPO deployed which blocks internet browsers on servers using the AppLocker feature.

    The issue is, the AppLocker rules are working as expected on Windows 2012 servers but not working on Windows Server 2008 R2 servers.

    I have a path-based rule, enforced in the GPO;

    the GPO was created using a Windows 2008 R2 Domain Controller.


    Abhiayu

    Monday, March 23, 2015 3:43 PM

Answers

  • Thanks Martin, 

    I came to find out that the Windows 2008 R2 server was restored using an old backup. Maybe that is the reason for this unusual behavior.


    Abhiayu

    Tuesday, March 24, 2015 11:28 AM

All replies

  • > The issue is, the Applocker rules are working as expected on windows
    > 2012 servers but not working on Windows Servers 2008 r2 servers.
     
    Did you set the application identity service (AppIDSvc) to start
    automatically?
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, March 23, 2015 3:48 PM
  • Yes, the service is set to Automatic.

    As I said, the policy is working fine on 2012 servers and not on Windows 2008 R2.

    (both servers are part of the same OU, where policy is linked)


    Abhiayu

    Monday, March 23, 2015 3:54 PM
  • In fact, I have confirmed it is in Enforced status.

    See the event logs from both machines; we are talking here about the same policy.

    From the Windows 2008 R2 machine: (IEXPLORE.EXE was allowed to run but would have been prevented from running if the AppLocker policy were enforced)

    From the Windows 2012 machine: IEXPLORE.EXE was prevented from running.


    Abhiayu



    • Edited by abhiayu Monday, March 23, 2015 4:00 PM
    Monday, March 23, 2015 3:59 PM
  • > from Windows 2008 R2 machine: (IEXPLORE.EXE was allowed to run but would
    > have been prevented from running if the AppLocker policy were enforced)
    > from Windows 2012 machine: IEXPLORE.EXE was prevented from running.
     
    Did you check an RSoP report for the origin of the rules on both OS
    versions? Might be a conflicting GPO with a WMI or security filter,
    built in the past due to testing :)
     

    Greetings/Grüße, Martin

    Monday, March 23, 2015 4:43 PM
  • Thanks Martin, 

    I have checked, there is no conflicting GPO. I am the only one testing this. 

    Plus I have verified with GPO modelling, the settings are reflecting with this GPO only being the winning one.

    What bothers me is, how come the same GPO is working as enforced on 2012 and Audit only on Windows 2008 R2?


    Abhiayu

    Monday, March 23, 2015 4:48 PM
  • > what bothers me is , how come the same GPO is working as enforced on
    > 2012 and Audit only on Windows 2008 R2
     
    Yes. I have no explanation for this behavior :(
     

    Greetings/Grüße, Martin

    Tuesday, March 24, 2015 8:41 AM
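
The checks discussed in this thread (AppIDSvc state, effective enforcement mode, and the audit versus block events) can be collected on each server and compared side by side. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell session and that Internet Explorer is installed in its default path.

```powershell
# Run on both the 2008 R2 and the 2012 server, then compare the output.
Import-Module AppLocker   # needed explicitly on PowerShell 2.0 (Server 2008 R2)

# 1. Application Identity service: rules are not evaluated unless it is running.
Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'" |
    Select-Object Name, State, StartMode

# 2. Enforcement mode of each rule collection in the policy the machine
#    actually applies (local and domain policy merged).
#    Values: NotConfigured, AuditOnly, Enabled.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode,
        @{ Name = 'RuleCount'; Expression = { $_.ChildNodes.Count } }

# 3. Path rules in the Exe collection, to confirm both servers received
#    the same rule set from the GPO.
$policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.FilePathRule } |
    Where-Object { $_ } |
    Select-Object Name, Action,
        @{ Name = 'Path'; Expression = { $_.Conditions.FilePathCondition.Path } }

# 4. Which rule matches the browser binary. This reports the rule decision only;
#    whether it is enforced or just audited comes from step 2.
#    Assumption: default Internet Explorer install path.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path 'C:\Program Files\Internet Explorer\iexplore.exe' -User Everyone

# 5. Recent AppLocker events for executables:
#    8003 = allowed, but would have been blocked if enforced (audit mode)
#    8004 = prevented from running (enforced)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

A server that logs 8003 while step 2 reports `AuditOnly` or `NotConfigured` for the Exe collection is not applying the enforcement setting the GPO carries, which points at policy processing on that machine rather than at the rules themselves.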