AppLocker doesn't apply

  • Question

  • Having a strange issue on my Windows 10 Enterprise client. We have set up a PAW solution. We want to block the Ivanti Portal Manager application from being run so that users are not able to install any software using Ivanti Portal Manager.

    I can modify group policies.

    Initially, when I set up AppLocker, I forgot to add the default rules. At that time, everything got blocked on my Win10, including weird behavior of the taskbar and Start menu. Portal Manager was also blocked.

    I had to revert it to enable these things.

    Followed a few forums and cleaned up the AppLocker GPO and locally applied settings. Then someone suggested enabling all default rules first and making sure they apply. Done. They apply.

    Then added an EXE rule for Portal Manager. However, I don't see any files being created in the system32\applocker folder.

    I can confirm gpresult /h shows that the GPO and rules are successfully applied.

    Get-AppLockerPolicy can verify that rules are applied on the computer.

    Test-AppLocker also confirms that the EXE rule is applied and it should be blocked.

    App identity service is running and fine.

    What else can be goofy?

    Thursday, April 4, 2019 8:44 AM

All replies

  • First, let's understand AppLocker's allow and deny actions on rules:

    Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied.

    You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file.

    You can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files (Portal Manager).

    How to Use AppLocker to Allow or Block Executable Files from Running in Windows 10

    https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards


    Friday, April 5, 2019 2:13 AM
    Moderator
  • PS C:\windows\system32> Get-ChildItem 'C:\Program Files (x86)\LANDesk\LDClient\' -Filter *.exe -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy C:\temp\curr2.xml -User domain\user_paw -Filter Denied,DeniedByDefault

    FilePath                                                         PolicyDecision MatchingRule
    --------                                                         -------------- ------------
    C:\Program Files (x86)\LANDesk\LDClient\LANDeskPortalManager.exe         Denied LANDESKPORTALMANAGER.EXE, version 11...

    Attaching GPO screenshots.

    Still, I am able to open Portal Manager.

    Blue shaded is a group of which my laptop user is a member: user_paw.

    Friday, April 5, 2019 9:50 AM
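
Added example, not part of any post in this thread: a PowerShell check that puts the rule decision from Test-AppLockerPolicy next to the enforcement mode of each rule collection in the effective policy, the Application Identity service state, and the AppLocker EXE event log. The file path and user name are the ones shown in the output above; the 200-event window is an arbitrary choice. Run it elevated on the affected client.

```powershell
# Added example: compare what the rules say with what the client enforces.
# Path and user are taken from the thread's output; adjust for your environment.
$exe  = 'C:\Program Files (x86)\LANDesk\LDClient\LANDeskPortalManager.exe'
$user = 'domain\user_paw'

# 1. Enforcement mode per rule collection in the effective (merged GPO + local) policy.
#    Enabled       -> rules are enforced
#    NotConfigured -> rules are enforced if the collection contains rules
#    AuditOnly     -> rules are evaluated and logged, nothing is blocked
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$policy.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode,
        @{ n = 'RuleCount'; e = { @($_.ChildNodes).Count } } |
    Format-Table -AutoSize

# 2. Rule decision for the file, evaluated for the affected user
#    against the effective policy rather than an exported XML copy.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $exe -User $user |
    Format-List FilePath, PolicyDecision, MatchingRule

# 3. The Application Identity service must be running for rules to be evaluated.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 4. What AppLocker actually did when the file was launched.
$meaning = @{
    8002 = 'Allowed'
    8003 = 'AuditOnly: would have been blocked'
    8004 = 'Blocked'
}
$leaf = Split-Path -Path $exe -Leaf
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8002, 8003, 8004
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$leaf*" } |
    Select-Object TimeCreated, Id,
        @{ n = 'Meaning'; e = { $meaning[[int]$_.Id] } }, Message |
    Format-List
```

An 8003 event for the file means the Exe collection is in audit mode on that client; no events at all for the file means the launch was never evaluated by AppLocker.
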
  • Anyone else to help here please?
    Tuesday, April 23, 2019 12:19 PM