AppLocker Blocking Signed App

  • Question

  • I have a packaged app rule that allows all signed packaged apps and is in audit-only mode. When the application is launched I get Event ID 8021 (indicating the app would have been blocked if in enforcement mode) with the following details:
    PolicyName: APPX
    RuleId: {00000000-0000-0000-0000-000000000000}
    RuleName: -

    Normally, when an application or executable is blocked, these fields are populated. I am guessing the all-0 RuleId means the application in question was blocked because of a lack of a rule (not whitelisted). So I created a rule to explicitly allow the application in question and I get the same result.

    Furthermore, the event says "was allowed to run but would have been prevented from running if the AppLocker policy were enforced." which is odd because normally this event is formatted as "<App Name> was allowed to run but..." where the app name is included. In my case there's just nothing there.

    OS: Windows 10 Enterprise
    Build: 19041.508

    Thoughts?

    UPDATE 1: I reinstalled Windows and the problem went away (the app was no longer being blocked and its name was included in the AppLocker events). It was working fine until I connected to the internet and then the exact same problem came back. The app in question is a custom one (it's signed) so I wonder if this is somehow related to Microsoft's reputation based protections. I tried turning reputation based protections off in Windows Defender as an experiment and it didn't make a difference.
    • Edited by benavidezb Tuesday, September 29, 2020 10:53 PM
    Tuesday, September 29, 2020 7:54 PM

Answers

  • It turns out the intermediate and root CA were missing from the system's certificate stores. I used the solution from this SO post to check the certificate chain: https://stackoverflow.com/questions/28101140/get-chain-of-certificates-for-a-file-with-powershell. The last certificate listed in the list of certs must be included in the Trusted Root Certification Authorities store.

    After including the necessary certificates, the AppLocker cache needs to be deleted (C:\Windows\System32\AppLocker\AppCache.dat), after which previously blocked apps that use those certs should run without issue.

    It's interesting that the AppLocker logs omit the name of the application when the root CA of the signed package can't be found. It would be useful to include the name of the application and even go so far as to include the reason the AppLocker rule failed, e.g. "<app name> was prevented from running. Signature was not trusted". It would also be useful if Test-AppLockerPolicy identified these issues since, in my case, it claimed the application was "Allowed".
    Wednesday, September 30, 2020 8:23 PM
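    As an added diagnostic (not code from this thread or from Microsoft), the PowerShell below checks both halves of the diagnosis in the answer: it counts 8021 audit events whose RuleId is the all-zero GUID, then builds the package signer's certificate chain and reports whether the last element (the root) is present in the Trusted Root Certification Authorities store. The packaged-app log name and the $PackagePath placeholder are assumptions you must adjust.

```powershell
# Added diagnostic for the "null RuleId" AppLocker symptom. Assumes the
# Packaged app-Execution log name; $PackagePath is a placeholder to replace.
param(
    [string]$PackagePath = 'C:\Path\To\YourSignedApp.msix'   # placeholder
)

# 1. Audit events (8021) whose RuleId is the null GUID, i.e. no rule matched.
$nullRuleId = '{00000000-0000-0000-0000-000000000000}'
$suspect = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
        Id      = 8021
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match [regex]::Escape($nullRuleId) })
"8021 audit events with null RuleId: $($suspect.Count)"

# 2. Build the Authenticode chain of the package and show each element's status.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $PackagePath" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip CRL/OCSP so a trust-store gap is not masked by revocation reachability.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($sig.SignerCertificate)
"Chain builds cleanly: $built"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    "  {0}  [{1}]" -f $el.Certificate.Subject, $status
}

# 3. The last element is the root; it must live in LocalMachine\Root (the
#    Trusted Root Certification Authorities store) for AppLocker to trust it.
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRoot = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root '$($root.Subject)' present in Trusted Root store: $([bool]$inRoot)"
if (-not $inRoot) {
    "Import the missing intermediate/root CA certificates, then (per the answer)"
    "delete C:\Windows\System32\AppLocker\AppCache.dat and relaunch the app."
}
```

    A chain status of PartialChain or UntrustedRoot on the final element is the condition the answer describes; once the stores are fixed, a fresh run should report the chain building cleanly and the null-RuleId event count should stop growing.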

All replies

  • Hi,

    Thank you for taking the time to share the details.

    In general, we would recommend that you post on the Microsoft Q&A forum to discuss questions about AppLocker, with the tag windows-server; the related product supporter will provide you with detailed suggestions:
    https://docs.microsoft.com/en-us/answers/topics/windows-server.html

    Thank you for your understanding. 

    Best Regards,
    Eve Wang

    "Windows Server General Forum" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "Windows Server General Forum" forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.

    Thursday, October 1, 2020 1:21 AM