AppLocker Randomly Blocking Microsoft-Signed Applications on Windows 10 1909

jdbst56 6 Reputation points
2021-04-07T18:13:50.453+00:00

We have implemented AppLocker whitelisting via GPO on Windows 10 Enterprise (currently 1909). We have experienced some instances where AppLocker will randomly block Microsoft applications that were signed by the Microsoft CA even though there is a publisher rule in place allowing these exes. Examples we have seen are Outlook.exe, iexplore.exe, excel.exe, etc. being blocked. When the random block occurs, it tends to only be one Microsoft application that is impacted even though all the exes are signed with the same certificate.

I had an end user call yesterday where Excel was blocked on her system. Outlook, PowerPoint, and Word were fine. The AppLocker logs showed that Excel was being blocked. Running Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path "C:\Program Files (x86)\Microsoft Office\root\Office16\excel.exe" -User username returned that Excel was allowed based on the effective policy, yet it was being blocked. Doing a run-as on the application with an account that has a * bypass rule allows it to launch.

I ended up adding a path rule to the Office directory for the time being but I would like to understand why certain signed Microsoft apps are being blocked despite having a publisher rule in place.
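An added diagnostic script, not code from the original post or from Microsoft, that cross-checks recent AppLocker block events against the effective policy and the file's current publisher information, so a "logged as blocked but Test-AppLockerPolicy says allowed" case can be compared side by side. It assumes block events are ID 8004 in the "EXE and DLL" channel, that logged paths use AppLocker's %OSDRIVE%-style variables, and the helper Expand-AppLockerPath is hypothetical:

```powershell
# Added diagnostic example, not code from the original post. Run elevated on
# the affected machine. Assumptions: block events are ID 8004 in the
# "EXE and DLL" channel, and logged paths use AppLocker's %OSDRIVE%-style
# variables (best-effort mapping; %PROGRAMFILES% may also mean "Program Files (x86)").
$channel = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since   = (Get-Date).AddDays(-7)

# Hypothetical helper: turn AppLocker's logged path back into a real path.
function Expand-AppLockerPath {
    param([string]$Path)
    $map = @{
        '%OSDRIVE%'      = $env:SystemDrive
        '%WINDIR%'       = $env:WINDIR
        '%PROGRAMFILES%' = $env:ProgramFiles
    }
    foreach ($k in $map.Keys) {
        $Path = $Path -replace [regex]::Escape($k), $map[$k]
    }
    return $Path
}

$effective = Get-AppLockerPolicy -Effective
$events = Get-WinEvent -FilterHashtable @{
    LogName = $channel; Id = 8004; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $d    = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $real = Expand-AppLockerPath $d.FilePath
    $decisionNow  = 'file not found'
    $publisherNow = $null
    if (Test-Path -LiteralPath $real) {
        # Re-test the same file for the same user (logged as a SID) against today's policy.
        $decisionNow  = (Test-AppLockerPolicy -PolicyObject $effective -Path $real `
                             -User $d.TargetUser).PolicyDecision
        $publisherNow = (Get-AppLockerFileInformation -Path $real).Publisher
    }
    # If LoggedFqbn is empty or '-', AppLocker did not resolve a publisher at
    # block time, so only path or hash rules could have matched then.
    [pscustomobject]@{
        Time         = $e.TimeCreated
        User         = $d.TargetUser
        File         = $real
        LoggedFqbn   = $d.Fqbn
        PublisherNow = $publisherNow
        DecisionNow  = $decisionNow
    }
}
```

A row whose LoggedFqbn is empty while PublisherNow shows the Microsoft signer points at signature resolution failing at launch time rather than at a missing rule.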


1 answer

Fan Fan 15,291 Reputation points Microsoft Vendor
2021-04-08T06:42:32.753+00:00

    Hi,
    Welcome to share here!
    I would recommend you enable the gpsvc log to check more details about the GPO.
    For how to use it, you can refer to:
    https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/
    It is not suggested to post the log here for security reasons.

    If you still can't find the reason, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
    https://support.microsoft.com/en-in/hub/4343728/support-for-business

    Best Regards,
