We are starting to see the same behavior in our environment.
AppLocker Rules Disappearing
It happens occasionally that when we add new policy rules to AppLocker (which is distributed through domain group policy), occasionally all rules will disappear and all rules will be gone. I am trying to identify why this is happening and if there is a log of this event occurring so we can proactively handle this situation if it occurs.
This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.
-
Anonymous
2024-04-05T18:36:18+00:00 -
Anonymous
2024-04-05T19:38:31+00:00 JJ,
This does not help to identify the cause for the issue. However, one element that we have added is to routinely export our existing rules so they can be quickly re-imported if we discover the issue.
-
Anonymous
2024-04-11T06:48:39+00:00 Hello
You can use Event Viewer to monitor AppLocker activity. In Windows Event Viewer, select Applications and Services Logs > Microsoft > Windows > AppLocker. Listed here are some AppLocker-related events, such as policy translation failure, policy applied successfully, files allowed or blocked from running, etc. You can review these events to determine if any automatically generated rules are not included or if there are other issues.
View the AppLocker logs in Windows Event Viewer: Using Event Viewer with AppLocker - Windows Security | Microsoft Learn
I hope the information above is helpful.
Best Regards,
Yanhong Liu
-
Anonymous
2024-04-18T16:59:44+00:00 I'm not sure that this information gets to the heart of the problem. From the link you provided, all of the event IDs listed represent whether or not a policy was applied OR whether or not a file was run on the target machine. This is not expressly where I am experiencing my trouble. As noted in my description, we apply AppLocker rules to workstations via group policy. These policies are not applied to the servers (domain controllers) that govern the group policy being deployed. As such, the server where the policies are listed does not get events regarding whether a policy was applied or whether a file was run. In addition to this, the issue is that occasionally and seemingly without reason all the rules will disappear. This is the circumstance I am trying to catch/understand.
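One way to combine the routine export mentioned in an earlier reply with a check for the "all rules gone" condition described above, run as a scheduled task on a management host. This is an added example, not code from any poster in this thread; the GPO name and backup folder are assumptions, and it requires the GroupPolicy and AppLocker PowerShell modules (RSAT).

```powershell
# Added example: snapshot the AppLocker policy stored in a GPO and flag rule loss.
# Assumed values (not from the thread): $GpoName and $BackupDir.
Import-Module GroupPolicy, AppLocker

$GpoName   = 'Workstation AppLocker'   # hypothetical GPO display name
$BackupDir = 'C:\AppLockerBackups'     # hypothetical backup folder

function Get-AppLockerRuleTotal {
    # Counts FilePublisherRule / FilePathRule / FileHashRule elements in all collections.
    param([Parameter(Mandatory)][xml]$PolicyXml)
    $total = 0
    foreach ($collection in $PolicyXml.AppLockerPolicy.RuleCollection) {
        $rules = @($collection.ChildNodes | Where-Object { $_.LocalName -like '*Rule' })
        Write-Verbose ("{0}: {1} rule(s)" -f $collection.Type, $rules.Count)
        $total += $rules.Count
    }
    $total
}

# Read the policy straight from the GPO in the directory, not from a client machine.
$gpo        = Get-GPO -Name $GpoName
$ldapPath   = "LDAP://$($gpo.Path)"
$currentXml = Get-AppLockerPolicy -Domain -Ldap $ldapPath -Xml
$currentTotal = Get-AppLockerRuleTotal -PolicyXml $currentXml

# Compare against the most recent snapshot, if one exists.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$last = Get-ChildItem $BackupDir -Filter '*.xml' |
    Sort-Object LastWriteTime | Select-Object -Last 1
$previousTotal = 0
if ($last) {
    $previousTotal = Get-AppLockerRuleTotal -PolicyXml (Get-Content $last.FullName -Raw)
}

if ($previousTotal -gt 0 -and $currentTotal -eq 0) {
    # Rules vanished since the last good snapshot: alert and keep that snapshot untouched.
    Write-Warning ("GPO '{0}' has 0 AppLocker rules (was {1}). GPO last modified: {2}. Last good export: {3}" -f
        $GpoName, $previousTotal, $gpo.ModificationTime, $last.FullName)
    # Restore after review with:
    #   Set-AppLockerPolicy -XmlPolicy $last.FullName -Ldap $ldapPath
    exit 1
}

# Policy still has rules (or there is no baseline yet): save a timestamped snapshot.
$file = Join-Path $BackupDir ("{0:yyyyMMdd-HHmmss}.xml" -f (Get-Date))
Set-Content -Path $file -Value $currentXml -Encoding UTF8
Write-Output "Saved $currentTotal rule(s) to $file"
```

The GPO modification time in the warning narrows the window in which the rules were lost, which can then be matched against who was editing the GPO at that time.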
-
Anonymous
2024-05-23T16:28:50+00:00 Just to be clear based on your original post and one of your replies to another user: Your rules are disappearing from within the AppLocker policy itself (GP Management / GP Management Editor)?
I am asking as I was led to this post researching why some of my domain machines just 'lose' AppLocker. I have 3 machines in front of me, all in the same OU/same policies, and one of them has zero AppLocker rules and the AppLocker event logs have "0" entries for each of the 4 rule sets. Driving me nuts.