facing the exact same issue , no SCCM is configured we used intune instead . any solution for this ?
AppLocker policies not applying
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 79%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFH%3C/text%3E%3C/svg%3E)
Fayraz Hussain
16
Reputation points
Hi,
We are currently looking at deploying AppLocker to our Windows 10 Enterprise devices via group policy, the issue we have is that the policies keeps reverting to the local AppLocker policy on the machine instead of taking the settings from the group policy.
By this I mean we get dummy rules added and I am not sure where they are coming from?
I can clear these local policies by running this PowerShell script and this clears all local policies and if anything else have been applied to the machine:
Import-Module
Set-AppLockerPolicy -XMLPolicy ClearLocal.xml
Set-AppLockerPolicy -XMLPolicy clearAppLocker.xml
appidtel.exe stop [-mionly]
sc.exe config appid start=demand
sc.exe config appidsvc start=demand
sc.exe config applockerfltr start=demand
sc.exe stop applockerfltr
sc.exe stop appidsvc
sc.exe stop appid
Set-Location -Path 'HKLM:\SOFTWARE\TEWVApps'
New-Item -Name 'AppLocker' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Apps\AppLocker' -Name 'Cleared' -Value 1
And then I apply the group policy I would like and it works for about a week and then we see the dummy rules again which starts getting blocks in the event log even though things are allowed.
Only thing I can think which may be causing this behaviour is we used to have WDAC running through Config Manager but we have now put that into Audit mode and my test machines I have put in an exclusion group.
Has anyone else see the dummy rule apply to their machines?
Thanks
Microsoft Security | Intune | Configuration Manager | Other
Windows for business | Windows Client for IT Pros | User experience | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 7.000000000000001%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHJ%3C/text%3E%3C/svg%3E)
Haupt, Joseph 0 Reputation points2023-08-16T13:48:44.84+00:00 Did you ever determine the cause of this or find a permanent fix? Currently seeing the exact same issue in our environment.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 70%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHP%3C/text%3E%3C/svg%3E)
Hans Peter Zweifel 0 Reputation points2023-09-13T09:06:37.8633333+00:00 Same here...seems to be connected to SCCM. Happens on servers...errors logged although set to only audit. Behaviour changed about 2-3 month ago. Was ok before. Looks like it could come from a SCCM Client update.
Deleting the dummy rules doesn't solve the errors beeing reported. Even allowing every exe and dll doesn't stop the errors, although files can be executed. It is then first reported as allowed to run just to be reported to be not allowed to run in the next event.
We're on version for components 5.00.9078.1000 for the most but three that are on 5.00.9078.1005
Client Version is reported as 5.00.9078.1025
-
Jatin Makhija 1,176 Reputation points2023-10-31T10:39:04.56+00:00 I have used Intune as well for several clients. It's easier using Intune than GPO. Here's a Step-by-Step guide you can follow: How to Implement Applocker using Intune.
Sign in to comment
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 43%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
Shams Tabrez (Strata) 0 Reputation points2023-10-27T10:51:27.1133333+00:00 -
Jatin Makhija 1,176 Reputation points
2023-10-31T10:33:18.48+00:00 I have Implemented Applocker for several clients. Here's a step-by-step guide you can follow: How to Implement Applocker using Intune.
Sign in to comment -