Applocker GPO not working

Hutch 1 Reputation point
2021-10-27T21:32:11.797+00:00

Servers are 2016, workstation is Windows 11 Enterprise. Application Identity Service is running.

I have created an Applocker GPO and applied it to the OU that contains the workstation. Gpresult shows that the GPO is applied. Running the Group Policy Results wizard in GPMC shows that the policy is applied and lists the rules, but "Application Control Policies" is absent in RSOP and Applocker is not working.

There is nothing in Event Viewer except "The AppLocker policy was applied successfully to this computer." "the program was allowed to run" No denials even though the policy has the default rules enforced and I am running downloaded executables from my desktop.

I think this is the same behavior that you can expect from applying an Applocker GPO to Windows Pro but I am running Enterprise. This was a Windows 10 Pro computer that I re-activated with an Enterprise license and then did an in place upgrade to Windows 11.

Help?

  • EDIT: I have applied this policy to two Windows 10 Enterprise computers as well and have the same problem with them, so it's not a Win11 issue.
  • EDIT 2: It looks like AppLocker is working, just not the way I expected and I still don't see it in rsop.msc. One of the files I'm using to test is an exe installation file which extracts a msi to the %localappdata%\Temp folder. I have a publisher rule to allow the installation and the exe and msi are both signed with the same certificate. The exe runs as expected but the msi fails and AppLocker generates an error in event viewer just saying the msi was prevented from running. If I copy the msi to my desktop, I am able to run it no problem. I have no path rules blocking the %localappdata%\Temp folder. Why is it being blocked in the Temp folder?
  • Edit 3: It seems all unsigned executables are blocked, but anything signed is allowed to run from my desktop even though I have no allow rule for that behavior. How can I prevent this? I

2 answers

Sort by: Most helpful
  1. Andreas Glaubitz 1 Reputation point
    2021-10-28T13:44:04.857+00:00

    Check if service "Application Identity" is running....


  2. Limitless Technology 39,806 Reputation points
    2021-10-29T16:36:35.807+00:00

    Hello @Hutch ,

    Thank you for your question and reaching out.

    To solve this you need to create Packaged App rules in the Applocker group policy. To do this follow these steps:

    1. Go to Computer Configuration / Policies / Windows Settings / Security Settings / Application Control Policies / Applocker
    2. Right-Click Packaged App Rules and select Create Default Rules
    3. After the policy is applied to Windows 10 workstation, Start button will work again.

    Other note, I believe it is easier if you used an exe policy filter by file hash.

    These are the steps:

    1. Copy the executable you want to block on a USB stick;
    2. https://technet.microsoft.com/en-us/library/dd759075(v=ws.11).aspx to create a rule;
    3. When you get to the exe rule conditions, go for the "File hash" option;
    4. Browse to your exe and feed it to this dialog. It will compute the hash and add it as a condition;
    5. Apply the policy and this exe will not run again on the machines.
    6. However, if the exe is updated, you need to check and do this operation again, adding the updated file hash.

    Also, we have a similar subject with a problem similar to this. I recommend that you consult it to better understand how to solve it; go to it on the link below:
    https://learn.microsoft.com/en-us/answers/questions/411921/applocker-rules-not-applied-on-windows-10.html

    -------

    --If the reply is helpful, please Upvote and Accept as answer--
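An added example, not posted in this thread: a PowerShell check for the situation the question describes, which reads the effective (GPO-merged) AppLocker policy, shows the publisher and hash attributes of the test files, and asks the engine which rule decides for a given user, so an "unexpectedly" allowed signed file can be traced to the default allow-all rule for BUILTIN\Administrators rather than to a missing policy. The file paths and user name are placeholders to adjust for your own machine.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the workstation.
# $FilesToTest and $TestUser are placeholders; replace them with your own test files and account.
param(
    [string[]] $FilesToTest = @("$env:USERPROFILE\Desktop\installer.exe",
                                "$env:LOCALAPPDATA\Temp\installer.msi"),
    [string]   $TestUser    = "$env:USERDOMAIN\$env:USERNAME"
)

# 1. The merged local + GPO policy the AppLocker engine actually enforces.
#    A collection with mode NotConfigured or zero rules means the GPO did not land.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    $count = ($rc | Measure-Object).Count
    '{0,-8} mode={1,-13} rules={2}' -f $rc.RuleCollectionType, $rc.EnforcementMode, $count
}

# 2. Attributes the engine matches rules against. No Publisher means the file is
#    unsigned, so only a path or hash rule can allow it.
$existing = $FilesToTest | Where-Object { Test-Path $_ }
foreach ($f in $existing) {
    Get-AppLockerFileInformation -Path $f |
        Select-Object Path, @{ n = 'Publisher'; e = { $_.Publisher.PublisherName } }, Hash
}

# 3. The decision and, more importantly, the rule that produced it. Test with a
#    non-admin account as well: the default rules allow administrators everything.
if ($existing) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $existing -User $TestUser |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Recent audit/block decisions already recorded by AppLocker
#    (8003/8004 = EXE and DLL audited/blocked, 8006/8007 = MSI and script audited/blocked).
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8003, 8004, 8006, 8007 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Running step 3 with a standard user account instead of the logged-on administrator is the quickest way to see whether the policy blocks what you expect once the administrator default rule no longer matches.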

