Score:1

AppLocker is not enforcing rules that have been defined


We have a Windows Server 2019 operating system image with a set of local AppLocker rules defined for the server itself. We are observing that AppLocker is not enforcing any of the rules when we open applications on the server.

We have checked/attempted the following:

  • The Application Identity Service has been set to auto startup and is running
  • Set the rule groups to use Audit mode (nothing being logged in the Windows event viewer)
  • Tweaked/reset the rules to no avail (gpupdate being run after every change)
  • The same XML policy file has been applied to a vanilla Windows Server 2019 installed in a virtual machine where it behaved as expected

Our Windows Server 2019 operating system image is deployed with a number of Group Policy settings so that it is hardened. There is the possibility that one of these could be interacting with AppLocker, but I cannot seem to find any info on which ones could be of interest.

Score:0

For diagnosis, open PowerShell and use `Test-AppLockerPolicy`.

Test-AppLockerPolicy is correctly reporting the policy decision as 'Denied' for an executable where I have set up a 'DENY' rule when I run the following: `Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path <exe> -User <user>` No message is shown by Windows and I am able to run the executable for that user. The Local Security Policy shows that rule enforcement is enabled. I see nothing logged in the Windows event viewer.
Bernd Schwanenmeister
Then it's buggy behavior. Have seen that once myself. Had to turn off AppLocker and turn it on again and it started to work again. Another approach would be to run an in-place upgrade for Windows (to the same build) and then reconfigure AppLocker.
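
The checks discussed in this thread, collected into one diagnostic pass (an added example, not part of any post above). It also compares the local policy with the effective policy, which is the merge of local and Group Policy settings; `$ExePath` and `$UserName` are placeholders for the executable and account under test.

```powershell
# Added example: run in an elevated Windows PowerShell session on the affected server.
param(
    [string]$ExePath  = 'C:\Path\To\Test.exe',  # placeholder: executable covered by a DENY rule
    [string]$UserName = 'Everyone'              # placeholder: account the rule applies to
)

# 1. The Application Identity service must be running for rules to be evaluated.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 2. Enforcement mode per rule collection, local policy vs. effective policy.
#    A collection that is Enabled locally but AuditOnly or absent in the
#    effective policy points at a Group Policy setting overriding it.
$policies = [ordered]@{
    Local     = [xml](Get-AppLockerPolicy -Local -Xml)
    Effective = [xml](Get-AppLockerPolicy -Effective -Xml)
}
$modes = foreach ($scope in $policies.Keys) {
    foreach ($rc in $policies[$scope].AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Scope           = $scope
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = @($rc.ChildNodes).Count
        }
    }
}
$modes | Sort-Object Collection, Scope | Format-Table -AutoSize

# 3. Policy decision for the test executable under each policy.
#    Differing results mean the local rules are not what is being applied.
Get-AppLockerPolicy -Local |
    Test-AppLockerPolicy -Path $ExePath -User $UserName |
    Select-Object @{ n = 'Scope'; e = { 'Local' } }, FilePath, PolicyDecision, MatchingRule
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $ExePath -User $UserName |
    Select-Object @{ n = 'Scope'; e = { 'Effective' } }, FilePath, PolicyDecision, MatchingRule

# 4. Recent AppLocker events for executables and DLLs:
#    8002 = allowed, 8003 = would have been blocked (audit), 8004 = blocked.
#    An empty log while the service runs and rules exist is itself a finding.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```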