We have multiple machines exhibiting this issue so I believe I have cleared the AppLocker policy and re-applied the default rule and that had no effect on the problem. Other AppLocker rules for executables, etc., just Calculator, and only since installing 1809. It does not appear to affect any other app except Calculator that I have seen, although we do not use many UWP apps. Of the time, it just randomly does this 1% of the time then returns to normal. Looking at event logs, it is probably working 99% The strangest thing about the issue is that if the user waits and tries again later, it will start working again - without even rebooting or logging off. Was prevented from running" without the app name. The RuleID is a series of zeros, the RuleName is blank, and on the general screen where the name of the app should be listed, it just says (blank) " Instead of being filled out with details about the app, everything is blank. We only have the default rule for Packaged App Execution being enforced, which allows all signed packaged apps to run, yet if I view the event log for AppLocker when the problem occurs, the event id that is logged clearly indicates AppLocker It would also be useful if Test-AppLockerPolicy identified these issues since, in my case, it claimed the application was "Allowed". Since updating some machines in our enterprise to Windows 10 1809, AppLocker's default rule for Packaged App Execution is randomly blocking Calculator It would be useful to include the name of the application and even go so far as include the reason the AppLocker rule failed e.g. It's interesting that the AppLocker logs omit the name of the application when the root CA of the signed package can't be found.
The last certificate listed in the list of certs must be included in the Trusted Root Certification Authorities store. After including the necessary certificates, the AppLocker cache needs to be deleted (C:\Windows\System32\AppLocker\AppCache.dat) after which previously blocked apps that use those certs should run without issue. I used the solution from this SO post to check the certificate chain. It turns out the intermediate and root CA were missing from the system's certificate stores. I tried turning reputation based protections off in Windows Defender as an experiment and it didn't make a difference. The app in question is a custom one (it's signed) so I wonder if this is somehow related to Microsoft's reputation based protections. It was working fine until I connected to the internet and then the exact same problem came back. UPDATE 1: I reinstalled Windows and the problem went away (the app was no longer being blocked and its name was included in the AppLocker events). So I created a rule to explicitly allow the application in question and I get the same result. Furthermore, the event says "was allowed to run but would have been prevented from running if the AppLocker policy were enforced." which is odd because normally this event is formatted as " was allowed to run but." where the app name is included. I am guessing the all 0 RuleId means the application in question was blocked because of a lack of rule (not whitelisted). Normally, when an application or executable is blocked, these fields are populated. When the application is launched I get Event ID 8021 (indicating the app would have been blocked if in enforcement mode) with the following details: I have a packaged app rule that allows all signed packaged apps and is in audit-only mode.