Windows 10: AppLocker: Deny one app for all except Publisher/another App

Hi,

Windows 10 1809 Enterprise (corporate install)

I need 2 versions of Java RE installed: an older version for a bespoke app and the latest version. The old version must only be able to be used when called by the bespoke app and nothing else. And the new version must be used for all other apps but never by the bespoke app.

Is this possible with AppLocker?

Thanks

:)

 

AppLocker Blocks Windows Store Apps Downloads

For those of you who are suffering from the AppLocker issue...

First, to set context. AppLocker is a built in security mechanism that allows you to control (Block or Allow) "stuff" from running on your computer. In the context of Modern Apps and the Store, it does not prohibit the use of the store, rather the download,
installation, and launch of Modern\Universal Applications.

At our company we have a good number of Windows 8.1 machines in the environment. We use AppLocker to restrict the use of all unknown "Modern Apps" by creating a global Deny rule. In order for all of the "built-in" Windows apps to load correctly (at fist
login and on update), we had to configure the global deny rule with a wildcard(*) exceptions (you do this that have a values of "*" in the scope of the ). This is similar to a typical firewall configuration where you block everything then make your exceptions
of stuff you want to allow. Once you have allowed exceptions, you need to have "allow" rules to pass through the global "deny" rule. That means that you have to create specific allow rules for the apps you want users to be able to download, install, and
launch.

We also have an allow rule for a specific user group that has '*' as the scope. This rule is necessary if you want to give certain users, such as your Desktop Admins, the ability to download, install, and run all modern apps. This was also an important piece
for Developers trying to debug a modern app that they are developing. Without this rule developer will not be able to run their modern apps in Visual Studio. This all worked beautifully with Windows 8.1...along comes Windows 10...

When we first starting building Windows 10 computers, at the time it was 1511, we added new rules to allow all of the new built-in apps. Life was good...or so it seemed. What we found was that any time a modern (or universal app) was trying to update,
that the updates were being blocked with an 0x80073CF9 error in the store. There was also a corresponding event in the AppLocker logs about the blocked attempt.

When 1607 came out we tested the issue again hoping that we'd find that it was magically resolved. As we starting re-testing this AppLocker issue when we found that users who were in the "Allow All Apps" group were getting denied the right to "install"
software by Applocker (I put "install" in quotes intentionally. After doing some troubleshooting and testing on both 1511 and 1607, I found that on both versions the steps to install a modern app are slightly different than they were in Windows 8.1 and that
AppLocker does not like the changes. In W10 and W8.1 when the apps from the store are first downloaded before they are installed. In Windows 8.1, the app is download under the logged in users context. In Windows 10, the download occurs under local SYSTEM
and is then passed over to the user context to perform the install. I figured this my looking closely at the user whom the AppLocker log was written for.

Since "SYSTEM" is not a member of the group that is allowed to use the app (download, install, and run), the action is not allowed to pass through the deny rule exception and AppLocker stops the download process resulting in the 0x80073CF9 error. Just to
prove my theory I added a test rule to allow "NT AUTHORITY\SYSTEM" and everything stared working as they did in Windows 8.1. I was able to update installed apps and new apps from the store.

Additionally, we happen to have a Microsoft consultant onsite so I had him run the same exact tests in his lab. He had the same exact issue. This was not a problem caused by a configuration or policy in our environment.

The bottom line is that Microsoft changed the behavior of how apps are downloaded and installed from the Windows Store. This change broke the way AppLocker works. I REALLY hop that Microsoft fixes this. What I have mentioned in this post is not an acceptable
workaround...I did this as a test.

For security reasons, I HIGHLY DISCOURAGE anyone from giving "NT AUTHORITY\SYSTEM" permissions to install ANYTHING from the store.

 

applocker publisher information cannot extracted Windows 10 only

Hi,

In order for us to know where the issue is coming from, we'd like to get the following information:

• Is this the first time that you'll be using AppLocker in Windows 10?
• Have you made any changes or applied an update to your device before the issue occurred?
• What troubleshooting steps have you tried so far?
• If possible, kindly send us a screenshot of the complete error message you're getting and the AppLocker you're using.

Looking forward to your response.

 

AppLocker Blocks Windows Store Apps Downloads

It's now March 2017, this problem is dragging on since August 2015. I've installed Windows 10 Pro in total 4 times on two machines because of this issue.

My conclusion is that some installer changes the working of AppLocker. But, Windows 10 Pro lacks the ability to change AppLocker settings (you cannot even switch on or off its identity service).

Interestingly, the many people here on 'answers'.microsoft.com trying to answer this question all come up with the same suggestions that do not work (in my case):

• wsreset.exe or run the troubleshooter for apps (https://support.microsoft.com/en-us...790db/run-the-troubleshooter-for-windows-apps)
• Adjust the settings of AppLocker in Local Security Policy (in secpol.msc). This obviously does not work because Windows 10 Pro is not supposed to have AppLocker at all. AppLocker is only available in Enterprise versions.
• Fiddle around with permission settings
• Create c:\Windows\AppReadiness
• Reinstall Windows 10 Pro

The Pro in Windows 10 Pro stands for Probably.: Probably you need to reinstall.

For Microsoft (if you want to do something):

a. The trouble shooter mentions a 'possible' problem with the Store cache. But is does not offer/is unable to do a repair

b. Doing a harddisk chkdsk could result in a blue screen of death and a subsequent repair of Windows (to a previous version).

c. Sometimes (at least in my current installed system), it is possible to add a new user to the system, but that user's settings are defected. That user cannot use the start-menu at all, looks like an even more serious problem there.