Windows 10: AppLocker GPOs marked as applied but Rules are not enforced

Hi Community,


We have been experiencing a problem with AppLocker GPOs in a Windows 10 Environment.

The Domain functionality level is: Server 2012R2

Domain Controllers are running: Windows Server 2016

Workstations are running: Windows 10 Enterprise Build 17134


We have 2 GPOs; one containing DLL AppLocker Rules and one containing EXE, Script, Appx etc.. Rules.


When running a gpupdate /force on an affected workstation and getting the gpresult the GPOs appear to be applied and are marked as winning however the contents of C:\Windows\system32\Applocker files are not being updated and recent rules added to both GPOs are not being applied. i.e. a new application which has been whitelisted will not run for the user albeit being specified in the applied GPO.


Can someone please shed some light into this issue?


Help is highly appreciated!


Kind regards,


Jason

:)

 

Start menu/ms-settings not working Windows 10

Yes I can see that, but I'm running Windows 10 Home edition.

To terminate AppLocker rule enforcement

• 
  Backup the Group Policy Object (GPO) that contains the currently applied AppLocker rules.
  
• 
  Delete all the AppLocker rules on that GPO. For steps how to do this, see the topics in
  
  AppLocker Policy Procedures.
  
• 
  Push out the GPO that now contains the empty AppLocker policy to the affected client computers. For steps how to do this, see
  
  Refresh an AppLocker Policy.
  
• 
  Disable the AppLocker service (appidsvc) on all the affected client computers. Optionally, you can restart the service. For steps how to do this, see
  
  Configure the Application Identity Service. Alternatively, you can disable the AppLocker service using Group Policy instead of locally.
  
• 
  Optionally, if you want to update the computers with another set of AppLocker rules (and the service has been enabled), you force a Group Policy update for the revised AppLocker policy. For steps how to do this, see
  
  Refresh an AppLocker Policy.
  

There is no Group policy object editor available here. Also
AppIDSvc is stopped and can't be manually started. Error: "The operation could not be completed. The dependency service or group failed to start" due to fact, that AppLocker is not available in Home and Pro edition.

So why is it blocking the reinstallation, I don't know?

 

Applocker not blocking -- Win10Pro, Applocker configured, AppIDsvc run

• OS: Win10Pro
• Applocker: configured blocking of apps and executables
• Applocker rules: set to enforcing
• Service: AppIDSvc is running

I've been trying to get Edge and a couple other utilities blocked on the laptop to keep distractions to a minimum for my child who uses the computer to study.
However, even after rules are defined, and they are set to enforcing as blocked, the apps and executables are still available to them -- even after a reboot.

I have followed the instructions here: https://social.technet.microsoft.com...10itprogeneral
However, there is still no blocking of the apps or the executables.
Thank you for your consideration.

 

AppLocker FileHash

Hi All,

I have an issue which I can't find a proper solution for. I'm using AppLocker in an environment which also contains a SIEM solution. What I want to forward to the SIEM solution is 'blocked applications by AppLocker'. The issue is that I don't have enough
information from the standard events. There's a filename, location etc. but what I really would like is a hash of the file which is blocked. So if mimikatz is renamed to client.exe and run in C:\Temp I can use the hash to see if it's malicious.

There's an "audit-mode" option in AppLocker which logs the fileHash, but then it doesn't block the application since it's auditing only. I can't create two GPO's which one GPO is set to enforced and the other to audit, because enforced takes precedence over
the audit and no audit gets logged.

How do I get the hash of the file and AppLocker to work at the same time?

I know the "fileHash" property in AppLocker is an Authenticode Hash of the file and I can't get my head around why Microsoft doesn't log a SHA hash for every blocked application.

With kind regards,