1

We have a Windows Server 2019 operating system image with a set of local AppLocker rules defined for the server itself. We are observing that AppLocker is not enforcing any of the rules when we open applications on the server.

We have checked/attempted the following:-

  • The Application Identity Service has been set to auto startup and is running
  • Set the rule groups to use Audit mode (nothing being logged in the Windows event viewer)
  • Tweaked/reset the rules to no avail (gpupdate being run after every change)
  • The same XML policy file has been applied to a vanilla Windows Server 2019 installed in a virtual machine where it behaved as expected

Our Windows Server 2019 operating system image is deployed with a number of Group Policy settings so that it is hardened. There is the possibility that one of these could be interacting with AppLocker, but I cannot seem to find any info on which ones could be of interest.

2 Answers

1

For AppLocker to work it needs a service called Application Identity (id = AppIDSvc), so just open the services window and search for "Application Identity" > Properties > then make sure that the service is running. Probably yours is disabled so activate it.

Another important thing is that the "Application Identity" is set to manual start so switch it to auto. Sometimes changing some rules on the process window will be blocked (I don't know why, even if I use the admin account with all the admin privileges it still blocks me from editing some process settings like switching the start mode to auto), so here is what you need to do to fix that as well:

1 - open cmd

2 - type the command >

sc config "AppIDSvc" start= auto
Dave M
  • 4,494
0

For diagnosis, open PowerShell and use Test-AppLockerPolicy
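
A fuller diagnostic pass along the lines of the answers above, as an added example that is not part of either answer: it checks the AppIDSvc service, compares the local rule collections with the effective (local plus Group Policy) ones, tests one file against the effective policy, and reads recent AppLocker events. `$testPath` and the helper `Get-RuleSummary` are assumptions made for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the affected server.
# $testPath is an assumed sample binary; substitute one your rules should match.
$testPath = "$env:SystemRoot\System32\notepad.exe"

# 1. Application Identity service: AppLocker evaluates nothing unless it is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 2. Summarise each rule collection of a policy XML (hypothetical helper).
function Get-RuleSummary {
    param(
        [Parameter(Mandatory)][string]$PolicyXml,
        [Parameter(Mandatory)][string]$Source
    )
    $doc = [xml]$PolicyXml
    foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $rc.Type
            Source          = $Source
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = @($rc.ChildNodes |
                                Where-Object { $_.NodeType -eq 'Element' }).Count
        }
    }
}

# Local = rules defined on this machine; Effective = local merged with any GPO rules.
# A collection that is Enabled/AuditOnly locally but NotConfigured or empty in the
# effective policy means the policy you edited is not the one being applied.
$summary  = @(Get-RuleSummary -PolicyXml (Get-AppLockerPolicy -Local -Xml) -Source 'Local')
$summary += @(Get-RuleSummary -PolicyXml (Get-AppLockerPolicy -Effective -Xml) -Source 'Effective')
$summary | Sort-Object Collection, Source | Format-Table -AutoSize

# 3. Ask AppLocker what it would decide for one file under the effective policy.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $testPath -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 4. Recent AppLocker events: 8001 = policy applied, 8002 = allowed,
#    8003 = allowed but would be blocked (audit), 8004 = blocked.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
$events = Get-WinEvent -LogName $log -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    Write-Output "No events in '$log': the policy is not being evaluated at all."
}
```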