Windows 10 AppLocker Policies still affect after disabling the service

Pirate,

from time to time I consult customers on the configuration of Windows 10 AppLocker. I really love AppLocker because it’s super simple, reliable and enterprise-ready in terms of administrative overhead. Furthermore, it’s the recommended tool for the configuration of unwanted / unneeded apps within Windows 10. But sometimes AppLocker kind of “breaks” my Windows 10 Start menu and stops apps from starting up, although the AppLocker enforcement is disabled.

 

 

This scenario happened very often to me because I handled AppLocker in the wrong way after my workshops. When I was done with the demo, I just deleted the policies and disabled the service in one step, which is the actual cause that AppLocker kind of breaks afterwards. The explanation can be found in the TechNet article below:

Problem: AppLocker Rules Still Enforced After the Service is Stopped

But what can we do? There are several ways that can resolve this issue.

 

Option 1: Create Default Rules

When you enforce AppLocker but don’t want anything to be restricted yet, you will probably start with this step anyway. So click on each of the categories “Executable Rules”, “Windows Installer Rules”, “Script Rules” and “Packaged app Rules” and choose “Create Default Rules”.

 

COMPUTER > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules

 

Right-click and choose Create Default Rules.
That allows Everyone to run All signed packaged apps.

 

 

After that configure AppLocker policies to be enforced and restart the computer.

 

 

After the reboot, open services.msc, search for the “Application Identity” service and make sure it’s in the “Running” state.

 

 

There is a chance that this has fixed your client.

 

Option 2: DISM – Restore Health

It has never fixed the problem for me, but some of my colleagues told me that another way is to use DISM with the parameters /Cleanup-Image and /RestoreHealth. So open an elevated PowerShell console and type in:

 

DISM /Online /Cleanup-Image /RestoreHealth

This will scan the image to check for corruption (further information can be found here). Depending on the size and performance of the machine, this can take very long. Afterwards you need to reboot.

 

 

Option 3: Clean up AppLocker Directory and delete AppLocker rules:

This scenario is the most effective one, but be careful: it will delete all your previously created AppLocker rules!

First you need to stop the enforcement of AppLocker Policies by unchecking the “Configured” option:

 

 

Then reboot the Computer.

After the reboot, open Local Security Policy again. Navigate to AppLocker, right-click and choose “Clear Policy”. Then reboot the machine again.

Afterwards we will use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter to clear what is still remaining. Open Notepad and paste the below:

 

<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>

 

Save the file as “clear.xml” in a directory (for example C:\temp).

Then open PowerShell with elevated rights and navigate to C:\temp

Import the AppLocker PoSh module with the below command:

import-module AppLocker

 

And execute the Set-AppLockerPolicy command to clean everything up.

Set-AppLockerPolicy -XMLPolicy .\clear.xml

 

Reboot the machine.

Afterwards, let’s say in 90% of the scenarios, the machine will work as before AppLocker was enabled. In some very tough circumstances where this didn’t resolve the issue, I had to clean up the AppLocker directory manually.

Navigate to the directory:

%windir%\System32\AppLocker\

Delete everything (AppCache.dat will not be deleted as it is in use):

Rerun the above PowerShell cleanup and reboot the machine.
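
A read-only check for the condition this post describes, as an added example that is not part of the original post: it reads the effective policy XML, the state of the Application Identity service (service name AppIDSvc) and the contents of the AppLocker directory. The function name Get-AppLockerResidue and its output fields are hypothetical, chosen for this illustration.

```powershell
# Added example: report AppLocker state so leftover rules are visible.
# Run in an elevated PowerShell console before and after the cleanup.
function Get-AppLockerResidue {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $PolicyXml,      # from Get-AppLockerPolicy -Xml
        [Parameter(Mandatory)] [string] $ServiceStatus,  # Application Identity service state
        [string[]] $DirectoryFiles = @()                 # file names in the AppLocker directory
    )
    $doc = [xml]$PolicyXml
    # One summary row per <RuleCollection> (Exe, Msi, Script, Dll, Appx).
    $collections = @(foreach ($rc in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        [pscustomobject]@{
            Type            = $rc.GetAttribute('Type')
            EnforcementMode = $rc.GetAttribute('EnforcementMode')
            # Rule elements are FilePublisherRule, FilePathRule and FileHashRule.
            RuleCount       = @($rc.ChildNodes | Where-Object { $_.LocalName -like '*Rule' }).Count
        }
    })
    $configured = @($collections | Where-Object {
        $_.EnforcementMode -ne 'NotConfigured' -or $_.RuleCount -gt 0
    })
    [pscustomobject]@{
        ServiceStatus           = $ServiceStatus
        Collections             = $collections
        # The situation from this post: service stopped while rules are still defined.
        RulesRemainWhileStopped = ($ServiceStatus -ne 'Running') -and ($configured.Count -gt 0)
        # AppCache.dat is expected to stay (it is in use); list anything else.
        LeftoverFiles           = @($DirectoryFiles | Where-Object { $_ -ne 'AppCache.dat' })
    }
}

# Gather the live state of this machine.
$svc   = Get-Service -Name AppIDSvc
$dir   = Join-Path $env:windir 'System32\AppLocker'
$files = @(Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name)

$report = Get-AppLockerResidue -PolicyXml (Get-AppLockerPolicy -Effective -Xml) `
                               -ServiceStatus $svc.Status -DirectoryFiles $files
$report.Collections | Format-Table -AutoSize
$report | Format-List ServiceStatus, RulesRemainWhileStopped, LeftoverFiles
```

After a successful cleanup every collection should show NotConfigured with a rule count of 0, and LeftoverFiles should be empty.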

 

Additional information can be found on TechNet: Delete an AppLocker rule

Hope that helps.

 

Sail ho!

*Cpt

  1. the last solution works perfect for me. Thanks

  2. Wow, I thought I had completely hosed my machine — I was testing Applocker a few months ago, and recently removed and readded my computer to the domain and suddenly couldn’t run certain programs like calc.exe and Windows Defender. I did all the steps and the last step worked for me as well.

  3. Thank you very much. You’ve saved my… day 😉
    The applocker seems to be a nice idea, but it is SO broken.
    My client wanted to limit the user access only to an ERP app, so I did some testing with Applocker, but it messed up the newly installed system so badly. The rules weren’t cleaned and they were applied even after deleting.
    BAD BAD microsoft here…

  4. How to deactivate AppLocker in my computer windows10

    • You can clear all policies



© 2017 IT-Pirate