Windows 10 AppLocker Policies still affect after disabling the service

Pirate,

from time to time I consult customers in the configuration of Windows 10 AppLocker. I really love AppLocker because it’s super simple, reliable and enterprise ready in terms of administrative overhead. Furthermore it’s the recommended tool for the configuration of unwanted / not needed apps within Windows 10. But sometimes AppLocker kind of “breaks” my Windows 10 start menu and stops Apps from strarting up. Although the AppLocker enforcement is disabled.

 

 

This szenario happened very often to me because I handled AppLocker in the wrong way after my workshops. When I was done with the demo I just deleted the policies and disabled the service in one step which is the actual cause that AppLocker kind of breaks afterwars. The explanation can be found in the below TechNet article

Problem: AppLocker Rules Still Enforced After the Service is Stopped

But what can we do? There are several ways that can resolve this issue.

 

Option 1: Create Default Rules

When you enforce AppLocker to run but don’t want anything to be restricted yet you will probably start whith this step anyway. So click on each of the categories “Executable Rules”, “Windows installer Rules”, “Script Rules”, “Packaged app Rules” and “Create Default Rules”.

 

COMPUTER > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules

 

Right-click and choose Create Default Rules.
That allows Everyone to run All signed packaged apps.

 

 

After that configure AppLocker policies to be enforced and restart the computer.

 

 

After reboot open up services.msc search for “Application Identity” service and make sure it’s in “running” -state.

 

 

There is a chance that this has fixed your client.

 

Option 2: DISM – Restore Health

It has never fixed the problem for me, but some of my collegues told me, that another way is to use DISM with the parametes /Cleanup-Image and /RestoreHealth so open an elevated PowerShell console and type in:

 

DISM /Online /Cleanup-Image /RestoreHealth

This will scan the image to check for corruption (further information can be found here). Depending on the size and performance of the machine this can take very long. Afterwads you need to do a reboot.

 

 

Option 3: Clean up AppLocker Directory and delete AppLocker rules:

This szenario is the most effective one but be careful it will delete all your previously created AppLocker rules!

First you need to stop the enforcement of AppLocker Policies by unchecking the “Configured” option:

 

 

Then reboot the Computer.

After the reboot open up Local Securtiy Policy again. Navigate to AppLocker, right-click and “Clear Policy”. Then again reboot the machine.

Afterwards we will use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter to clear what is still remaining. Open a Notepad and paste the below:

 

<AppLockerPolicy Version="1">

<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />

<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />

<RuleCollection Type="Script" EnforcementMode="NotConfigured" />

<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />

</AppLockerPolicy>

 

Save the file as “clear.xml” in a directory (for example C:\temp).

Then open PowerShell with elevated rights and navigate to C:\temp

Import the AppLocker PoSh module with the below command:

import-module AppLocker

 

And execute the Set-App Locker Policy command to clean everything up.

Set-AppLockerPolicy -XMLPolicy .\clear.xml

 

Reboot the machine.

Afterwards let’s say in 90% of the scenarios the machine will work as before AppLocker was enabled. In some very though circumstances where this didn’t resolve the issue I had to clean up the AppLocker directory manually.

Navigate to the directory:

%windir%\System32\AppLocker\

Delete everything (AppCahce.dat will not be deleted as it is in use):

Rerun the above PowerShell cleanup and reboot the machine.

 

Additional information can be found on TechNet: Delete an AppLocker rule

Hope that helps.

 

Sail ho!

*Cpt

  1. the last solution works perfect for me. Thanks

    Reply
  2. Wow, I thought I had completely hosed my machine — I was testing Applocker a few months ago, and recently removed and readded my computer to the domain and suddenly couldn’t run certain programs like calc.exe and Windows Defender. I did all the steps and the last step worked for me as well.

    Reply
  3. Thank you very much. Youve saved my… day 😉
    The applocker seems to be a nice idea, but it is SO broken.
    My client wanted to limit the user access only to a ERP app, so I did some testing with Applocker, but it messed up the newly installed system so badly. The rules weren cleaned and they were applied even after deleting.
    BAD BAD microsoft here…

    Reply
  4. How to deactivate AppLocker in my computer windows10

    Reply
    • You can clear all policies

      Reply
  5. You pretty much saved my complete environment. I accidentally remove the default application rules from my domain wide AppLocker policy…
    So ALL programs stopped working after updating the policy. Including such programs as shutdown gpupdate and such. Deleting the contents of the applocker folder let me repair those clients which restarted before windows pulled the new policy which included the default rules.

    So thanks!

    Reply
  6. Thanks, you saved me also, the last step of clearing out the applocker folder was required so that I didn’t get stuck with a black screen. Many thanks.

    Reply
  7. Guys … I tried writing a script to disabled the applocker through command prompt but it failed … If we can remove this , it’s so much more easier ^^

    Reply
  8. Holy **** after ripping my hair out for hours, deleting the files from %windir%\System32\AppLocker\ finally fixed my issue. If you ever go from rules defined in GPO applied to the wrong machine, and then fix the GPO rule to exclude that machine, no amount of hackery ever gets it back apparrently!

    Reply
  9. Thank you! Option 3 got me back to normal. I won’t touch AppLocker again.

    Reply
  10. Option 2 DISM – Restore Health worked like a charm. Thank you 🙂

    Reply
  11. #3 fixed it for me…. extremely weird that AppLocker worked even without AppIDSvc running in the background….

    Reply
  12. man, you are great! your solutions helped. thanks a lot!

    Reply
  13. Damn, thank you so much for this post. This saved my day! I enabled applocker on Windows 11 not realizing it was a whitelist tool. I initially enabled the default policies, but realized it wasn’t doing what I expected. Machine rebooted at some point and my taskbar, windows search, and start menu were trashed. Took a bit of digging to figure out it was the app locker policies. Deleting the files from the system32\applocker folder ended up fixing it for me.

    Thank you again!!!

    Reply
  14. Its the packaged apps part of Applocker that causes this.

    Just having the Applocker GPO enabled and applied, despite nothing inside it being enforced or turned on, was enough to break Windows 10 start menu apps on the client machine.

    I think this was caused by a previous applocker GPO having been deleted outright, instead of being disabled first.

    Either way, the solution I found was to create default rules in ‘packaged app rules’ and then configure/enforce packaged app rules.

    But this was to fix a client machine on a local domain. Running applocker directly on Win10 may be different.

    Reply
  15. Option 3 got me back, I love you, GOD it wanted to ruin my day 🙂

    Reply
  16. The third option fixed the problem but after deleting the files inside Windows\System32\AppLocker and re-run the clear powershell, just to mention that I had this problem in windows 11 (after upgrading from windows 10), Thank you so much for your help.

    Reply
  17. thanks this worked but i recommend everyone perform every step. i stopped short of the final step of deleting the files in the system32 directory because it looked like windows was behaving again (the fundamental issues were fixed anyway like start menu etc) but a couple days later i tried to run a tool in my PATH in cmd and i got a group policy block alert! so i came back here and did the final step and now everything seems fine

    Reply

Submit a comment on “Windows 10 AppLocker Policies still affect after disabling the service”

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© 2022 IT-Pirate