From time to time I consult customers on the configuration of Windows 10 AppLocker. I really love AppLocker because it’s super simple, reliable and enterprise ready in terms of administrative overhead. Furthermore it’s the recommended tool for blocking unwanted / not needed apps within Windows 10. But sometimes AppLocker kind of “breaks” my Windows 10 start menu and stops apps from starting up, although AppLocker enforcement is disabled.
This scenario happened very often to me because I handled AppLocker in the wrong way after my workshops. When I was done with the demo I just deleted the policies and disabled the service in one step, which is the actual cause of AppLocker kind of breaking afterwards. The explanation can be found in the TechNet article below.
But what can we do? There are several ways that can resolve this issue.
Option 1: Create Default Rules
When you enforce AppLocker to run but don’t want anything to be restricted yet, you will probably start with this step anyway. So click on each of the categories “Executable Rules”, “Windows Installer Rules”, “Script Rules” and “Packaged app Rules” and choose “Create Default Rules”.
COMPUTER > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules
Right-click and choose Create Default Rules.
That allows Everyone to run All signed packaged apps.
After that configure AppLocker policies to be enforced and restart the computer.
After the reboot open up services.msc, search for the “Application Identity” service and make sure it is in the “Running” state.
There is a chance that this has fixed your client.
Option 2: DISM – Restore Health
It has never fixed the problem for me, but some of my colleagues told me that another way is to use DISM with the parameters /Cleanup-Image and /RestoreHealth, so open an elevated PowerShell console and type in:
DISM /Online /Cleanup-Image /RestoreHealth
This will scan the image for corruption (further information can be found here). Depending on the size and performance of the machine this can take very long. Afterwards you need to reboot.
Option 3: Clean up AppLocker Directory and delete AppLocker rules:
This scenario is the most effective one, but be careful: it will delete all your previously created AppLocker rules!
First you need to stop the enforcement of AppLocker Policies by unchecking the “Configured” option:
Then reboot the Computer.
After the reboot open up Local Security Policy again. Navigate to AppLocker, right-click and choose “Clear Policy”. Then reboot the machine again.
Afterwards we will use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter to clear what is still remaining. Open Notepad and paste the below:
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
Save the file as “clear.xml” in a directory (for example C:\temp).
Then open PowerShell with elevated rights and navigate to C:\temp
Import the AppLocker PoSh module with the below command:
And execute the Set-AppLockerPolicy command to clean everything up:
Set-AppLockerPolicy -XMLPolicy .\clear.xml
Reboot the machine.
Afterwards, let’s say in 90% of the scenarios, the machine will work as it did before AppLocker was enabled. In some very tough circumstances where this didn’t resolve the issue I had to clean up the AppLocker directory manually.
Navigate to the directory:
Delete everything (AppCache.dat will not be deleted as it is in use):
Rerun the above PowerShell cleanup and reboot the machine.
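The PowerShell part of Option 3 as one script with a verification pass at the end, added here as an example and not taken from the original post. It assumes C:\temp as the policy directory and that the AppLocker module is available (it ships with Windows 10); run it from an elevated PowerShell console.

```powershell
# Added example (not from the original post): scripted version of the
# Option 3 PowerShell step, followed by a check that it actually took effect.
# Assumed: C:\temp is writable; run from an elevated PowerShell console.
$policyDir  = 'C:\temp'
$policyPath = Join-Path $policyDir 'clear.xml'

# The same "clear" policy as above: every rule collection set to NotConfigured.
$clearPolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Msi"    EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll"    EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
Set-Content -Path $policyPath -Value $clearPolicy -Encoding ASCII

# Load the AppLocker cmdlets and apply the clearing policy to the local machine.
Import-Module AppLocker
Set-AppLockerPolicy -XMLPolicy $policyPath

# Verify: read the local policy back and list any collection that is still
# enforcing or auditing. No "Still configured" lines means the clear worked.
$local    = Get-AppLockerPolicy -Local
$leftover = $local.RuleCollections |
    Where-Object { $_.EnforcementMode -ne 'NotConfigured' }
if ($leftover) {
    $leftover | ForEach-Object {
        'Still configured: {0} ({1})' -f $_.RuleCollectionType, $_.EnforcementMode
    }
} else {
    'All rule collections are NotConfigured'
}

# The Application Identity service (AppIDSvc) is what evaluates AppLocker
# rules; show its state so you know what the machine will do after the reboot.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
```

Reboot after the script finishes, as in the manual procedure; the service line only reports, it does not change the service.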
Additional information can be found on TechNet: Delete an AppLocker rule
Hope that helps.