Debugging on why the Intune AppLocker Device Configuration Policy failed to be enforced to enrolled Windows 10 Computers

AhDSuper 0

I am running an Intune managed network of Windows 10 computers. We have an initial APP Lockdown policy deployed by Custom OMA-URI Setting: We used the following XML file:

</Conditions>

</FilePathRule>

</Conditions>

</FilePublisherCondition>

</FilePublisherCondition>

</FilePublisherCondition>

</FilePublisherCondition>

</FilePublisherCondition>

</Exceptions>

</FilePathRule>

</RuleCollection> It works fine for this XML file.

However, we woud like to remove the blocking of CMD.exe from this policy. We then created another policy with this XML file but with the lines related to CMD.exe removed

</Conditions>

</FilePathRule>

</Conditions>

</FilePublisherCondition>

</FilePublisherCondition>

</FilePublisherCondition>

</FilePublisherCondition>

</Exceptions>

</FilePathRule>

</RuleCollection>

We have a test device prepared by removing from the previous old policy and applied with this newly revised Policy. After successful deployment, we have found out that the new policy have absolutely no effect on the test device.

It looks like now everything is not blocked for the test device. Have we missed anything? We just copied the old content to create the XML file in Notepad (in UTF-8 format) from the Intune Mangement GUI and deleted the several lines relatd to blocking the CMD.exe. Saved the revised XML file and used it to create the revised policy and applied to the test device. Anyone can help point us to some possible reasons why the revised policy does not work?

1 answer

Rudy Ooms 596 Reputation points MVP

2024-05-11T05:53:40.2733333+00:00

Hi... as i am mentioning here... the applocker configuration files should get deployed to your device

https://call4cloud.nl/2021/01/applocker-the-meltdown/

Can you spot them in the mdm applocker folder, are they the same as how you configured them?

DId you also opened the applocker event log, does that log mentions anything at all?

Did you also checked the application identity service? that service needs to be started (it should but i have seen issues in which it just wasn't started)

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service
Please sign in to rate this answer.
AhDSuper 0 Reputation points

2024-05-11T19:23:27.4566667+00:00

Thanks for your suggestion. So may be we should check them first in the folder:
c:\windows\system32\applocker\MDM.

When the new configuration policy had no effect on the test machine, we then tested by applying back the old policy to the test machine and immediately we have found the old policy exercises the control on the test machine again. ( So the application identity service should be running)

So we didn't understand why the new policy did not work.. After reading your blog
https://call4cloud.nl/2021/01/applocker-the-meltdown/

we now supsect that there must be something like duplicated entires under the MDM folder in the above file path. It is because the test machine has been applied with the old Applocker configuration policy. We just took it out of the old policy and reapplied with the new one. What if the old polciy entries still exisit under the MDM folder? Would there be the conflict?

We have to wait two weeks before we go again to our customer site to check with the test machine. Will revert with our findings.

But if there is really duplicated entries under the MDM folder, could we consider this is the bug of Intune?
Sign in to comment

Share via

Debugging on why the Intune AppLocker Device Configuration Policy failed to be enforced to enrolled Windows 10 Computers

1 answer