jdbst56-3575 asked BrechtMo-4790 edited

AppLocker Randomly Blocking Microsoft Signed Applications on Windows 10 1909

We have implemented AppLocker whitelisting via GPO on Windows 10 Enterprise (currently 1909). We have experienced some instances where AppLocker will randomly block Microsoft applications that were signed by the Microsoft CA even though there is a publisher rule in place allowing these exes. Examples we have seen are Outlook.exe, iexplore.exe, excel.exe, etc. being blocked. When the random block occurs, it tends to only be one Microsoft application that is impacted even though all the exes are signed with the same certificate.

I had an end user call yesterday where Excel was blocked on her system. Outlook, PowerPoint, and Word were fine. The AppLocker logs showed that Excel was being blocked. Running Get-AppLockerPolicy -Effective | Test-ApplockerPolicy -Path "C:\Program Files (x86)\Microsoft Office\root\Office16\excel.exe" -User username returned that Excel was allowed based on the effective policy, yet it was being blocked. Doing a run-as on the application with an account that has a * bypass rule allows it to launch.

I ended up adding a path rule to the Office directory for the time being, but I would like to understand why certain signed Microsoft apps are being blocked despite having a publisher rule in place.


We are having a similar issue with teams.exe in the appdata folder. The executable is signed just fine, but it is blocked on one specific computer. But it seems like there are issues with Group Policy / domain connectivity on that computer which might cause AppLocker to play up.

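The manual check described in the question (event log says blocked, Test-AppLockerPolicy says allowed) can be run over every recent block event at once. The script below is an added example, not part of the original thread. It assumes a seven-day look-back, that the 8004 event payload exposes FilePath, TargetUser and Fqbn under UserData/RuleAndFileData, and uses a hypothetical helper named Resolve-AppLockerPath.

```powershell
# Added example: compare enforced AppLocker blocks with what the effective
# policy says should happen. Run elevated on the affected machine.
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$since   = (Get-Date).AddDays(-7)          # look-back window (assumption)
$policy  = Get-AppLockerPolicy -Effective

# AppLocker logs paths with its own variables; map them back to real paths.
# %PROGRAMFILES% covers both Program Files directories, so try each.
function Resolve-AppLockerPath([string]$Path) {   # hypothetical helper
    $map = [ordered]@{
        '%SYSTEM32%'     = @("$env:windir\System32", "$env:windir\SysWOW64")
        '%PROGRAMFILES%' = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
        '%WINDIR%'       = @($env:windir)
        '%OSDRIVE%'      = @($env:SystemDrive)
    }
    foreach ($var in $map.Keys) {
        if ($Path.StartsWith($var, [StringComparison]::OrdinalIgnoreCase)) {
            foreach ($root in $map[$var]) {
                $candidate = $root + $Path.Substring($var.Length)
                if (Test-Path -LiteralPath $candidate) { return $candidate }
            }
        }
    }
    return $Path
}

# Event ID 8004: file was prevented from running (enforce mode).
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue

$report = foreach ($evt in $events) {
    # Assumed payload layout: UserData/RuleAndFileData with FilePath, TargetUser, Fqbn.
    $data = ([xml]$evt.ToXml()).Event.UserData.RuleAndFileData
    $path = Resolve-AppLockerPath $data.FilePath
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $path -User $data.TargetUser
    $fileInfo = Get-AppLockerFileInformation -Path $path
    [pscustomobject]@{
        Time           = $evt.TimeCreated
        Path           = $path
        UserSid        = $data.TargetUser
        LoggedFqbn     = $data.Fqbn               # publisher recorded at block time
        CurrentFqbn    = "$($fileInfo.Publisher)" # publisher the file reports now
        PolicyDecision = $decision.PolicyDecision
        MatchingRule   = $decision.MatchingRule
    }
}

# Rows where the policy now says Allowed are the mismatches described in the question.
$report | Where-Object { $_.PolicyDecision -eq 'Allowed' } | Format-List
```

Comparing LoggedFqbn with CurrentFqbn in the output shows whether the publisher data recorded at block time matches what the file reports now.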

1 Answer

FanFan-MSFT answered

Hi,
Welcome to share here!
I would recommend you enable the gpsvc log to check more details about the GPO.
For how to use it, you can refer to:
https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/
It is not suggested to post the log here for security reasons.

If you still can't find the reason, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business

Best Regards,
