How to Troubleshoot AppLocker

AppLocker is a great new feature introduced in Windows 7 that allows IT Admins to prevent certain applications (e.g. Chrome) from running in their corporate environment. However, there are a number of steps and pre-requisites for this feature to work that seem to catch people out quite often. So below is a simple troubleshooting flow chart that should help you work through the common issues that come up when setting up an AppLocker rule in your environment.

Note: This workflow is a checklist for ensuring that your environment is configured correctly so that the AppLocker rules actually apply as they are configured.

[Flow chart: AppLocker troubleshooting workflow]

Rule Tip: It’s also worth mentioning to NEVER configure just a single Deny rule without the “Default Rules” also configured. AppLocker only runs what an Allow rule explicitly permits, so a lone Deny rule has the effect of blocking ALL programs and thus breaking your computer.
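As an added example that is not part of the original post, the following PowerShell script checks the items the checklist above covers on a client: that the Application Identity service is running, what the effective (local plus GPO) policy contains, whether any rule collection has Deny rules with no Allow rules (the Rule Tip case), and what the AppLocker event log has recorded recently. It assumes it is run from an elevated PowerShell prompt on the Windows 7 or later client where the rule should apply.

```powershell
# Added troubleshooting helper (not from the original post).
# Run in an elevated PowerShell session on the client being troubleshot.

# 1. No rule is evaluated unless the Application Identity service (AppIDSvc) is running.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); AppLocker rules are not enforced until it runs."
}

# 2. Read the effective policy (local + all applied GPOs merged) as XML.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $type = $rc.Type              # Exe, Msi, Script, Dll, ...
    $mode = $rc.EnforcementMode   # NotConfigured, AuditOnly or Enabled
    # FilePathRule, FilePublisherRule and FileHashRule all carry an Action attribute.
    $rules = @($rc.ChildNodes | Where-Object { $_.Action })
    $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })
    $deny  = @($rules | Where-Object { $_.Action -eq 'Deny' })

    "{0,-8} mode={1,-14} allow={2} deny={3}" -f $type, $mode, $allow.Count, $deny.Count

    # The Rule Tip case: Deny rules with no Allow (Default) rules block every file of that type.
    if ($deny.Count -gt 0 -and $allow.Count -eq 0) {
        Write-Warning "$type collection has Deny rules but no Allow rules: ALL $type files will be blocked. Add the Default Rules."
    }
}

# 3. Recent results: 8002 = allowed, 8003 = would have been blocked (AuditOnly), 8004 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the service is running, the policy shows the expected rules and no 8003/8004 events appear for the blocked program, the remaining suspect is Group Policy delivery to the client (check with gpresult /h).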

If you are looking for a more detailed step-by-step setup guide for AppLocker, then I would definitely recommend checking out my other blog post, How to configure AppLocker Group Policy in Windows 7 to block third-party browsers.

Do you have any other tips for troubleshooting AppLocker? Then post them below in the comments.

Author: Alan Burchill

Microsoft MVP (Group Policy)

7 thoughts on “How to Troubleshoot AppLocker”

  1. Alan, I’m happy with Applocker, and have it running on a pilot OU. One aspect that seems a little awkward is getting notifications of software that is blocked and then as an admin, being able to add a (publisher) rule for that software into the Applocker GP.

    It seems like the only way to do it is to (1) get a notification from the user (2) obtain a copy of the .exe (3) scan the exe in the Applocker Rule Editor and (4) create new rule.

    Is there a better way? For example, a way to have all Applocker Deny events forwarded to a central place, which would also contain details of the publisher so that new rules could be made more easily? It just seems a bit awkward at the moment.

  2. Got event in Applocker Eventlog id: 8000 – AppID policy conversion failed. Status: The requested operation was made in the context of a transaction that is no longer active.
    Users with weak accounts cannot log in, because %SYSTEM32%\USERINIT.EXE was prevented from running.
    Any hint on how to repair Applocker, please? The Application Identity service is running fine.

  3. I wonder if this is a good site to post an Applocker problem just in case there’s a simple solution. We’re using it for the first time; we have no prior experience. It’s configured on 2000+ servers. We are only using “8003” event-records to report violations. Example problem: we have a company policy to disallow Chrome to execute on servers regardless of whether it is installed. When it’s executed directly, the violation comes through correctly as an 8003 record. When it’s called from another program, or indirectly, it comes through as an 8002 record. Is there a simple XML configuration-line we’re missing that will trap indirect and direct executions?
