Why is AppLocker blocking an allowed EXE file?

Asked By CuriousCat42 On

Hey everyone! I'm currently rolling out AppLocker and it's mostly functioning well, except for an issue I've stumbled upon. I have a particular exe file that's being blocked even though I have an Allow rule set up for it. To clarify:

- My rule allows execution for the Publisher and applies to Everyone, with no exceptions.
- There are no Deny rules in place that could be overriding this Allow rule.
- I verified that the correct Group Policy, including the AppLocker policy, was deployed to my machine using gpresult.
- Other exe files from the same Publisher work fine, even from the same location in appdata/local.
- I've confirmed that the signature for both the blocked file and the allowed file matches using the "Get-AuthenticodeSignature" command in PowerShell.

It seems like there's something I'm overlooking, so I would appreciate any tips you might have! We have a bunch of Allow rules because, generally, only Administrators are allowed to execute files based on the Default rule. Thanks a lot!

2 Answers

Answered By TechWizard99 On

Have you checked the file properties of the blocked exe? Sometimes they can be blocked by Windows. Make sure to unblock it if it is!

Answered By DevGuruX On

It’s worth noting that some software comes with many EXEs. Just allowing one may not be sufficient. Ideally, you'd create a Publisher rule that permits all EXEs from that Publisher. Have you checked the Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker? It might shed some light on why it's being blocked.

CuriousCat42 -

I did set a Publisher Rule to allow all exe files, and I double-checked—both the working and non-working files share the exact same Publisher and signature. The Event Viewer noted: [Path/To/File] was prevented from running, with Event ID 8004, but no useful details in the specifics.
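One way to narrow this down, as an added example that is not part of the original thread: a Publisher condition matches on publisher name, product name, file name and file version, so the sketch below compares those fields for the two files, asks the effective policy which rule (if any) matches each one, and pulls the full 8004 events. Both file paths are placeholders to replace with the real ones.

```powershell
# Added example, not from the thread. Both paths are placeholders.
$blocked = 'C:\Users\<user>\AppData\Local\<vendor>\blocked.exe'
$allowed = 'C:\Users\<user>\AppData\Local\<vendor>\working.exe'

# 1. Show the fields a Publisher condition is evaluated against.
#    Two files with the same signing certificate can still differ in
#    product name, binary name or version, and a rule scoped below the
#    publisher level will then match one file and not the other.
foreach ($file in $blocked, $allowed) {
    $info = Get-AppLockerFileInformation -Path $file
    [pscustomobject]@{
        File          = $file
        PublisherName = $info.Publisher.PublisherName
        ProductName   = $info.Publisher.ProductName
        BinaryName    = $info.Publisher.BinaryName
        BinaryVersion = $info.Publisher.BinaryVersion
        # Mark-of-the-web stream, the "blocked by Windows" flag from the first answer
        HasZoneId     = [bool](Get-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    }
}

# 2. Evaluate both files against the policy actually in effect on this
#    machine. MatchingRule is empty when no Allow rule applies.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $blocked, $allowed -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 3. Read the recent "prevented from running" events (ID 8004) with their
#    full XML, which carries more fields than the rendered message.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8004
    } -MaxEvents 20 |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Message     = $_.Message
            EventXml    = $_.ToXml()
        }
    } | Format-List
```

Run it on the affected machine in the context where the block occurs; reading the AppLocker log may require an elevated session.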
