Applocker Blocking Allowed Applications
Hello! We have begun deploying AppLocker across our network and so far everything has been stellar. However, a few users are complaining that they cannot use Office. Specifically Excel or Word. I have approved the publisher certificate for Microsoft and these users aren't being blocked on other applications that are allowed. The AppLocker logs DO report that the executable was blocked but for the life of me I cannot find a single reason WHY. I created a second rule in AppLocker to use File Hashes of the executables, updated the GPO on the affected systems and they were still blocked. If anyone has any ideas on what could possibly be the root of the problem or where I can begin digging to find the issue, it would be much appreciated.
April 29th, 2011 11:09pm

are there any rules with Deny action level?My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
Free Windows Admin Tool Kit Click here and download it now
April 30th, 2011 12:21am

No, all my rules are Allow.
May 2nd, 2011 8:26pm

You must ensure that there is no any group policy errors and check whether your rules are correct by using Test-ApplockerPolicy cmdlet (on the target machine).My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
Free Windows Admin Tool Kit Click here and download it now
May 2nd, 2011 9:54pm

This is the error we are running into, I ran "Test-ApplockerPolicy" in Powershell to see if there were any issues with any of the Office executables and did not receive an error. This only occurs with Excel and Word (so far). A user suggested that this might have been from opening documents/spreadsheets from the network instead of from their workstation, but I have other users who contradict this suggestion.
May 4th, 2011 9:53pm

DLL checking is enforced in your Applocker policy? My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
Free Windows Admin Tool Kit Click here and download it now
May 4th, 2011 10:13pm

It is, but I checked for DLLs as well and the powershell command returned no errors. The block showing in Event Viewer is WINWORD.exe
May 4th, 2011 10:27pm

can you export your policy and send me it via email — vpodans&sysadmins.lv?My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com
Free Windows Admin Tool Kit Click here and download it now
May 4th, 2011 10:54pm

I'm having the same issue. No DLL blocking, however. This is for both admins with supposedly no restrictions and with for those users with applocker policies applied. I see this mostly in Outlook 2010 attachments, but other users have reported the same issues retrieving Word and Excel files from the network. I just had to disable the AppLocker service in the GPO and reboot (twice) to prevent AppLocker from applying. Interested if anything specific comes out of this thread so I can try again! I ran the Test-ApplockerPolicy command as suggested above and the results looked fine. Windows 7 SP1 and non-SP1/64-bit; Outlook 2010.
May 18th, 2011 12:01am

check this link http://mabdelhamid.wordpress.com/2011/10/23/how-to-configure-applocker-group-policy-to-prevent-software-from-running/Mohamed Abd Elhamid Abd Elaziz Microsoft System Administrator Abdul Samad Al Qurashi Co. My blog: http://Mabdelhamid.wordpress.com/
Free Windows Admin Tool Kit Click here and download it now
October 24th, 2011 5:22am

Are you scoping the applocker rules to "everyone" or "authenticated users"? I've noticed, specifically and only with office 2010 sp1 thus far, that for certain functions of Office to work you must scope the rule to "everyone", authenticated users just doesn't cut it. That is to say, you can re-scope your Signed by MSFT rule to everyone or create a second rule for just the Office path that is set to Everyone. I did the latter as we try to use authenticated users for all of our rules. See this post: http://social.technet.microsoft.com/Forums/en-US/appvclients/thread/04948f57-7cd3-4d41-9da7-a0c7b98c7cca/ There is a hotfix, but I havent tried it yet and I personally don't think the hotfix is related to the problem.
December 8th, 2011 11:08am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics