At this point, you should have a list of AppLocker rules that you’re ready to test. Part 3 of this AppLocker guide shows you how.

Go back into your GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker. Right-click on AppLocker and choose Properties. Check the box next to Configured for each area of AppLocker that you’ll be testing and change the pull-down to Audit only. This will log all of the rule results to the Event Log without actually blocking any applications.

AppLocker - Properties Audit

AppLocker - Properties Audit

I like to keep my AppLocker rules in a dedicated GPO. If you’re setting up AppLocker the same way, you can now link your GPO to an OU for testing. At this point, I haven’t configured what to do with the Application Identity Service (AppIDSvc). When I tested initially, I applied the GPO to a few volunteers’ computers (with the rules in Audit mode) and manually started AppIDSvc remotely and left the Startup type as Manual. I asked the users to let me know if they rebooted their computers so I could also restart AppIDSvc. With the rules in Audit mode, nothing should be blocked. But why take anything to chance? Should a user have problems with AppLocker, simply rebooting will disable AppLocker.

Now, you wait. After a few days, you can check the Event Log to see what’s getting blocked. Microsoft has a dedicated area of the Event Log just for AppLocker that makes things easy. In the Event Viewer, go to Applications and Services Logs > Microsoft > Windows > AppLocker and you should see “EXE and DLL” and “MSI and Script.” You should be able to skim through these events and see Warnings where things would be blocked by AppLocker if the rules were not in Audit. On my test system, you’ll see that the user ATL\testuser ran Google Chrome that is installed in the user’s profile in AppData. Since I’m looking to block applications from users’ profiles, this is the expected behavior I’m looking for.

AppLocker - AppLocker Event Log Blocked App

AppLocker - AppLocker Event Log blocked app

After you’ve gotten comfortable with your rules, you can move on to enforcing them. First off, I still haven’t set the Application Identity Service (AppIDSvc) settings anywhere in Group Policy. The AppIDSvc service is disabled by default. By starting the service manually on the client computer, the end user has the fallback position of rebooting to disable AppLocker should the rules break something. Go back into the GPO and go to Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Policies, right-click on AppLocker, and choose Properties. Make sure Configured is still checked and change the pull-down to Enforce Rules. Since we’re testing the policy, you can run a quick gpupdate on the client to refresh the Group Policy.

AppLocker - AppLocker Enforce Rules

AppLocker - AppLocker Enforce Rules

Once you’ve made sure that AppIDSvc is running and still set to Manual, you’re back to waiting. The good news is that now your customer is going to see the block messages in addition to the entry you’ll see in the Event Log. The end user will be told that, “This program is blocked by group policy. For more information, contact your system administrator.”

AppLocker - End User Message for Blocked App

AppLocker - End user message for blocked app

Back in the Event Viewer, you’ll see that the Warnings are now Errors that AppLocker is enforcing rules.

AppLocker - Event Viewer Application Blocked

AppLocker - Event Viewer application blocked

You should now be at the point where you have a pretty good idea of what works and what doesn’t work for your AppLocker rules. In the next, and final, part of this series, I’ll discuss the best way to enable the Application Identity Service for your computers and some of the common issues I’ve seen during an AppLocker implementation.

2 Comments
  1. Roel 7 years ago

    2015-03-04 Checked out this article, liked it now and seeing this event 8008 in event log?
    Event ID: 8008

    appidsvc.dll: AppLocker component not available on this SKU.

    appid.sys: AppLocker component not available on this SKU.

    This means that you are not running Windows 8 enterprise. Sad but true
    Windows 7 home/pro/ent or windows 8 pro do not support Applocker.
    http://technet.microsoft.com/en-us/library/hh831440.aspx#BKMK_Diffs

    • Yes, AppLocker is only supported on the Enterprise SKU's. You have a slight error in your comment... Windows 7 Enterprise does support AppLocker.

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account