In the last installment of this tutorial series, I will give you some tips on deploying AppLocker.

Now that you’ve established your rules, tested them in Audit mode, and tested them in Enforce mode, you’re ready to deploy AppLocker to all of your computers. In your GPO, go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services and find the Application Identity Service. Double-click it, check Define this policy setting, and set the startup mode to Automatic. This matters because AppLocker rules are only evaluated while the Application Identity Service is running; with this setting in place, the service is configured to start automatically and is started at the next policy refresh.

AppLocker - Enable Application Identity Service in GPMC

I mentioned in a previous article that I like to keep my AppLocker settings in a separate GPO. There are two reasons I do it this way. First, if you need to disable AppLocker quickly, all you need to do is delete or disable the link; you never have to touch the rules themselves. One caveat: the effective policy on a computer is the merge of the local AppLocker policy and the applied domain policy, so any rules someone defined in a computer’s local security policy stay in effect after the GPO is unlinked.

The second reason is the Application Identity Service. I make sure that the setting which enables it lives in the same GPO as all of my AppLocker rules. That way, unlinking the GPO undoes both at the next policy refresh: the AppLocker rules are removed from the computer and the service’s startup type reverts to its default of Manual.

That’s it. You’re ready to link your new AppLocker GPO to computer OUs for deployment! Before you go linking the GPO, I highly recommend letting end users know about the change. You may be surprised by the number of users who have installed applications into non-standard locations, their profile, or USB drives.
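Once the GPO is linked, it is worth confirming on a client that everything described above actually arrived: the service is running, the merged policy contains the rule collections you expect with the enforcement mode you expect, and the AppLocker event log shows what is being blocked. The script below is an added example and not part of the original article or of AppLocker itself; it only uses built-in cmdlets (Get-CimInstance, Get-AppLockerPolicy, Get-WinEvent) and assumes it is run from an elevated PowerShell after a gpupdate.

```powershell
# Added example, not from the original article: verify on a client that the
# AppLocker GPO really landed. Run from an elevated PowerShell after gpupdate.

# 1. No Application Identity service, no AppLocker: the rules are simply not evaluated.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"
"AppIDSvc: state={0} startmode={1}" -f $svc.State, $svc.StartMode

# 2. The effective policy is the local policy merged with every applied GPO.
#    Count the rules per collection and show the enforcement mode of each.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rules = @($rc.ChildNodes | Where-Object { $_.LocalName -like 'File*Rule' })
    "{0,-8} enforcement={1,-13} rules={2}" -f $rc.Type, $rc.EnforcementMode, $rules.Count
}

# 3. What AppLocker actually did in the last 24 hours. Event 8004 = blocked,
#    8003 = would have been blocked in audit mode; both name the file and the user.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    $sid  = New-Object Security.Principal.SecurityIdentifier($data.TargetUser)
    try   { $user = $sid.Translate([Security.Principal.NTAccount]).Value }
    catch { $user = $data.TargetUser }   # unresolvable SID: keep the raw value
    [pscustomobject]@{
        Time = $_.TimeCreated
        Id   = $_.Id
        User = $user
        File = $data.FilePath
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If step 1 shows the service stopped or still set to Manual, nothing in steps 2 and 3 means anything yet; fix the service first. A collection that shows enforcement=AuditOnly on a machine you believe is enforcing is the classic sign that a different GPO with a different enforcement setting is winning the merge.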

Publisher digital signatures

Eventually, you’re going to be burned by a vendor’s digital signature. Some vendors are better than others about signing all of their executable files, and a Publisher rule can only allow a file that actually carries a valid signature from that publisher. You can’t fix a vendor’s build process, but you can inspect a product’s files for unsigned binaries and for the exact publisher strings before you write the rule, instead of finding out from the first deny event.

Some vendors also sign with more than one certificate. Citrix is a good example: one certificate is issued to “Citrix Systems, Inc.” and another to “Citrix Online.” The difference is that Citrix GoToMeeting is signed with the Citrix Online certificate and the parent company’s products with the other one. Because a Publisher rule matches on the certificate subject, a rule built from one of them does not cover files signed with the other; you need a rule for each.

AppLocker - Citrix Systems digital signature | AppLocker - Citrix Online (GoToMeeting) digital signature
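Both problems in this section, unsigned files and multiple signing certificates for one vendor, can be found before a rule goes out by walking the product’s install directory and grouping its files by signature status and signer. The script below is an added example and not part of the original article; the Citrix install path is an assumption for illustration, so point it at the directory of whatever product you are about to allow. It uses Get-AuthenticodeSignature, which reports the signer certificate’s subject; the built-in Get-AppLockerFileInformation cmdlet gives you the exact publisher string AppLocker matches on if you want that form instead.

```powershell
# Added example, not from the original article: list unsigned files and the
# distinct signers under a vendor's install directory before writing Publisher rules.
$Dir  = 'C:\Program Files (x86)\Citrix'     # assumed example path; change it
$Exts = '*.exe','*.dll','*.ocx','*.msi','*.ps1','*.vbs','*.js','*.bat','*.cmd'

# One signature object per file AppLocker would care about.
$sigs = Get-ChildItem -Path $Dir -Recurse -File -Include $Exts -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName }

# Anything that is not 'Valid' (NotSigned, HashMismatch, NotTrusted, ...) will
# never satisfy a Publisher rule on the client; plan a Hash or Path rule for it.
$notValid = @($sigs | Where-Object { $_.Status -ne 'Valid' })
"Files without a valid signature ({0}):" -f $notValid.Count
$notValid | ForEach-Object { "  {0,-16} {1}" -f $_.Status, $_.Path }

# One vendor, possibly several certificates: each distinct subject below
# needs its own Publisher rule (or a rule scoped to a common parent, if you
# accept that broader scope).
"Signers found:"
$sigs | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object { $_.SignerCertificate.Subject } |
    Sort-Object Count -Descending |
    ForEach-Object { "  {0,5}  {1}" -f $_.Count, $_.Name }
```

Run this on a machine that has the product installed exactly as your users will have it; installers that drop extra helper executables into the user profile or a temp directory are the ones that produce the surprises.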

Customize the block message (sort of)

One of my complaints about AppLocker is the message shown to the end user, and the biggest problem I have is the “contact your system administrator” part. It would be really nice if you could change the text to say whatever you want. Unfortunately, you can’t. You can, however, add a link to a web site on that dialog box. To do so, in your GPO go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer (File Explorer on newer Windows versions) > Set a support web page link. Set the policy to Enabled and enter your URL.

AppLocker - Support Site Policy

When a user has an application blocked, they’ll get the same error message, but will also be presented with a link they can visit to get more information.

AppLocker - Block Message with Link

Users with Admin Rights

AppLocker rules still apply to users with Admin rights just like any other user. The big difference is that a user with Admin rights can circumvent AppLocker pretty easily. All an Admin needs to do is create a local Path rule for the path * for ‘Everyone’; because the effective policy is the merge of local and domain rules, that one rule effectively disables AppLocker on the machine. Treat AppLocker as a control for standard users, not as a boundary against local administrators. If you’re still giving end users Admin rights, consider changing the practice.

UAC and default rules

I know I’ve already mentioned this, but because of the problems it has caused me, I feel the need to repeat it. Users with Admin rights will probably see deny messages if you only use the default rules. The default rule that allows all executables for BUILTIN\Administrators only matches an elevated token: under UAC, an administrator’s normal desktop token carries the Administrators group as a deny-only SID, so AppLocker does not treat that user as a member of BUILTIN\Administrators until they elevate. In practice, any Admin has to right-click and choose “Run as administrator” whenever they need that rule to apply. Where would this come up? Say you download an installer to C:\downloads. C:\downloads isn’t covered by the default rules for Program Files or Windows, so if you double-click the executable as an Admin without elevating, you get a deny message.

There are really only two ways around this. One is to make sure your people with Admin rights understand that they must elevate (Run as administrator) whenever they need their Admin rights. The other is to create a Path rule that uses * as the path and a group that you specify: essentially a duplicate of the ‘All files’ rule for BUILTIN\Administrators with the group changed. Be aware that this removes all AppLocker protection for that group, elevated or not. Do this very sparingly.
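The filtered-token behaviour behind this section is easy to see for yourself, and Test-AppLockerPolicy lets you check how the effective policy decides for a given file and identity without generating deny events. The script below is an added example, not from the original article: run it once from a normal PowerShell window and once from an elevated one as the same admin account, and watch the first two lines change. C:\downloads\setup.exe is an assumed example path; drop a real installer there, because Test-AppLockerPolicy reads the file to evaluate publisher and hash rules.

```powershell
# Added example, not from the original article. Shows why an admin who has not
# elevated still hits the deny: under UAC the unelevated token carries the
# Administrators group as a deny-only SID, so the "BUILTIN\Administrators: *"
# default rule never matches that token.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$adminsSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')

$isMember = $identity.Groups -contains $adminsSid   # in the group at all?
$elevated = $principal.IsInRole($adminRole)         # is the group usable in this token?

"Member of BUILTIN\Administrators : $isMember"
"Running elevated                 : $elevated"
if ($isMember -and -not $elevated) {
    "This token is UAC-filtered: the BUILTIN\Administrators allow rule will not apply."
}

# Evaluate the effective policy (local + GPO) for the same file as two identities.
# For the unelevated admin, the 'Everyone' line is the decision that actually applies.
$policy = Get-AppLockerPolicy -Effective
$target = 'C:\downloads\setup.exe'               # assumed example path
"{0,-24} {1,-16} {2}" -f 'User', 'Decision', 'Matching rule'
foreach ($user in 'Everyone', 'BUILTIN\Administrators') {
    $policy | Test-AppLockerPolicy -Path $target -User $user | ForEach-Object {
        "{0,-24} {1,-16} {2}" -f $user, $_.PolicyDecision, $_.MatchingRule
    }
}
```

With only the default rules in place you should see DeniedByDefault for Everyone and Allowed (matching the BUILTIN\Administrators rule) for the second identity, which is exactly the gap the unelevated admin falls into.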

I hope this series on AppLocker has been helpful to you!

1 Comment
  1. ron 4 years ago

    Good article. It works...

© 4sysops 2006 - 2021