
Problem: Users can run an application or other executable file that they should not be able to run

Updated: November 9, 2009

Applies To: Windows 7, Windows Server 2008 R2

This topic describes how to remedy the problem when users are able to run applications that AppLocker was supposed to block.

Verify that there is not an allow rule that specifically allows the application to run. You can export the AppLocker rules to an XML file or use an AppLocker PowerShell cmdlet to review the existing rules. If there is a rule that allows the application, you must edit it or delete it.

  1. Find the rule

    Use either of the following methods to find the rule that you need to modify:

    • Export AppLocker rules to an XML file

      When the policy with all the rules is listed in the XML file, use a text editor to search for the application or rule name. To perform the export procedure, see Export an AppLocker Policy to an XML File.

    • Use the Test-AppLockerPolicy cmdlet to find the rule for the application

      The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of files is allowed to run on the local computer for a specific user. To perform this procedure, see Test an AppLocker Policy by Using Test-AppLockerPolicy.

  2. Modify the rule

    • Edit the rule. How you edit the rule depends on the rule collection type. For information about how to perform these procedures, see Edit AppLocker Rules.

    • Delete the rule. For information about how to perform this procedure, see Delete an AppLocker Rule.

Verify that there is not an exception in a rule with a deny action that allows the application to run. For instructions to locate the rule exception and edit the rule, see There is an allow action on the rule that allows the application to run.

The Application Identity service is not configured to run by default in Windows. You can use Group Policy to set the properties of the service, which ensures that the service is always running on client computers.

For information about how to start the Application Identity service, see Configure the Application Identity Service.

If the enforcement mode is not configured, AppLocker enforces rules by default. You can also manually configure enforcement to either enforce rules or audit rules.

For information about how to configure enforcement for rule collections, see Enforce AppLocker Rules. For information about how to configure the enforcement setting for a Group Policy object (GPO), see Configure an AppLocker Policy for Enforce Rules.

When an AppLocker rule has been changed and you need to force a policy refresh by using Group Policy, you can use the gpupdate command. For information about how to perform this procedure, see Refresh an AppLocker Policy.
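The checks described in this topic can be run together from an elevated Windows PowerShell prompt. The following script is an added example, not part of the original Microsoft topic; the file path and user account are constructed placeholders, and the variable names are illustrative.

```powershell
# Constructed placeholders: replace with the file and account under investigation.
$TargetPath = 'C:\Tools\example.exe'
$TargetUser = 'CONTOSO\exampleuser'

Import-Module AppLocker

# 1. Ask AppLocker which rule decides the outcome for this user and file.
$policy = Get-AppLockerPolicy -Effective
$result = Test-AppLockerPolicy -PolicyObject $policy -Path $TargetPath -User $TargetUser
$result | Format-List FilePath, PolicyDecision, MatchingRule

# 2. Load the effective policy as XML so the rules can be searched.
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
$collections = $xml.AppLockerPolicy.RuleCollection

# Enforcement mode per rule collection (NotConfigured is enforced by default).
$collections | Select-Object Type, EnforcementMode | Format-Table -AutoSize

# Flatten every rule element (path, publisher and hash rules) into one list.
$rules = foreach ($c in $collections) {
    $c.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }
}

# Show the full definition of the rule that matched in step 1, if any.
if ($result.MatchingRule) {
    $rules | Where-Object { $_.Name -eq $result.MatchingRule } |
        Select-Object Name, Id, Action, UserOrGroupSid, Description
}

# Deny rules that carry exceptions: an exception can let the file through.
$rules | Where-Object { $_.Action -eq 'Deny' -and $_.SelectSingleNode('Exceptions/*') } |
    Select-Object Name, Id, UserOrGroupSid

# 3. AppLocker cannot evaluate rules unless the Application Identity service runs.
Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'" |
    Select-Object Name, State, StartMode

# 4. After editing or deleting a rule in the GPO, refresh policy on the client.
gpupdate /force
```

Run step 1 again after the refresh to confirm that the matching rule and policy decision have changed.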
