Problem: Users cannot run an application or other executable file that they should be able to run

Applies To: Windows 7, Windows Server 2008 R2

This topic describes steps to remedy the problem when users cannot run an application that they should be able to run on a computer that has had AppLocker policies applied.

Explanation

The AppLocker rules may be too restrictive, causing AppLocker to block the application. The possible causes are the following:

  • The rule collection does not include an allow rule for the application

  • The application is included in the list of exceptions for an allow rule

  • There is an explicit deny rule for the application

  • There is a deny rule in a GPO that is applied first

  • Office applications cannot open on a network share

Solution

The rule collection does not include an allow rule for the application

Verify that the rule collection includes a rule to allow the application to run. You can export the AppLocker rules to an XML file or use a Windows PowerShell cmdlet to review the existing rules. If you find a deny action that blocks the application, create a rule that allows the application to run.

To export AppLocker rules to an XML file

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

  2. In the console tree, expand Application Control Policies, right-click AppLocker, and then click Export Policy.

The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether the files in a specified list are denied from running on the local computer for a specific user.

To use the Test-AppLockerPolicy cmdlet

  1. If they are not already installed, install the AppLocker Windows PowerShell cmdlets. To do this, see Using the AppLocker Windows PowerShell Cmdlets.

  2. Click Start, type PowerShell in the Search programs and files box, and then press ENTER to open the Windows PowerShell window.

  3. At the Windows PowerShell prompt, type the following, and then press ENTER.

    Test-AppLockerPolicy -XMLPolicy policyfile.xml -Path EXEToTest.exe -User <Domain\UserAccount>
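The following is an added example, not part of the original topic, that carries the procedure above one step further: it exports the effective policy (the merge of local policy and every applied GPO, which is what the user actually gets) with Get-AppLockerPolicy instead of the console, tests several files at once, and reports only the files the policy would block. The file paths, the account name and the output file are assumptions.

```powershell
# Added example (not from the original topic): export the effective AppLocker
# policy and test a set of executables for one user, reporting only the files
# that the policy would block. Paths, user name and output file are assumptions.

# On Windows 7 / Windows Server 2008 R2 the cmdlets live in the AppLocker module.
Import-Module AppLocker

$policyFile  = Join-Path $env:TEMP 'effective-applocker.xml'   # assumed output path
$user        = 'CONTOSO\jdoe'                                   # assumed account
$filesToTest = @(
    'C:\Program Files\ContosoApp\ContosoApp.exe',               # assumed paths
    'C:\Program Files\ContosoApp\helper.exe'
)

# -Effective merges local policy and all applied GPOs; -Xml returns the policy
# as an XML string, equivalent to Export Policy in the console.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyFile -Encoding Unicode

# Only files that exist can be evaluated: publisher and hash rules need the file itself.
$existing = $filesToTest | Where-Object { Test-Path $_ }

# -Filter limits the output to the decisions of interest:
#   Denied          -> an explicit deny rule matched
#   DeniedByDefault -> no allow rule matched and the collection is enforced
$blocked = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $existing -User $user `
               -Filter Denied, DeniedByDefault

if (-not $blocked) {
    "No file in the list is blocked for $user."
}
else {
    # MatchingRule names the rule that produced the decision; it is empty for
    # the default deny, which is the 'no allow rule' case from the topic.
    $blocked | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize
}
```

A PolicyDecision of DeniedByDefault with an empty MatchingRule is the case this section describes: nothing in the collection allows the file, so an allow rule must be added. A PolicyDecision of Denied with a rule name points to an explicit deny rule, which is covered later in this topic.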

If no rule exists in the rule collection that allows the application to run, you must create one. For steps to create an AppLocker rule, see one of the following:

The application is included in the list of exceptions for an allow rule

Verify that there is not an allow rule that includes the application in the list of exceptions. You can export the AppLocker rules to an XML file or use an AppLocker cmdlet to review the existing rules.

  • To allow the application to run for all users, remove the application name from the list of exceptions. For the procedure to do this, see Configure Exceptions for an AppLocker Rule.

  • To allow the application to run for specific users, create a new allow action for the rule for those users. For the procedure to do this, see Edit AppLocker Rules.

For information about how to export AppLocker rules to an XML file, how to use the Test-AppLockerPolicy cmdlet, and how to create a new rule, see The rule collection does not include an allow rule for the application.

There is an explicit deny rule for the application

Check the event log to determine whether there is an explicit deny rule for the application or if there is no rule for the application. For information about the AppLocker logs, see View the AppLocker Log in Event Viewer. For information about viewing events by using Windows PowerShell, see Review AppLocker Events with Get-AppLockerFileInformation.
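As an added example that is not part of the original topic, the script below reads the AppLocker EXE and DLL log with Get-WinEvent and, for each block event that concerns a given executable, reports whether the block came from an explicit deny rule or from the default deny (no matching rule). The file path and time window are assumptions; the event IDs and the UserData layout are those of the AppLocker event log.

```powershell
# Added example (not from the original topic): inspect AppLocker block events for
# one executable and classify each block as an explicit deny rule or as the
# default deny (no rule matched). File path and time window are assumptions.

$targetFile = 'C:\Program Files\ContosoApp\ContosoApp.exe'   # assumed path
$since      = (Get-Date).AddDays(-1)                          # assumed window

# Event IDs in this log: 8002 = allowed, 8003 = would have been blocked
# (audit-only mode), 8004 = blocked (enforced).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

$leaf = Split-Path $targetFile -Leaf

foreach ($e in $events) {
    # The rule and file details are in the event's UserData block, so read the XML form.
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData

    # FilePath in the event is written with path variables (e.g. %PROGRAMFILES%\...),
    # so match on the file name rather than the full path.
    if ($d.FilePath -notlike "*\$leaf") { continue }

    # A RuleName of "-" (with an all-zero RuleId) means no rule matched at all:
    # the block is the collection's default deny, so an allow rule is missing.
    # Any other name is the explicit deny rule that fired.
    if ($d.RuleName -eq '-') { $cause = 'no matching rule (default deny)' }
    else                     { $cause = "explicit deny rule '$($d.RuleName)'" }

    # New-Object rather than [pscustomobject] so this runs on PowerShell 2.0 (Windows 7).
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 8004) { 'Enforced' } else { 'Audit' }
        UserSid = $d.TargetUser
        File    = $d.FilePath
        Cause   = $cause
    }
}

# The per-file summary the topic refers to, from the same log.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Denied -Statistics
```

If the output shows the default deny, the fix is the missing allow rule described earlier in this topic; if it names a deny rule, reevaluate that rule as described next. Events with ID 8003 mean the collection is in audit-only mode, so the user is not actually being blocked yet, but will be once enforcement is turned on.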

If there is a deny action on the rule that is preventing the program from running, reevaluate the rules in the rule collection. In most cases, you can use exceptions to prevent users from running an application or other executable file. For example, you can create a rule specifying that any file signed by Microsoft is allowed, except the Registry Editor. You can create a second rule to allow the Registry Editor for a select group of users, such as Helpdesk. For information about how to create an exception, see Configure Exceptions for an AppLocker Rule.
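The rule pair described in the paragraph above, written out as AppLocker policy XML and checked with Test-AppLockerPolicy, as an added example that is not part of the original topic. Rule 1 allows everything signed by Microsoft to Everyone but carves the Registry Editor out in an Exceptions element; rule 2 allows the Registry Editor to the Helpdesk group only, so no deny rule is needed. The rule GUIDs, the Helpdesk group SID, the account names and the output path are assumptions; the product and binary names for regedit.exe come from its signature and should be verified with Get-AppLockerFileInformation on your own system, as the block does first.

```powershell
# Added example (not from the original topic): "allow Microsoft-signed files except
# the Registry Editor, then allow the Registry Editor to Helpdesk" as policy XML,
# followed by a Test-AppLockerPolicy run for two accounts. Rule IDs, the group SID,
# account names and the temp path are assumptions.

Import-Module AppLocker

# Publisher fields of regedit.exe, read from its signature. Compare these with the
# ProductName/BinaryName values used in the rules below before deploying.
Get-AppLockerFileInformation -Path "$env:windir\regedit.exe" |
    Select-Object -ExpandProperty Publisher

$helpdeskSid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # assumed group SID
$msPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Rule 1: Everyone (S-1-1-0) may run Microsoft-signed executables,
         except the Registry Editor, which is removed by the Exceptions element. -->
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000001"
        Name="Allow Microsoft-signed, except Registry Editor" Description=""
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$msPublisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$msPublisher"
            ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="REGEDIT.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePublisherRule>
    <!-- Rule 2: a second allow rule, scoped to the Helpdesk group, covers the
         file that rule 1 excepted. No deny rule is involved. -->
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000002"
        Name="Allow Registry Editor for Helpdesk" Description=""
        UserOrGroupSid="$helpdeskSid" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$msPublisher"
            ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="REGEDIT.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'regedit-exception.xml'   # assumed path
Set-Content -Path $policyFile -Value $policyXml -Encoding Unicode

# Expected: DeniedByDefault for a user outside Helpdesk (the exception removes
# regedit.exe from rule 1 and nothing else allows it); Allowed, matching rule 2,
# for a member of Helpdesk. Group membership is resolved for the named user.
foreach ($user in 'CONTOSO\jdoe', 'CONTOSO\helpdesk01') {          # assumed accounts
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path "$env:windir\regedit.exe" -User $user |
        Select-Object @{n='User'; e={$user}}, FilePath, PolicyDecision, MatchingRule
}
```

The point of the pattern is that the non-Helpdesk user is stopped by the absence of an allow rule, not by a deny rule. Because an explicit deny always wins over an allow in AppLocker, a deny rule for the Registry Editor could not later be opened up for Helpdesk by adding an allow rule, whereas an exception can.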

There is a deny rule in a GPO that is applied first

AppLocker policies in a Group Policy object (GPO) are applied in a predetermined order, and the deny action might be applied first in a GPO. For information about how policies are applied, see Understanding AppLocker Rules and Enforcement Setting Inheritance in Group Policy. Use the Test-AppLockerPolicy cmdlet to evaluate the effective AppLocker policy. For information about using this cmdlet, see Test an AppLocker Policy by Using Test-AppLockerPolicy.

Office applications cannot open on a network share

When opening some Microsoft Office documents, such as Word, Excel, or PowerPoint files, from a network share by using the fully qualified domain name, you might receive error messages such as the following:

  • Word experienced an error trying to open the file.

  • Microsoft Excel cannot open or save any more documents because there is not enough available memory or disk space.

  • PowerPoint found an error that it can't correct. You should save presentations, quit, and then restart PowerPoint.

These applications start under a reduced token that does not have enabled the group membership that the AppLocker rules require to allow them to start.

You can resolve this problem by adding the network locations from where you are opening the documents to the Trust Center in the Office applications. This can be accomplished using the Office 2010 Administrative Template files (ADM, ADMX/ADML) and Office Customization Tool. See the Microsoft Download Center for more information and downloads.