Problem: Users can run an application or other executable file that they should not be able to run

Applies To: Windows 7, Windows Server 2008 R2

This topic describes steps to remedy the problem when users can unintentionally run applications that were blocked by AppLocker.

Explanation

The AppLocker rules may not be restrictive enough and AppLocker is not blocking the application. This might be the result of one or more of the following causes:

  • There is an allow action on the rule that allows the application to run

  • There is an exception in a deny action on the rule that allows the application to run

  • The Application Identity service is not running

  • The AppLocker enforcement mode is set to Audit only

  • The AppLocker policy has not been refreshed on the affected computer

Solution

There is an allow action on the rule that allows the application to run

Verify that there is not an allow rule that specifically allows the application to run. You can export the AppLocker rules to an XML file or use an AppLocker PowerShell cmdlet to review the existing rules. If there is a rule that allows the application, you must edit it or delete it.

  1. Find the rule

    Use either of the following methods to find the rule that you need to modify:

    • Export AppLocker rules to an XML file

      When the policy with all the rules is listed in the XML file, use a text editor to search for the application or rule name. To perform the export procedure, see Export an AppLocker Policy to an XML File.

    • Use the Test-AppLockerPolicy cmdlet to find the rule for the application

      The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of files is allowed to run on the local computer for a specific user. To perform this procedure, see Test an AppLocker Policy by Using Test-AppLockerPolicy.

  2. Modify the rule

    • Edit the rule. How you edit the rule depends upon the rule collection type. For information about how to perform these procedures, see Edit AppLocker Rules.

    • Delete the rule. For information about how to perform this procedure, see Delete an AppLocker Rule.

There is an exception in a deny action on the rule that allows the application to run

Verify that there is not an exception in a rule with a deny action that allows the application to run. For instructions to locate the rule exception and edit the rule, see There is an allow action on the rule that allows the application to run.

The Application Identity service is not running

The Application Identity service is not configured to run by default in Windows. You can use Group Policy to set the properties of the service, which ensures that the service is always running on client computers.

For information about how to start the Application Identity service, see Configure the Application Identity Service.

The AppLocker enforcement mode is set to Audit only

If the enforcement mode is not configured, AppLocker enforces rules by default. You can also manually configure enforcement to either enforce rules or audit rules.

For information about how to configure enforcement for rule collections, see Enforce AppLocker Rules. For information about how to configure the enforcement setting for a Group Policy object (GPO), see Configure an AppLocker Policy for Enforce Rules.

The AppLocker policy has not been refreshed on the affected computer

When an AppLocker rule has been changed and you need to force a policy refresh by using Group Policy, you can use the gpupdate command. For information about how to perform this procedure, see Refresh an AppLocker Policy.
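The following PowerShell script is an added example, not part of this topic, that walks the checks described in the Solution section for one file and one user: the Application Identity service state, the enforcement mode of each rule collection, the rule that decides the file for that user, and an XML export for text-editor review. The values of $FilePath and $UserName are placeholders to replace with your own.

```powershell
# Added example: run in an elevated PowerShell session on the affected computer.
# Requires the AppLocker module (Import-Module AppLocker on Windows 7 / Server 2008 R2).
Import-Module AppLocker

$FilePath = 'C:\Tools\example.exe'   # placeholder: file the user should not be able to run
$UserName = 'CONTOSO\user1'          # placeholder: user who can unexpectedly run it

# 1. The Application Identity service (AppIDSvc) must be running, or AppLocker enforces nothing.
$svc = Get-Service -Name AppIDSvc
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'").StartMode
"Application Identity service: Status={0} StartMode={1}" -f $svc.Status, $startMode

# 2. Enforcement mode per rule collection (Enabled, AuditOnly, or NotConfigured).
#    AuditOnly records events but lets the file run; NotConfigured is enforced by default.
$policy = Get-AppLockerPolicy -Effective
$xmlText = Get-AppLockerPolicy -Effective -Xml
$xml = [xml]$xmlText
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    "Rule collection {0,-8} EnforcementMode={1}" -f $rc.Type, $rc.EnforcementMode
}

# 3. Which rule, if any, allows the file for this user. MatchingRule names the rule to
#    edit or delete; a decision of AllowedByDefault means no rule matched the file.
$result = Test-AppLockerPolicy -PolicyObject $policy -Path $FilePath -User $UserName
"Decision for {0}: {1}" -f $result.FilePath, $result.PolicyDecision
if ($result.MatchingRule) {
    "Matching rule: {0}" -f $result.MatchingRule
}

# 4. Save the effective policy as XML so it can be searched for the application or rule name.
$outFile = Join-Path $env:TEMP 'AppLockerEffectivePolicy.xml'
$xmlText | Set-Content -Path $outFile
"Effective policy exported to $outFile"

# 5. After the rule or enforcement setting is changed in Group Policy, refresh the policy:
#    gpupdate /force
```

If step 3 reports a matching rule with an allow action, or a deny rule whose exception covers the file, that is the rule to edit or delete before refreshing the policy.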