Problem: AppLocker Rules Still Enforced After the Service is Stopped

Updated: July 14, 2011

Applies To: Windows 7, Windows Server 2008 R2

This topic describes the steps to remedy a particular problem in which the AppLocker rules remain enforced even though the service has been stopped and the rules have been deleted from the user interface.

Explanation

For AppLocker to stop enforcing its rules, two things need to happen in sequence:

  1. The effective policy on the client computer is empty

  2. The AppLocker service is disabled

The condition in which the AppLocker rules remain enforced even though the service has been stopped and the rules have been deleted from the user interface occurs when a Group Policy administrator deletes all AppLocker rules and disables the AppLocker service in a single Group Policy update. In that case the AppLocker service is disabled before it can update the effective policy on the client computer, so the previously applied AppLocker rules continue to be enforced.

Solution

The solution to this condition, where you want to remove all AppLocker rules and stop the service, is to delete all the AppLocker rules in the GPO, push out that update to allow the empty AppLocker policy to be applied on the client computers, and then separately disable the service on those client computers.

To terminate AppLocker rule enforcement

  1. Back up the Group Policy Object (GPO) that contains the currently applied AppLocker rules.

  2. Delete all the AppLocker rules in that GPO. For steps on how to do this, see the topics in AppLocker Policy Procedures.

  3. Push out the GPO that now contains the empty AppLocker policy to the affected client computers. For steps on how to do this, see Refresh an AppLocker Policy.

  4. Disable the AppLocker service (appidsvc) on all the affected client computers. Optionally, you can restart the service. For steps on how to do this, see Configure the Application Identity Service. Alternatively, you can disable the AppLocker service using Group Policy instead of locally.

  5. Optionally, if you want to update the computers with another set of AppLocker rules (and the service has been enabled), force a Group Policy update for the revised AppLocker policy. For steps on how to do this, see Refresh an AppLocker Policy.
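Steps 3 and 4 on a single client, as an added PowerShell example that is not part of this topic: it makes sure the Application Identity service can apply the pushed-out empty policy, refreshes Group Policy, verifies that the effective AppLocker policy contains no rules, and only then disables the service. It assumes an elevated Windows PowerShell prompt on Windows 7 / Windows Server 2008 R2 with the built-in AppLocker module; the function name Get-AppLockerRuleCount is the example's own.

```powershell
# Added example, not from the TechNet topic. Run elevated on an affected client
# after the GPO containing the empty AppLocker policy has been pushed out (steps 1-3).
Import-Module AppLocker

function Get-AppLockerRuleCount {
    # Count the path, publisher and hash rules in the effective (merged) policy.
    # An empty policy has no RuleCollection elements, or collections with no rules.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $count = 0
    foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
        if ($collection -eq $null) { continue }
        $rules = $collection.SelectNodes('FilePathRule|FilePublisherRule|FileHashRule')
        $count += @($rules).Count
    }
    return $count
}

# The topic explains that a disabled service cannot update the effective policy,
# so re-enable AppIDSvc first if an earlier GPO already turned it off.
# Win32_Service is used because Get-Service in PowerShell 2.0 has no StartType.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
if ($svc.StartMode -eq 'Disabled') {
    Set-Service -Name AppIDSvc -StartupType Manual
}
Start-Service -Name AppIDSvc

# Step 3 on this client: pull the empty policy and confirm nothing is left enforced.
gpupdate /target:computer /force | Out-Null
$remaining = Get-AppLockerRuleCount
if ($remaining -gt 0) {
    Write-Warning "Effective policy still contains $remaining rule(s); AppIDSvc is left running."
    return
}

# Step 4: the effective policy is empty, so disabling the service is now safe.
Stop-Service -Name AppIDSvc
Set-Service -Name AppIDSvc -StartupType Disabled
Write-Host 'Effective AppLocker policy is empty and AppIDSvc is disabled.'
```

If the warning fires, the client has not yet received the empty policy; repeat the refresh rather than disabling the service, which is exactly the ordering problem this topic describes.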