The Men who stare at the AppLocker event log

Patch My Pc | install & update thousands of apps

In this blog, we’ll delve into the curious interplay between AppLocker, MSI installers, Intune, and event logs. We’ll explore how to configure and monitor AppLocker policies, the limitations imposed by Intune, and what to expect from your event logs when blocking applications. Let’s get started!


1. Introduction to AppLocker

AppLocker is a powerful tool for administrators to control what applications users can run on their devices. By creating rules that govern executable files, scripts, MSI installers, and packaged apps, AppLocker allows you to enforce security policies and mitigate the risks of unapproved software running in your environment.

You might already know that deploying AppLocker policies manually can be done fairly quickly using PowerShell. It takes just a few minutes to roll out an AppLocker baseline across multiple devices. If you’re unfamiliar with this process, I recommend checking out this guide for a quick overview of deploying AppLocker via PowerShell.

Before diving deeper, let’s take a moment to understand where AppLocker stores its configurations when not using Intune.

  • File System:
    Navigate to C:\Windows\System32\AppLocker to view all your AppLocker policies. If you’re using Intune, these policies will be moved to the MDM folder.
WHen the applocker policy from intune arrives on the device it will end up in the system32\applocker\mdm folder
  • Registry (without Intune):
    AppLocker stores its settings in the registry under
    HKLM\Software\Policies\Microsoft\Windows\SrpV2.
    Notice “SRPV2”? That stands for Software Restriction Policy V2.

A useful tip here: If you’ve ever accidentally locked yourself out due to an AppLocker misconfiguration, you can remotely adjust the settings by editing(deleting) those registry and file paths.


2. Configuring AppLocker to Block CMD and PowerShell

Now that we’ve touched on how to view your AppLocker settings, it’s time to test its functionality by configuring a few basic rules. For this example, we’ll block command prompt (CMD) and PowerShell.

If you need help setting up these rules, here’s a step-by-step guide to configure AppLocker to block administrative tools like CMD and PowerShell through Intune.

Once you’ve applied the necessary rules, try opening CMD. You should be greeted with an AppLocker notification, warning that the application has been blocked by the administrator.

When an application is blocked with Applocker, it will show the message: this app has been blocked by your system administrator

This is the first sign that your baseline configuration is working as expected.


3. Monitoring AppLocker Events: The Case of the Blocked EXE

After successfully blocking CMD or PowerShell, the next step is to inspect the logs. Open Event Viewer and navigate to the EXE and DLL AppLocker event log. Here, you’ll see an Event ID 8004, confirming that AppLocker blocked the execution attempt.

Besides the applocker notification the user gets, we could also spot event 8004 in the applocker event log mentioning that cmd was prevented from running

Event logs are crucial for monitoring AppLocker activity, and integrating this with your monitoring tools, such as SolarWinds, can provide ongoing insight into the behavior of restricted applications.

However, things get more interesting when you attempt to block MSI files or scripts. Unlike executables, the event logging behavior for MSIs under Intune-managed AppLocker is a bit different—and far more perplexing.


4. The Case of the Blocked MSI: Where Did the Logs Go?

AppLocker also includes the ability to block MSI and script files, which you can monitor via the MSI and Script AppLocker event log. At least, that’s how it’s supposed to work. When AppLocker is deployed via Intune, this section of the event log can often seem completely empty.

Here’s the curious part: When I configured AppLocker through Intune to block MSI files, I noticed no AppLocker notification when I tried to run a blocked MSI. Even more strangely, when I checked the AppLocker logs for MSI and scripts, they were completely silent—no log entries, no trace of blocked actions.

But the mystery doesn’t end there. When I looked in the Application log, I found an Event ID 1007, which is typically associated with Software Restriction Policies (SRP).

When applocker is blocking an MSI, it would not log this event in the applocker event log but in the application event log

This led to an interesting discovery: Microsoft appears to be using the legacy SRP to block MSI files rather than relying on AppLocker’s more modern infrastructure.

event 1007 with the source msiinstaller is showing that the installation is not permitted by software restriction policy (SRP)

This mix of old and new technology makes it tricky to fully understand how MSI and script blocking works when using Intune, as the expected AppLocker logs simply don’t exist in these cases. It’s as if the entire MSI and script blocking feature reverts to SRP—an older, more rudimentary method of restriction—when managed through Intune.


5. Conclusion: Understanding the Limitations of AppLocker and Intune

Deploying AppLocker policies to secure your endpoints is a highly effective strategy, but understanding how AppLocker behaves—especially when using Intune—is essential. While blocking EXEs works as expected and generates logs in the proper location, the handling of MSIs and scripts when deployed via Intune can lead to confusion due to the absence of logs in the expected locations.

In short, AppLocker policies behave differently when deployed via Intune compared to traditional methods, especially when it comes to MSI and script restrictions. While AppLocker is a great tool for application control, keep in mind that certain components may fall back on legacy SRP mechanisms, and you may need to look in unexpected places (like the Application event log) to find evidence of blocked actions.

As a final reminder, if you lock yourself out of a device due to a restrictive AppLocker policy, remember that the SRPV2 registry key can be your lifeline for recovery.

In conclusion, while AppLocker remains a vital tool for securing endpoints, understanding the intricacies of how it operates—especially in the context of Intune—can save you from troubleshooting headaches later on.

Leave a Reply

Your email address will not be published. Required fields are marked *

34  −    =  25

Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.