Applocker: The Meltdown

Last Updated on May 12, 2024 by rudyooms

This short blog will discuss what to do when you have locked yourself out of your device when implementing Intune Applocker device configuration policies. Some time ago, I blogged about how a not configured DLL rule can break your devices.

The Appocker Dilemma – Call4Cloud

At that time, just changing the Applocker device config inside Intune did the job. But what if the new Applocker policy won’t sync to the device, and the old policies still apply?

UPDATE 09-06-2021. Added a weird issue which can also be solved by following the steps above. So I will show you both problems/issues in this blog

In this blog, I will show you 2 issues and how to solve them

  1. Old lingering Applocker policy
  2. Better 1 Applocker policy than having 2

1. The Old lingering Applocker Policy

At the same company, there was still one device left that had the old Applocker policy. Inside this policy, the DLL rule was set to not be configured, as I showed in the blog above. It didn’t matter what we tried; the new working Applocker policy just did not apply.

So you have your device, which only shows a nice black screen, and there is nothing you can do about it. Or could there be some other solution to fix this problem?

Of course, there is… you will need to have access to the drive. In our example, we use N-able remote background to do the job.

When you still fancy your old fashioned domain controller. The Applocker policy will be stored on the workstations inside the SrvpV2 registry key:

HKLM:\Software\Policies\Microsoft\Windows\SrpV2

But with Intune… there is no such key. As I showed in one of my last blogs about Applocker, the information is also stored inside the c:\windows\system32\applocker\MDM folder.

The first step to get your device working again:

  1. Trash the contents of the MDM folder itself. (not the Applocker folder itself!)
  2. Make a note of the time stamp
  3. Delete the .policy files inside the Applocker folder with the same timestamp.
  4. Reboot the device

After a reboot, check the Applocker event log, you will notice the same warning you will have when you want to run/enforce Applocker without Intune on a Windows 10 pro device.

But for now, it’s excellent, you can log in again without Applocker. But your Applocker device config is gone… for now.  The quickest way to get Applocker back working is to just run the scheduled tasks.

Or just trigger a device sync from your Company Portal

After a few minutes, you will notice the new working Applocker policy will be created inside the MDM folder.

2. Better one Applocker policy than having 2

We also encountered a very weird problem, which can be solved by following the steps to resolve the first issue.

We were asked to allow a click to run KPN app, so we allowed this KPN tool by adding a publisher rule to the app locker policy.

Of course, we tested it in our test environment before we called the customer. On the device that really needed the KPN tool, it didn’t work at first.

We still received the Applocker block error

The Event log showed us the same. The famous Applocker event 8004

So, just like at the first issue I showed you we checked if this issue could be the same.

But instead of finding an un-updated Applocker XML, we noticed two Applocker folders. One had the new settings, but the other still had the old settings. Did you notice the timestamps?

Having 2 Applocker policies, fighting for the win will give you some weird behavior.

Like the first issue, we deleted the Applocker folder and synced the device. A new Applocker policy arrived on the device within a few minutes, and the KPN tool worked as it should.

Conclusion:

Even when everything seems broken, you can still fix the problem by deleting the whole folder… click click deleted!

Deleted GIFs | Tenor

3 thoughts on “Applocker: The Meltdown

  1. guys, just so you are aware, deleted the whole Applocker folder and restarted – device is bricked, black screen.
    will test just deleting MDM folders

    1. Deleting the applocker folder itself isnt a good idea :)… the mdm folders and the file it should be more than enough

      1. panic mode ๐Ÿ™‚
        is there a right and confirmed way of removing applocker policies via intune? Removing device from the config keeps the policies in place.
        M$ is on about creating an xml file that contains only, however with intune CSP not quite sure where to stick it.
        Sorry if you’ve already covered this scenario in your posts, but I couldn’t find it ๐Ÿ™

Leave a Reply

Your email address will not be published. Required fields are marked *

8  +  1  =