Applocker: The Meltdown

This short blog is about what to do when you have locked yourself out of your device while implementing Intune Applocker device configuration policies. Some time ago I blogged about how a DLL rule left at "not configured" can break your devices.

The Appocker Dilemma – Call4Cloud

At that time, just changing the Applocker device configuration inside Intune did the job. But what if the new Applocker policy just won’t sync to the device and the old policy still applies?

At the same company, there was still one device left that had the old Applocker policy. Inside this policy, the DLL rule was set to not configured, as I showed in the blog above. Whatever we tried, the new working Applocker policy just did not apply.

So you have got your device, which only shows you a nice black screen, and there is nothing you can do about it. Or could there be some other solution to fix this problem?

Of course, there is… but you will need access to the drive. In our example, we use N-able remote background to do the job.

When you have your old-fashioned domain controller and clients, the Applocker configuration is stored inside the SrpV2 registry key:

HKLM\Software\Policies\Microsoft\Windows\SrpV2

But with Intune… there is no such key. As I showed in one of my last blogs about Applocker, the information is also stored inside the c:\windows\system32\applocker\MDM folder.

The first step to get your device working again:

  1. Trash the contents of the MDM folder itself.
  2. Make a note of the timestamp.
  3. Delete the .policy files inside the Applocker folder which have the same timestamp.
  4. Reboot the device.
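The four steps above as one PowerShell recovery script, added here as an example and not part of the original post. It assumes an elevated shell on the locked-out device (for instance the remote background session mentioned above), the folder paths given in this post, and that the Intune-delivered files are the ones whose LastWriteTime matches the MDM folder contents; the `-Apply` switch is a hypothetical name and without it the script only lists what it would remove.

```powershell
# Added example for the recovery procedure above; not code from the original post.
# Assumes: elevated session on the device, paths as given in the post,
# and that matching LastWriteTime identifies the Intune-delivered .policy files.
param(
    [switch]$Apply   # hypothetical switch: omit it for a dry run that only lists files
)

$AppLockerDir = Join-Path $env:SystemRoot 'System32\AppLocker'
$MdmDir       = Join-Path $AppLockerDir 'MDM'

if (-not (Test-Path $MdmDir)) { throw "MDM folder not found: $MdmDir" }

# Step 2: note the timestamp(s) of the MDM policy files before touching anything.
$mdmFiles = @(Get-ChildItem -Path $MdmDir -File -Recurse)
if ($mdmFiles.Count -eq 0) { throw "MDM folder is empty; nothing to recover from." }
# Compare to the minute so sub-second differences between files do not hide a match.
$stamps = $mdmFiles | ForEach-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object -Unique
Write-Host "MDM policy timestamps: $($stamps -join ', ')"

# Step 3: the .policy files in the AppLocker folder that carry the same timestamp.
$matching = @(Get-ChildItem -Path $AppLockerDir -File -Filter '*.policy' |
    Where-Object { $stamps -contains $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') })

$targets = $mdmFiles + $matching
$targets | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

if (-not $Apply) {
    Write-Host "Dry run. Re-run with -Apply to remove the files above and reboot."
    return
}

# Keep a copy so the removed policies can be inspected later (constructed backup path).
$backup = Join-Path $env:TEMP ("AppLockerRecovery-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
$targets | Copy-Item -Destination $backup

# Steps 1 and 3: remove the policy files; step 4: reboot so Applocker starts without them.
$targets | Remove-Item -Force
Write-Host "Removed $($targets.Count) file(s); backup in $backup. Rebooting..."
Restart-Computer -Force
```

Check the dry-run listing before passing `-Apply`; the backup folder lets you compare the old policy with the new one that Intune writes back later.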

After a reboot, check the Applocker event log: you will notice the same warning you get when you try to run/enforce Applocker without Intune on a Windows 10 Pro device.

But for now, it’s great: you can log in again without Applocker. Your Applocker device config is gone, though… for now. The quickest way to get Applocker working again is simply to run the scheduled tasks.

After a few minutes, you will notice that the new working Applocker policy has been created inside the MDM folder.

Conclusion:

Even when everything seems broken, you can still fix the problem. In one of my next blogs, I will show you one of the options you have for monitoring Applocker block notifications.
