
Applocker: The Meltdown


This short blog will show you how to fix your Applocker policies when you have locked yourself out of a device after implementing or updating the Intune Applocker device configuration policy. I will also show you how to deal with a lingering or duplicate Applocker policy that was left behind on the device.

    1. The Old lingering Applocker Policy

    Some time ago, I blogged about how a DLL rule left as "Not configured" can break your devices.

    The Applocker Dilemma – Call4Cloud

    At that time, simply changing the Applocker device configuration inside Intune did the job. But what if the new Applocker policy won't sync to the device and the old policy still applies?

    At the same company, one device was left with the old Applocker policy. Inside that policy, the DLL rule was set to "Not configured", as I showed in the blog above. It didn't matter what we tried; the new, working Applocker policy just did not apply.

    So you have a device that only shows a nice black screen, and apparently there is nothing you can do about it. Or is there another way to fix this problem?

    Of course there is, but you will need access to the drive. In our example, we used an N-able remote background session to do the job.

    When you still fancy your old-fashioned domain controller and Group Policy, the Applocker policy is stored on the workstations inside the SrpV2 registry key:

    HKLM:\Software\Policies\Microsoft\Windows\SrpV2

    But with Intune… there is no such key. As I showed in one of my last blogs about Applocker, the information is instead stored inside the c:\windows\system32\applocker\MDM folder.

    The first steps to get your device working again:

    1. Delete the contents of the MDM folder (not the Applocker folder itself!).
    2. Make a note of the timestamp of the files you just deleted.
    3. Delete the .policy files inside the Applocker folder that carry the same timestamp.
    4. Reboot the device.

    Applocker policy files are visible in the system32\applocker folder.
    In the MDM folder we will spot the Applocker files with the configuration in them.

    After the reboot, check the Applocker event log. You will notice the same warning you get when you try to run or enforce Applocker without Intune on a Windows 10 Pro device.

    For now that is fine: you can log in again without Applocker. But your Applocker device config is gone… for now. The quickest way to get Applocker working again is simply to run the MDM scheduled tasks.

    Or trigger a device sync from the Company Portal app.

    After a few minutes, you will notice that the new, working Applocker policy has been created inside the MDM folder.
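The cleanup above as a PowerShell script, added here as an example and not part of the original post. It assumes the folder paths the post names and an elevated session; because it uses SupportsShouldProcess it deletes nothing until you confirm (or use -WhatIf to only look). The scheduled task name used to trigger the sync is an assumption; check what Task Scheduler shows under EnterpriseMgmt on your device.

```powershell
# Added example, not from the Call4Cloud post. Run elevated on the affected device.
# Paths are the ones the post names; the enrollment task name below is an ASSUMPTION.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$AppLockerRoot = "$env:SystemRoot\System32\AppLocker",
    [switch]$TriggerSync     # after cleanup and reboot, kick the MDM sync instead of waiting
)

$mdmPath  = Join-Path $AppLockerRoot 'MDM'
$mdmItems = @(Get-ChildItem -Path $mdmPath -ErrorAction SilentlyContinue)

# Steps 1 and 2: show what Intune left in MDM, with timestamps. More than one
# entry here is the "two policies fighting for the win" situation from the post.
Write-Host "Entries in $mdmPath ($($mdmItems.Count)):"
$mdmItems | Format-Table LastWriteTime, Name -AutoSize | Out-String | Write-Host

# Step 3: find .policy files in the AppLocker folder written within two minutes
# of an MDM entry (the post matches the timestamps by eye).
$toDelete = @(foreach ($pf in Get-ChildItem -Path $AppLockerRoot -Filter '*.policy' -File) {
    $near = $mdmItems | Where-Object {
        [math]::Abs(($_.LastWriteTime - $pf.LastWriteTime).TotalMinutes) -lt 2
    }
    if ($near) { $pf } else { Write-Host "Keeping $($pf.Name): no matching MDM timestamp" }
})

# Delete only the MDM contents and the matched .policy files. Never remove the
# AppLocker folder itself; a commenter on the post bricked a device that way.
foreach ($item in $mdmItems + $toDelete) {
    if ($PSCmdlet.ShouldProcess($item.FullName, 'Delete lingering AppLocker policy item')) {
        Remove-Item -Path $item.FullName -Recurse -Force
    }
}

# Step 4 is a reboot. Afterwards, instead of waiting for the next check-in, start
# the enrollment client's sync task. ASSUMPTION: it is the task named
# 'Schedule #3 created by enrollment client' under \Microsoft\Windows\EnterpriseMgmt\<GUID>\.
if ($TriggerSync) {
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' |
        Where-Object TaskName -like 'Schedule #3*' |
        Start-ScheduledTask
}
```

Run it once with -WhatIf to see which files would be matched before letting it delete anything.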

    2. Better one Applocker policy than two

    We also encountered a very weird problem, which can be solved by following the same steps we used to resolve the first issue.

    We were asked to allow a click-to-run KPN app, so we allowed this KPN tool by adding a publisher rule to the Applocker policy.

    Of course, we tested it in our test environment before we called the customer. But on the device that really needed the KPN tool, it didn't work at first.

    We still received the Applocker block error.

    The event log showed us the same: the famous Applocker event 8004.

    Applocker event log showing the 8004 error.
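To see exactly which binaries event 8004 is still blocking after a policy change, here is a small triage script, added as an example and not from the original post. It assumes the standard "Microsoft-Windows-AppLocker/EXE and DLL" channel and reads the structured fields from the event XML rather than parsing the message text.

```powershell
# Added example, not from the Call4Cloud post: summarise AppLocker event 8004
# (the "was prevented from running" block) for the last N hours.
param(
    [int]$Hours = 24
)

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = (Get-Date).AddHours(-$Hours)
}
if (-not $events) {
    Write-Host "No AppLocker 8004 block events in the last $Hours hours."
    return
}

# The structured fields live in UserData/RuleAndFileData of the event XML:
# FilePath, Fqbn (publisher\product\binary\version) and PolicyName (the rule
# collection, e.g. EXE or DLL). A DLL block here is the "Not configured" DLL
# rule problem from the earlier post.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time       = $e.TimeCreated
        FilePath   = $data.FilePath
        Fqbn       = $data.Fqbn
        Collection = $data.PolicyName
    }
}

# One line per blocked binary: how often, in which collection, and its publisher
# string, which is what a publisher rule (like the KPN one) has to match.
$rows | Group-Object FilePath | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Blocks     = $_.Count
        FilePath   = $_.Name
        Collection = ($_.Group.Collection | Sort-Object -Unique) -join '; '
        LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
        Publisher  = $_.Group[0].Fqbn
    }
} | Format-Table -AutoSize
```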

    So, just as with the first issue, we checked whether this was the same problem.

    But instead of finding an outdated Applocker XML, we noticed two Applocker policy folders. One had the new settings, but the other still had the old settings. Did you notice the timestamps?

    The MDM folder contains a lingering Applocker policy, which we need to remove.

    Having two Applocker policies fighting for the win will give you some weird behavior.

    As with the first issue, we deleted the lingering Applocker policy folder and synced the device. Within a few minutes, a new Applocker policy arrived on the device, and the KPN tool worked as it should.

    Conclusion:

    Even when everything seems broken, you can fix the problem by deleting the whole folder… click click deleted!


    3 thoughts on “Applocker: The Meltdown”

    1. Guys, just so you are aware: deleted the whole Applocker folder and restarted – device is bricked, black screen.
      Will test just deleting the MDM folders.

      1. Deleting the Applocker folder itself isn't a good idea :)… the MDM folders and the file should be more than enough.

        1. Panic mode 🙂
          Is there a right and confirmed way of removing Applocker policies via Intune? Removing the device from the config keeps the policies in place.
          M$ is on about creating an XML file that contains only, however with the Intune CSP I'm not quite sure where to stick it.
          Sorry if you've already covered this scenario in your posts, but I couldn't find it 🙁
