Applocker: The Meltdown

Patch My Pc | install & update thousands of apps

This short blog will show you how to fix your Applocker Policies when you have locked yourself out of your device after implementing or updating the Intune Applocker device configuration policies. I will show you how we need to deal with a lingering or duplicate Applocker policy that was left on the device.

    1. The Old lingering Applocker Policy

    Some time ago, I blogged about how a not configured DLL rule can break your devices.

    The Appocker Dilemma – Call4Cloud

    At that time, just changing the Applocker device config inside Intune did the job. But what if the new Applocker policy won’t sync to the device, and the old policies still apply?

    At the same company, one device remained with the old Applocker policy. Inside this policy, the DLL rule was set to not be configured, as I showed in the blog above. It didn’t matter what we tried; the new working Applocker policy just did not apply.

    So you have your device, which only shows a nice black screen, and there is nothing you can do about it. Or could there be some other solution to fix this problem?

    Of course, there is… you will need to have access to the drive. In our example, we use N-able remote background to do the job.

    When you still fancy your old-fashioned domain controller. The Applocker policy will be stored on the workstations inside the SrvpV2 registry key:

    HKLM:\Software\Policies\Microsoft\Windows\SrpV2

    But with Intune… there is no such key. As I showed in one of my last blogs about Applocker, the information is also stored inside the c:\windows\system32\applocker\MDM folder.

    The first step to get your device working again:

    1. Trash the contents of the MDM folder itself. (not the Applocker folder itself!)
    2. Make a note of the time stamp
    3. Delete the .policy files inside the Applocker folder with the same timestamp.
    4. Reboot the device
    Applocker policy files are visible in the system32\applocker folder.
Int the MDM folder we will spot the applocker files with the config in it.

    After a reboot, check the Applocker event log. You will notice the same warning you will get when you want to run/enforce Applocker without Intune on a Windows 10 pro device.

    But for now, it’s excellent, and you can log in again without Applocker. But your Applocker device config is gone… for now.  The quickest way to get Applocker back working is just to run the scheduled tasks.

    Or trigger a device sync from your Company Portal

    After a few minutes, you will notice the new working Applocker policy will be created inside the MDM folder.

    2. Better one Applocker policy than having 2

    We also encountered a very weird problem, which can be solved by following the steps to resolve the first issue.

    We were asked to allow a click to run KPN app, so we allowed this KPN tool by adding a publisher rule to the app locker policy.

    Of course, we tested it in our test environment before we called the customer. On the device that really needed the KPN tool, it didn’t work at first.

    We still received the Applocker block error

    The Event log showed us the same. The famous Applocker event 8004

    applocker event log showing the 8004 error

    So, just like in the first issue I showed you, we checked if this issue could be the same.

    But instead of finding an un-updated Applocker XML, we noticed two Applocker folders. One had the new settings, but the other still had the old settings. Did you notice the timestamps?

    the mdm folder contains a lingering applocker policy which we need to remove.

    Having 2 Applocker policies, fighting for the win will give you some weird behavior.

    Like the first issue, we deleted the Applocker folder and synced the device. Within a few minutes, a new Applocker policy arrived on the device, and the KPN tool worked as it should.

    Conclusion:

    Even when everything seems broken, you can fix the problem by deleting the whole folder… click click deleted!

    Deleted GIFs | Tenor

    3 thoughts on “Applocker: The Meltdown

    1. guys, just so you are aware, deleted the whole Applocker folder and restarted – device is bricked, black screen.
      will test just deleting MDM folders

      1. Deleting the applocker folder itself isnt a good idea :)… the mdm folders and the file it should be more than enough

        1. panic mode ๐Ÿ™‚
          is there a right and confirmed way of removing applocker policies via intune? Removing device from the config keeps the policies in place.
          M$ is on about creating an xml file that contains only, however with intune CSP not quite sure where to stick it.
          Sorry if you’ve already covered this scenario in your posts, but I couldn’t find it ๐Ÿ™

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    25  +    =  27

    Proudly powered by WordPress | Theme: Wanderz Blog by Crimson Themes.