Applocker

Sometimes Applocker gets itself into a knot and gets stuck in Enforcing Mode. Here are the full steps to reset Applocker and set it up properly.

To fix this, follow the steps attached from https://en.it-pirate.eu/windows-10-applocker-policies-still-affect-disabling-service/

Then, follow these steps:

1. Log in as Administrator.

2. Windows + R > services.msc > double-click Application Identity > change Startup type to "Manual".

3. Reset applocker (from https://en.it-pirate.eu/windows-10-applocker-policies-still-affect-disabling-service/)

4. Insert the Default Windows Rules to make sure you don't cut yourself off:

   1. Windows + R > secpol.msc > Application Control Policies > AppLocker

   2. Executable Rules > Create Default Rules

   3. Windows Installer Rules > Create Default Rules

   4. Script Rules > Create Default Rules

   5. Packaged App Rules > Create Default Rules

5. Unblock AppLocker for Local Administrator user only (if required):

   1. Executable Rules > right-click "(Default) Allow All" > change user to "Administrator"

   2. Windows Installer Rules > right-click "(Default) Allow All" > change user to "Administrator"

   3. Script Rules > right-click "(Default) Allow All" > change user to "Administrator"

6. Turn on and test in Audit Mode:

   1. Windows + R > secpol.msc > Application Control Policies > AppLocker > Configure Rule enforcement > change all to "Audit rules".

   2. Windows > "Command" > right-click "Command" > Run as Administrator > type "gpupdate /force" and press enter.

   3. Reboot computer. <-- Make sure you do this step!!

   4. Log in as Administrator.

   5. Windows + R > services.msc > right-click Application Identity > Start

   6. Copy c:\windows\write.exe to desktop.

   7. On the desktop, double-click write.exe. Write will open.

   8. Log in as User.

   9. Copy c:\windows\write.exe to desktop.

   10. On the desktop, double-click write.exe. Write will open.

   11. Windows + R > eventvwr.msc > Applications and Services Logs > Microsoft > Windows > AppLocker

   12. Check the log to see if write.exe was blocked. If so, then Applocker is working correctly.

   13. Check the log to make sure that Administrator executables are not being blocked. If so then start from Step 1.

   14. Log out of User.

   15. Log in as Administrator.

7. Turn on Enforcing Mode:

   1. Windows + R > secpol.msc > Application Control Policies > AppLocker > Configure Rule enforcement > change all to "Enforce rules".

   2. Windows > "Command" > right-click "Command" > Run as Administrator > type "gpupdate /force" and press enter.

   3. Reboot computer. <-- Make sure you do this step!!

   4. Log in as Administrator.

   5. Windows + R > services.msc > right-click Application Identity > Start

   6. On the desktop, double-click write.exe. Write will open.

   7. Log in as a User.

   8. On the desktop, double-click write.exe. Write will NOT open and an AppLocker block dialog box will appear. If so, then AppLocker is working properly.

   9. Log out of User.

8. Add any additional path rules for applications that are not in Program Files:

   1. Log in as Administrator.

   2. Windows + R > secpol.msc > Application Control Policies > AppLocker > Executable Rules

   3. Add any extra executables here.

   4. Windows > "Command" > right-click "Command" > Run as Administrator > type "gpupdate /force" and press enter.

   5. Reboot computer. <-- Make sure you do this step!!

   6. Log in as Administrator.

   7. Windows + R > services.msc > right-click Application Identity > Start

   8. Ensure that no applications are blocked.

   9. Log in as User.

   10. Check that the required applications work.

9. Add ACSC block rules (see https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-hardening/implementing-application-control):

10. After you are sure things are working, you can turn on Applocker automatically on boot. WARNING this has the potential to block you from ever accessing the computer. Ensure you have a full backup before performing this step.

    1. Windows + R > services.msc > double-click Application Identity > change Startup type to "Automatic".

    2. Windows > "Command" > right-click "Command" > Run as Administrator > type "gpupdate /force" and press enter.

    3. Reboot computer. <-- Make sure you do this step!!

    4. Log in as Administrator.

    5. Ensure that no applications are blocked.

    6. Log in as a general user.

    7. Check that the required applications work.