Our baseline policies are:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group1/EXE/Policy
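<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <!--
    Executable rules, enforced. A matching Deny rule wins over any Allow rule;
    otherwise a file runs only if at least one Allow rule matches it.
    UserOrGroupSid S-1-1-0 is Everyone; S-1-5-32-544 is the local Administrators group.
  -->

  <!--
    Default path rules.
    NOTE(review): these trust every subfolder of Program Files and Windows. Some
    subfolders of %WINDIR% are writable by standard users on a default install;
    audit the ACLs and add Exceptions for any that are, so that only
    admin-controlled locations are trusted by path.
  -->
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20"
                Name="(Default Rule) All files located in the Program Files folder"
                Description="Allows members of the Everyone group to run applications that are located in the Program Files folder."
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51"
                Name="(Default Rule) All files located in the Windows folder"
                Description="Allows members of the Everyone group to run applications that are located in the Windows folder."
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <!-- Local Administrators may run anything; the EdgeBlock Deny rule further down still applies to them because it targets Everyone. -->
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2"
                Name="(Default Rule) All files"
                Description="Allows members of the local Administrators group to run all applications."
                UserOrGroupSid="S-1-5-32-544"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>

  <!--
    Publisher-wide allow rules. ProductName, BinaryName and the version range are
    all wildcards, so each rule trusts every binary signed by that publisher,
    wherever the file is stored.
    NOTE(review): for a broad publisher such as Microsoft this also covers signed
    developer and scripting tools; consider adding Exceptions or Deny rules based
    on Microsoft's recommended block list for application control.
  -->
  <FilePublisherRule Id="462940ad-85aa-4bb6-afbe-cceab15fbed1"
                     Name="Signed by O=LOOM, INC., L=SAN FRANCISCO, S=CA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=LOOM, INC., L=SAN FRANCISCO, S=CA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="6f0088e0-796d-4de8-826d-15af91718148"
                     Name="Signed by O=ZOOM VIDEO COMMUNICATIONS, INC., L=SAN JOSE, S=CALIFORNIA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=ZOOM VIDEO COMMUNICATIONS, INC., L=SAN JOSE, S=CALIFORNIA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="b86a6638-ede4-4f0d-be6d-edc0c9cf126f"
                     Name="Signed by O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="75f5793b-0fef-4517-9c9c-2410f52572f8"
                     Name="Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="72527ee9-a2a8-4d9f-9761-aefe038ae16b"
                     Name="Signed by O=ADOBE INC., L=SAN JOSE, S=CA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=ADOBE INC., L=SAN JOSE, S=CA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <!-- NOTE(review): this publisher signs remote-access software; confirm that Everyone, rather than a support group, needs it. -->
  <FilePublisherRule Id="d8fc8c12-58bc-4495-be11-4c2901cead41"
                     Name="Signed by O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=LOGMEIN, INC., L=BOSTON, S=MASSACHUSETTS, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="4fb964e0-43ec-4b42-a2af-c10ee424ede1"
                     Name="Signed by O=ZWIFT, INC., L=LONG BEACH, S=CALIFORNIA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=ZWIFT, INC., L=LONG BEACH, S=CALIFORNIA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <!-- NOTE(review): this Id is also used by the Essex County Council rule in the Msi policy on this page; rule Ids are normally unique, so regenerate one of them if the collections are ever merged into a single policy. -->
  <FilePublisherRule Id="6fa008eb-d90e-4aff-ba4b-b2f53a64e682"
                     Name="Signed by O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="bf6b505c-e6b6-4ab6-b34c-f8d8c1a3c405"
                     Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>

  <!--
    Narrower publisher rules: pinned to one product and one binary name.
    The U-umlaut in the RUNASSPC publisher string was restored from a mis-encoded
    character; confirm it against the subject of the signing certificate, because
    a publisher string that does not match exactly means the rule never applies.
  -->
  <FilePublisherRule Id="31d5888c-65d2-4610-8189-3d089cf355c6"
                     Name="RUNASSPC.EXE, in RUNASSPC, from O=OLIVER HESSING, L=STUTTGART, S=BADEN WÜRTTEMBERG, C=DE"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=OLIVER HESSING, L=STUTTGART, S=BADEN WÜRTTEMBERG, C=DE"
                              ProductName="RUNASSPC"
                              BinaryName="RUNASSPC.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="a4c338eb-8a41-43a4-9a73-c7b4f7e9ab0d"
                     Name="SETUP.EXE, in LADIBUG3.0, from O=LUMENS DIGITAL OPTICS INC., L=HSINCHU, S=TAIWAN, C=TW"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=LUMENS DIGITAL OPTICS INC., L=HSINCHU, S=TAIWAN, C=TW"
                              ProductName="LADIBUG3.0"
                              BinaryName="SETUP.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <!--
    The literal quotation marks in Name are escaped as &quot; so the attribute is
    well-formed XML. BinaryName is empty as on the original page.
    NOTE(review): presumably generated from a file with no original file name;
    confirm the rule matches the intended binaries.
  -->
  <FilePublisherRule Id="2ca85e89-17b3-44e2-8212-738c570e0c3c"
                     Name="&quot;&quot;, in OPENSHOT VIDEO EDITOR, from O=OPENSHOT STUDIOS, LLC, L=ROCKWALL, S=TEXAS, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=OPENSHOT STUDIOS, LLC, L=ROCKWALL, S=TEXAS, C=US"
                              ProductName="OPENSHOT VIDEO EDITOR"
                              BinaryName="">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>

  <!-- Publisher-wide rules labelled by application name instead of by signer. -->
  <FilePublisherRule Id="524be818-df37-48f9-91c8-7cb9457711d0"
                     Name="Mendeley"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=ELSEVIER LTD, L=KIDLINGTON, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="66652289-5bfa-4a6a-b77f-11868c203437"
                     Name="Widget"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=SYMBOLS WORLDWIDE LTD., L=LEAMINGTON SPA, S=WARWICKSHIRE, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>

  <!--
    NOTE(review): path rule for a folder at the root of the OS drive. Folders
    created there commonly inherit write access for standard users; confirm that
    only administrators can write to it, or replace the rule with a publisher or
    hash rule.
  -->
  <FilePathRule Id="9352e338-9fd0-4b66-a537-729741e5fc76"
                Name="Salto"
                Description=""
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="%OSDRIVE%\SALTO\*" />
    </Conditions>
  </FilePathRule>
  <!--
    Deny by path, for Everyone. The AppLocker %PROGRAMFILES% variable covers both
    Program Files and Program Files (x86).
    NOTE(review): a path Deny only applies to files stored in this location, while
    the Microsoft publisher rule above allows Microsoft-signed binaries from any
    location; a Deny rule with a publisher condition on the product would not
    depend on where the file is stored.
  -->
  <FilePathRule Id="1d1a7093-08a1-49ab-bfb7-2c203f686069"
                Name="EdgeBlock"
                Description=""
                UserOrGroupSid="S-1-1-0"
                Action="Deny">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\Microsoft\Edge\*" />
    </Conditions>
  </FilePathRule>
  <!--
    NOTE(review): trusts a network share addressed by IP. Whoever can write to the
    share decides what runs under this rule; confirm that share and NTFS
    permissions are read-only for standard users, and prefer a publisher or hash
    rule if the binaries are signed.
  -->
  <FilePathRule Id="d696237d-f2c0-4bee-b451-d1a5ea88fd0c"
                Name="InVentry"
                Description=""
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="\\10.42.236.31\InVentry\V4\Console\*" />
    </Conditions>
  </FilePathRule>

  <!-- Hash rule: allows exactly one file by SHA256; it has to be regenerated whenever the vendor ships a new build. -->
  <FileHashRule Id="853e2140-5422-457b-9ba0-409c73275d48"
                Name="Total Lock"
                Description="USB drive encryption software."
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FileHashCondition>
        <FileHash Type="SHA256"
                  Data="0xA23D77A118DB829CBD21B5CE0A9883C2661DAC796ECCB9D3C175582358EE8C6A"
                  SourceFileName="TotalLock.exe"
                  SourceFileLength="9913344" />
      </FileHashCondition>
    </Conditions>
  </FileHashRule>

  <FilePublisherRule Id="6be7c34e-9a1d-4abd-998c-0108d40217a6"
                     Name="4Matrix"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=NEW MEDIA LEARNING LTD, L=LEIGH-ON-SEA, S=ESSEX, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="8067d315-2f60-4c76-b6e1-0a587345f9e8"
                     Name="Surpass Viewer"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=BTL GROUP LTD, L=SHIPLEY, S=WEST YORKSHIRE, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="0c0b2f03-9330-4f69-8076-05afe7402929"
                     Name="POS Admin"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=BIOSTORE LTD, L=HEXHAM, S=NORTHUMBERLAND, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>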
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group2/MSI/Policy
<RuleCollection Type="Msi" EnforcementMode="Enabled">
  <!--
    Windows Installer rules, enforced. S-1-1-0 is Everyone; S-1-5-32-544 is the
    local Administrators group.
  -->

  <!--
    Default rule: PublisherName is a wildcard, so any digitally signed installer
    is allowed for Everyone, whoever signed it.
    NOTE(review): while this rule is present the publisher-specific Allow rules
    further down appear redundant; if the intent is to allow only the named
    publishers, this rule is the one to remove.
  -->
  <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473"
                     Name="(Default Rule) All digitally signed Windows Installer files"
                     Description="Allows members of the Everyone group to run digitally signed Windows Installer files."
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="*"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <!-- Default rule: installers already cached under the Windows Installer folder. -->
  <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54"
                Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer"
                Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer."
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\Installer\*" />
    </Conditions>
  </FilePathRule>
  <!-- Default rule: local Administrators may run any installer. -->
  <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d"
                Name="(Default Rule) All Windows Installer files"
                Description="Allows members of the local Administrators group to run all Windows Installer files."
                UserOrGroupSid="S-1-5-32-544"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="*.*" />
    </Conditions>
  </FilePathRule>

  <!-- Publisher-wide allow rules: every product, file name and version from the named signer. -->
  <FilePublisherRule Id="8fe8eccb-700f-4dc5-954e-01c34b802412"
                     Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <!-- NOTE(review): this Id is also used by the Essex County Council rule in the Exe policy on this page; rule Ids are normally unique, so regenerate one of them if the collections are ever merged into a single policy. -->
  <FilePublisherRule Id="6fa008eb-d90e-4aff-ba4b-b2f53a64e682"
                     Name="Signed by O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=ESSEX COUNTY COUNCIL, L=CHELMSFORD, S=ESSEX, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="967be9b5-6777-4acd-993e-7b05be672f44"
                     Name="Webex"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=CISCO SYSTEMS, INC., L=SAN JOSE, S=CALIFORNIA, C=US"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePublisherRule Id="981b2144-9a6d-453b-81de-bd9d0fb9c5b6"
                     Name="PenPal"
                     Description=""
                     UserOrGroupSid="S-1-1-0"
                     Action="Allow">
    <Conditions>
      <FilePublisherCondition PublisherName="O=CAMBRIDGE HITACHI-SOLUTIONS EDUCATION LIMITED, L=CAMBRIDGE, S=CAMBRIDGESHIRE, C=GB"
                              ProductName="*"
                              BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
and finally
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Group3/Script/Policy
<RuleCollection Type="Script" EnforcementMode="Enabled">
  <!--
    Script rules, enforced; only the three default rules are present.
    S-1-1-0 is Everyone; S-1-5-32-544 is the local Administrators group.
    NOTE(review): the two path rules trust every subfolder of Program Files and
    Windows. Audit those trees for folders that standard users can write to and
    add Exceptions for them, so that only admin-controlled locations are trusted.
  -->
  <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d"
                Name="(Default Rule) All scripts located in the Program Files folder"
                Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder."
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c"
                Name="(Default Rule) All scripts located in the Windows folder"
                Description="Allows members of the Everyone group to run scripts that are located in the Windows folder."
                UserOrGroupSid="S-1-1-0"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <!-- Local Administrators may run scripts from any location. -->
  <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725"
                Name="(Default Rule) All scripts"
                Description="Allows members of the local Administrators group to run all scripts."
                UserOrGroupSid="S-1-5-32-544"
                Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>
These all work fine and we slightly modify them for specific OUs to allow certain things to run.
The only obvious thing I can see is you don't need:
<AppLockerPolicy Version="1">
</AppLockerPolicy>
at the top and bottom. As the policies above show, each Policy node takes just the <RuleCollection> element.