1

I'm trying to enable AppLocker on Windows 10 Enterprise.

I have AppID and AppIDSVC enabled and set to automatic start, and everything looks good. However, when I start inserting policy rules into AppLocker (specifically, .dll rules), I get the following error in Event Viewer:

AppID policy conversion failed. Status Access is denied

User: SYSTEM

That's basically all the info I get.

Why is it trying to convert the policy? Where is this policy? How do I give the system access?

If I ignore this error (which is not a good idea unless you're working on a clean machine with recent restore points) and I continue to configure AppLocker, it works for that session. When I reboot, after the BIOS loads, the OS does not; I get a grey screen and need to restore.

This is obviously not good, and I have been working around the clock trying to fix it. I have found nothing that helps on the internet thus far, so insight or advice would be greatly appreciated.

slayernoah
ztnd13

2 Answers

2

The description of this error can be found in Microsoft's TechNet article Using Event Viewer with AppLocker, and is:

Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.

The status you're getting is "access denied," which tells you which general direction to look in, as well. Someone else had this issue when LOCAL SERVICE had insufficient rights to modify or delete logs at C:\Windows\System32\config\TxR, so that's the type of permissions issue I'd suspect here as well. (By which I mean, something completely unintuitive and non-obvious.)

To track it down precisely, the best thing I can think of is to open up Process Monitor from the SysInternals Suite just before you start adding your AppLocker rules, and then filter through the output to see which file or folder it is that SYSTEM is trying to access when the error is thrown. Once you know where the access is denied, hopefully it's a simple matter of explicitly giving SYSTEM full control to the location.

HopelessN00b
  • I had a similar issue with the local service account not being able to access c:\windows\system32\AppLocker. Thanks to HopelessN00b's suggestion of utilizing Procmon this was fairly easy to find. I was able to create the AppLocker folder manually and give the Local Service Full Control to the directory and it resolved my issues. – Nathan - Sysadmin Feb 27 '20 at 13:08
0

I've seen posts where a user switched it from LOCAL SERVICE to SYSTEM and the service stopped working. Have you tried switching it back to LOCAL SERVICE? The LOCAL SERVICE is the correct/default account in which to run this service.

M. Anselmi
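
The permission checks suggested in the answers above, as an added example that is not part of the original posts: a read-only PowerShell sketch that lists the ACEs naming SYSTEM and LOCAL SERVICE on the two folders mentioned in this thread and shows which account AppIDSvc is configured to run as. The helper name `Get-DirectAce` is hypothetical, and the path list is an assumption to be replaced with whatever location Process Monitor reports.

```powershell
# Added diagnostic sketch (read-only); run from an elevated PowerShell prompt.
# Assumption: these are the two folders named in this thread; swap in the
# path Process Monitor shows as ACCESS DENIED on your machine.
$paths = @(
    "$env:SystemRoot\System32\AppLocker",
    "$env:SystemRoot\System32\config\TxR"
)

# Well-known SIDs instead of names, so the check also works on localized Windows.
$accounts = [ordered]@{
    'S-1-5-18' = 'SYSTEM'
    'S-1-5-19' = 'LOCAL SERVICE'
}

function Get-DirectAce {   # hypothetical helper name
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing folder was the cause reported in the comment above.
        return [pscustomobject]@{ Path = $Path; Account = '-'; Type = '-'
                                  Rights = 'PATH MISSING'; Inherited = '-' }
    }

    $acl   = Get-Acl -LiteralPath $Path
    # Explicit and inherited ACEs, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($sid in $accounts.Keys) {
        $hits = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
        if ($hits.Count -eq 0) {
            # No ACE names the account directly; access may still come via a group.
            [pscustomobject]@{ Path = $Path; Account = $accounts[$sid]; Type = '-'
                               Rights = 'no direct ACE'; Inherited = '-' }
        }
        foreach ($r in $hits) {
            [pscustomobject]@{ Path = $Path; Account = $accounts[$sid]
                               Type = $r.AccessControlType
                               Rights = $r.FileSystemRights
                               Inherited = $r.IsInherited }
        }
    }
}

# Account the Application Identity service is configured to run as.
Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'" |
    Format-List Name, StartName, StartMode, State

$paths | ForEach-Object { Get-DirectAce -Path $_ } | Format-Table -AutoSize
```

A row showing `PATH MISSING` or `no direct ACE` only narrows the search; confirm against the Process Monitor trace before changing any permissions.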