We run AppLocker on our RDS servers. We keep the default rule list, add Allow rules for custom applications, and a single block rule. The block rule blocks explorer.exe for most users, preventing them from gaining a full Remote Desktop shell, but allowing them to run Remote Apps.

This has worked beautifully for 2008 - 2012 R2.

Windows Server 2016 brings Universal Apps. Stripping AppLocker down to the default rules, logged in as a local admin (which grants the ability to run everything on hard disk!), and no additional rules, it blocks access to the Settings app.

Attempting to open the Settings app shows the standard AppLocker error: "This app has been blocked by your system administrator. Contact your system administrator for more info."

This is baffling. AppLocker seems to be unable to cope with Universal Apps. Does anyone have experience with this?

Thanks!

ltwally

1 Answer

The error you're talking about does not necessarily mean it's AppLocker.

AppLocker can manage Universal Apps; this is called "Packaged app Rules", and you have to create at least the Default Rules in the "Packaged app Rules" node of your AppLocker policy.

You can take a look at the AppLocker logs too: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee844150(v=ws.10)

Swisstone
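The two checks suggested in the answer above, as an added PowerShell example that is not part of the original posts: it lists the packaged app (Appx) rule collection in the effective AppLocker policy and then reads recent events from the packaged app execution log. It assumes an elevated session on the affected server; the one-hour window is an arbitrary choice.

```powershell
# Added example, not from the original question or answer.
# Run in an elevated PowerShell session on the affected RDS server.
Import-Module AppLocker

# 1. Does the effective policy contain any packaged app (Appx) rules?
#    Get-AppLockerPolicy -Xml returns the policy as an XML string.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$appx = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Appx' }

if (-not $appx) {
    Write-Warning 'Effective policy has no Appx (packaged app) rule collection.'
} else {
    # Each child element of the collection is one rule.
    $rules = @($appx.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    '{0} packaged app rule(s); enforcement mode: {1}' -f $rules.Count, $appx.EnforcementMode
    $rules | Select-Object Name, Action, UserOrGroupSid | Format-Table -AutoSize
}

# 2. What did AppLocker log for packaged apps in the last hour?
#    8020 = packaged app allowed
#    8021 = packaged app would have been blocked (audit only)
#    8022 = packaged app blocked
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
    Id        = 8020, 8021, 8022
    StartTime = (Get-Date).AddHours(-1)   # arbitrary window
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    # No AppLocker events for the launch attempt suggests the block
    # message did not come from AppLocker.
    'No packaged app execution events in the last hour.'
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
```

Reproduce the Settings launch first, then run the script. An 8022 entry naming the app confirms an AppLocker block, while an empty log is consistent with the answer's point that the message can come from somewhere else.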