Windows 10 Start Menu Does Not Work with AppLocker.

I know that this is not a System Center related post but I just spent the good part of 2 hours pulling my hair out over this issue so I thought I better have something to show for it at the end of it all.

In my lab I had newly built Windows 10 Enterprise PCs that are joined to a domain. Before they join the domain all apps function fine; however, as soon as one of them joins the domain ALL the Windows 10 packaged apps stop working: even the Start menu and Cortana don't work, and the Edge browser does not appear on the taskbar.

Now I know I have some AppLocker GPOs in the environment that prevent users from running executables from under their user profile folder (C:\Users\<username>), but that does not explain why these apps are not running, as they are not run from one of those locations.

Looking at the event logs, the AppLocker log (the Packaged app-Execution channel) reads: “No packaged apps can be executed while Exe rules are being enforced and no packaged app rules have been configured.”

Under Windows 8.x and 10, packaged (Modern UI / Universal) apps are governed by a separate AppLocker rule collection called Packaged app Rules; the Executable Rules collection does not cover them. If you enable AppLocker with only .exe based rules, AppLocker does not fall back to allowing packaged apps: with the Exe collection enforced and no packaged app rules configured, it blocks ALL packaged apps, the Start menu and Cortana included, unless specific packaged app rules allow them.
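To see this state on a machine before guessing, the following added example (my own script, not part of the original post) summarises the effective AppLocker policy per rule collection, flags the "Exe enforced, no Packaged app rules" combination, and pulls the matching events from the Packaged app-Execution channel. It assumes Windows 10 with the AppLocker PowerShell module and an elevated prompt; the function names are mine.

```powershell
# Added example, not from the original post: summarise the effective AppLocker
# policy on this machine and flag the "Exe enforced, no Packaged app rules" state.
# Assumes Windows 10 with the AppLocker module; run in an elevated PowerShell.

function Get-AppLockerCollectionSummary {
    # Effective policy = local policy merged with every applied GPO, as XML.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    foreach ($rc in @($policy.AppLockerPolicy.RuleCollection)) {
        # Count rule elements only (FilePublisherRule / FilePathRule / FileHashRule).
        $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        [pscustomobject]@{
            Type        = $rc.Type              # Exe, Dll, Msi, Script, Appx
            Enforcement = $rc.EnforcementMode   # NotConfigured, AuditOnly, Enabled
            RuleCount   = $rules.Count
        }
    }
}

function Test-PackagedAppLockout {
    param([object[]]$Summary = (Get-AppLockerCollectionSummary))
    $exe  = $Summary | Where-Object Type -eq 'Exe'
    $appx = $Summary | Where-Object Type -eq 'Appx'
    # The failure mode from the post: Exe rules enforced and no Appx rules at all
    # (either no Appx collection in the effective policy, or an empty one).
    ($exe -and $exe.Enforcement -eq 'Enabled') -and (-not $appx -or $appx.RuleCount -eq 0)
}

$summary = Get-AppLockerCollectionSummary
$summary | Format-Table -AutoSize

if (Test-PackagedAppLockout -Summary $summary) {
    Write-Warning 'Exe rules are enforced but the Packaged app (Appx) collection has no rules: every packaged app, the Start menu included, will be blocked.'
}

# Corroborate with the Packaged app-Execution channel: 8027 is the warning
# quoted in the post, 8022 is logged for each packaged app that was blocked.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
    Id        = 8022, 8027
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Run it on a working machine and on a broken one: the only difference you should see is the Appx row (missing or with RuleCount 0) and the 8022/8027 events on the broken one.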

This seems a simple enough answer: turn off AppLocker in the GPO and reboot.

However, after removing the GPO, refreshing the GPOs (gpupdate /force) and rebooting several times, the error still occurs.

It is almost as if once the AppLocker rules are applied they are never removed.

After a little more digging I found this article: Problem: AppLocker Rules Still Enforced After the Service is Stopped

It turns out that when you remove the GPO from the workstations, the AppLocker service (Application Identity, AppIDSvc) gets disabled before it can update its policies, so the previously applied rules remain intact.

The short answer was to keep the GPOs enabled but remove ALL of the AppLocker rules, refresh the GPOs several times until the packaged apps start to work again, and only then remove the GPO. So in the end the answer is not too difficult, but unless you go digging into the facts that packaged apps are treated differently by AppLocker and that removing the GPO disables the service before it cleans house, this blog may be useful.
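If you would rather keep AppLocker on and fix the missing collection instead, the following added example (my own script, not from the original post) builds a Packaged app rule collection that allows only packages signed by the Microsoft publisher DNs actually present on the machine, dry-runs it with Test-AppLockerPolicy, and merges it into the policy. It assumes Windows 10 with the AppLocker module and an elevated prompt; the output path, rule names and function name are illustrative. It goes one step beyond a single "Microsoft-signed" rule on purpose: inbox components such as the Start menu host are signed under a different Microsoft DN than Store apps, so a rule for one DN alone can still leave the Start menu blocked.

```powershell
# Added example, not from the original post: build a Packaged app (Appx) rule
# collection that allows only packages signed by Microsoft publishers, dry-run it,
# and merge it into the policy. Assumes Windows 10 with the AppLocker module;
# run in an elevated PowerShell. Path and rule names are illustrative.

$policyPath = Join-Path $env:TEMP 'applocker-appx-microsoft.xml'

function New-MicrosoftAppxPolicyXml {
    # Inbox packages are signed under more than one Microsoft DN: Store apps use
    # "CN=Microsoft Corporation, O=Microsoft Corporation, ...", while Windows
    # components such as the Start menu host use "CN=Microsoft Windows, ...".
    # Enumerate the publisher DNs present on this machine rather than guessing.
    $publishers = Get-AppxPackage -AllUsers |
        Select-Object -ExpandProperty Publisher -Unique |
        Where-Object { $_ -match 'O=Microsoft Corporation' } |
        Sort-Object

    $rules = foreach ($dn in $publishers) {
        # The DN goes into an XML attribute, so escape it.
        $safeDn = [System.Security.SecurityElement]::Escape($dn)
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Allow packaged apps signed by $safeDn"
                       Description="Added rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$safeDn" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
    }

    # S-1-1-0 is Everyone; only the Appx collection is present so -Merge below
    # leaves the existing Exe / Msi / Script collections untouched.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
}

New-MicrosoftAppxPolicyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before touching anything: every inbox package should come back Allowed.
$verdicts = Get-AppxPackage -AllUsers | Test-AppLockerPolicy -XmlPolicy $policyPath
$verdicts | Group-Object PolicyDecision | Select-Object Name, Count
$verdicts | Where-Object PolicyDecision -ne 'Allowed' |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Merge the Appx collection into the local policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# On a domain-joined machine the GPO is authoritative, so import the same XML
# into the GPO (Group Policy editor, or Set-AppLockerPolicy -Ldap "LDAP://..."),
# then gpupdate /force and confirm the Start menu works before tightening further.
```

The dry run is the important part: if Test-AppLockerPolicy reports anything other than Allowed for an inbox package, fix the rule set before merging, because once the Appx collection is enforced a missed publisher means another blocked Start menu.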


4 comments

  1. Glenn Turner

    Thank you!!!! Another way to do this without turning off AppLocker entirely is to go into policy:

    COMPUTER > Policies > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app Rules
    Right-click and choose Create Default Rules.

    That allows Everyone to run All signed packaged apps.

    You can then fine-tune to allow just Microsoft apps, and still keep your existing investment in terms of Executable Rules and Windows Installer Rules.


    • Brett Moffett

      That is a good point Glenn and a good starting point for people not wanting to get too in depth.
      Allowing people to run All Signed Packaged apps is a good basic strategy but unfortunately virus writers are even signing their code nowadays. Rare, but it happens.
      All depends on how deep you want to get with your security.


      • Glenn Turner

        Yes, definitely. Once we verified that this would fix it, we got rid of that rule. We replaced it with one that allows Everyone to run all packaged apps signed by Microsoft. That’s the only rule, so if it’s not signed by MS, it won’t run. As we’re running LTSB and there’s no Store, there’s no legitimate reason to allow anything other than MS-signed apps. Problem solved.

        Thanks again… Finding this article after checking the AppLocker Event logs confirmed that we were on the right track and allowed us to quickly fix it.
