Rick Montrose Dangleton
Guest
Since updating some machines in our enterprise to Windows 10 1809, AppLocker's default rule for Packaged App Execution is randomly blocking Calculator intermittently. We only have the default rule for Packaged App Execution being enforced, which allows all signed packaged apps to run, yet if I view the event log for AppLocker when the problem occurs, the event ID that is logged clearly indicates AppLocker is not working properly. Instead of being filled out with details about the app, everything is blank. The RuleID is a series of zeros, the RuleName is blank, and on the general screen where the name of the app should be listed, it just says (blank) " was prevented from running" without the app name. The strangest thing about the issue is that if the user waits and tries again later, it will start working again, without even rebooting or logging off. Looking at event logs, it is probably working 99% of the time; it just randomly does this 1% of the time, then returns to normal.
It does not appear to affect any other app except Calculator that I have seen, although we do not use many UWP apps. We do not have any issues with any other AppLocker rules for executables, etc., just Calculator, and only since installing 1809. I have cleared the AppLocker policy and re-applied the default rule and that had no effect on the problem. We have multiple machines exhibiting this issue so I believe this may be a bug.
Here is a sample of the event id 8022 that is generated during this issue:
General:
" was prevented from running."
PolicyNameLength 4
PolicyName APPX
RuleId {00000000-0000-0000-0000-000000000000}
RuleNameLength 1
RuleName -
RuleSddlLength 1
RuleSddl -
TargetUser (User SID Redacted)
TargetProcessId 12460
PackageLength 0
Package
FqbnLength 1
Fqbn -
And here is a sample 8020 for Calculator when it was allowed to run from the very same machine.
General:
"MICROSOFT.WINDOWSCALCULATOR was allowed to run."
PolicyNameLength 4
PolicyName APPX
RuleId {0ff4dd23-7c87-489b-a3b8-cb2b35e5eadf}
RuleNameLength 24
RuleName All signed packaged apps
RuleSddlLength 81
RuleSddl DXA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({"\\*",0}))))
TargetUser (User SID Redacted)
TargetProcessId 6624
PackageLength 27
Package MICROSOFT.WINDOWSCALCULATOR
FqbnLength 129
Fqbn CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT.WINDOWSCALCULATOR\APPX\10.1811.3241.00
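One way to count how often the blank 8022 described in this post occurs on a machine, separating it from blocks that name a real package. This is an added example, not part of the original post; it assumes the events are in the `Microsoft-Windows-AppLocker/Packaged app-Execution` channel and that the fields quoted in the post (`RuleId`, `PackageLength`, `Fqbn`) appear as XML elements of the same names, and the function names are hypothetical.

```powershell
# Added example. Assumptions: channel name below, and event XML element names
# matching the field names quoted in the post.
$LogName  = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
$NullRule = '{00000000-0000-0000-0000-000000000000}'

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    # Namespace-agnostic lookup, so the wrapper element under UserData does not matter.
    $node = $Xml.SelectSingleNode("//*[local-name()='$Name']")
    if ($null -ne $node) { $node.InnerText.Trim() } else { $null }
}

function Test-BlankAppxBlock {
    param([xml]$Xml)
    # The pattern from the post: all-zero RuleId, zero-length Package, Fqbn of "-".
    $fqbn = Get-EventField $Xml 'Fqbn'
    ((Get-EventField $Xml 'RuleId') -eq $NullRule) -and
        ((Get-EventField $Xml 'PackageLength') -eq '0') -and
        ([string]::IsNullOrEmpty($fqbn) -or $fqbn -eq '-')
}

function Get-BlankAppxBlock {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Pull every 8022 and keep only the ones with no rule and no package identity.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $LogName; Id = 8022 } |
        Where-Object { Test-BlankAppxBlock ([xml]$_.ToXml()) } |
        Select-Object TimeCreated, MachineName, Id
}

# Constructed sample XML, built from the field values quoted in the post.
$blank = [xml]@'
<Event><UserData><RuleAndFileData>
  <PolicyName>APPX</PolicyName>
  <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
  <PackageLength>0</PackageLength><Package></Package>
  <Fqbn>-</Fqbn>
</RuleAndFileData></UserData></Event>
'@
$named = [xml]@'
<Event><UserData><RuleAndFileData>
  <PolicyName>APPX</PolicyName>
  <RuleId>{0ff4dd23-7c87-489b-a3b8-cb2b35e5eadf}</RuleId>
  <PackageLength>27</PackageLength><Package>MICROSOFT.WINDOWSCALCULATOR</Package>
</RuleAndFileData></UserData></Event>
'@
"blank sample flagged: $(Test-BlankAppxBlock $blank); named sample flagged: $(Test-BlankAppxBlock $named)"
```

Running `Get-BlankAppxBlock` against each affected machine gives timestamps that can be lined up with the 8020 events for the same user to show how intermittent the failure is.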