AppLocker shows no events?

EE,

We aren't receiving events from AppLocker applied to our servers. It's the same policy applied to the workstations (which work). The identity service is started. This can't be a GPO/config issue as it's working on the workstations.

Considering that this works on 2008 R2 servers in my lab, I'm curious as to why we can't get it to work in production. GPResult obviously shows it's applied. GPResult /h shows applied and gplogview -h doesn't show any errors.

Any advice? Thanks in advance
snyderkv Asked:

McKnife Commented:
Although your description is not too precise yet, I am tempted to confirm: yes, AppLocker has bugs. Sometimes it will not start blocking at all; sometimes it blocks perfectly but fails to show popups.
But you need to be more precise about what is failing exactly.
snyderkv (Author) Commented:
Thanks for responding

It shows zero events in the event logs meaning the policy is not even applying (to multiple servers we tested)

It works on workstations, not on servers using the same policy. Workstations receive blocked messages and show the respective event IDs. The servers show 0 events and act as if the identity service isn't even turned on
snyderkv (Author) Commented:
Anybody? We are out of ideas. Tried everything, ruled out GPO corruption etc. Verified the GPO with GPOtool and gplogview. Applies fine to workstations. Is this a STIG? Maybe STIGs or hardened policy settings?

snyderkv (Author) Commented:
As a workaround, if anyone can send me an easy step by step to do this in SRP, that would help in the meantime.
McKnife Commented:
If the policy does not even apply, the error lies in the security filtering of the policy, in the WMI filtering you might have applied, or is due to the servers being in an OU with no link to the policy. Check that, please.
snyderkv (Author) Commented:
McKnife,

The policy does apply doing a gpresult as stated. But the events in event viewer show 0. This couldn't be an Applocker configuration issue as it should still at least show events.
McKnife Commented:
Please see if the registry settings connected to AppLocker can be found at HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
snyderkv (Author) Commented:
No keys in the root key, but Exe shows EnforcementMode 1. The keys below show the rule paths. No changes in the event logs or anything being blocked.
McKnife Commented:
Ok, weird indeed. And by writing "The identity service is started", you meant the application identity service?
Under what account is it running, still the default "Local service"?
snyderkv (Author) Commented:
Yes and I even logged it back in, hit apply and restarted the service. Still nothing
McKnife Commented:
Had that sometimes, too. Change from enforced to audit, wait a little and then back.
snyderkv (Author) Commented:
I reset the security database using secedit and rebooted. Events are now populating in the event log but I have not tested the policies out.

By the way, 2012 actually shows events without clearing the security database, but 2008 does not. I'm going to have a hard time finding out which policies/registry settings/ACLs are preventing AppLocker events from showing up and policies from applying. Possibly ACLs on the Identity service itself? Any suggestions are welcome.
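The checks McKnife asks for above (the SrpV2 registry keys and the account the Application Identity service runs under) and the thing the author eventually looked at (the AppLocker event logs) can be gathered from one host in a single script. The following is an added example, not code from anyone in this thread. It assumes the AppLocker PowerShell module that ships with Windows 7 / Server 2008 R2 and later is present, and the syntax is kept PowerShell 2.0-compatible so it runs on 2008 R2; the EnforcementMode values and the event IDs are the documented ones.

```powershell
# Added example (not code from the thread). Run in an elevated PowerShell
# on the affected server. Assumes the AppLocker module ships with the OS
# (Windows 7 / Server 2008 R2 and later); syntax kept PowerShell 2.0-compatible.
Import-Module AppLocker -ErrorAction Stop

function Get-AppLockerHealth {
    # 1. Application Identity service: must be running; the default account
    #    is NT AUTHORITY\LocalService.
    $svc    = Get-Service -Name AppIDSvc -ErrorAction Stop
    $svcWmi = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"

    # 2. What Group Policy wrote to the registry. One subkey per collection
    #    (Exe, Dll, Msi, Script); EnforcementMode 1 = enforce rules,
    #    0 = audit only, value missing = not configured.
    $srpv2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $collections = @()
    if (Test-Path $srpv2) {
        foreach ($key in (Get-ChildItem -Path $srpv2)) {
            $collections += New-Object PSObject -Property @{
                Collection      = $key.PSChildName
                EnforcementMode = (Get-ItemProperty -Path $key.PSPath).EnforcementMode
                RuleCount       = @(Get-ChildItem -Path $key.PSPath).Count
            }
        }
    }

    # 3. What the AppLocker engine actually merged (local + domain policy).
    $effective      = [xml](Get-AppLockerPolicy -Effective -Xml)
    $effectiveRules = $effective.SelectNodes('//RuleCollection/*').Count

    # 4. Events of the last 24 h per log. 8001 = policy applied;
    #    8002/8005 = allowed; 8003/8006 = audit "would have blocked";
    #    8004/8007 = blocked. No 8001 at all means the engine never loaded
    #    the policy, which is the symptom described in the question.
    $since  = (Get-Date).AddDays(-1)
    $events = @{}
    foreach ($log in 'Microsoft-Windows-AppLocker/EXE and DLL',
                     'Microsoft-Windows-AppLocker/MSI and Script') {
        $hits = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } `
                             -ErrorAction SilentlyContinue
        $events[$log] = @($hits | Group-Object -Property Id |
                          ForEach-Object { '{0}={1}' -f $_.Name, $_.Count })
    }

    New-Object PSObject -Property @{
        ServiceStatus      = $svc.Status
        ServiceStartMode   = $svcWmi.StartMode
        ServiceAccount     = $svcWmi.StartName
        RegistryPresent    = (Test-Path $srpv2)
        Collections        = $collections
        EffectiveRuleCount = $effectiveRules
        EventsLast24h      = $events
    }
}

Get-AppLockerHealth | Format-List
```

Read the output from the bottom up: if the service is running as LocalService, the SrpV2 collections are present with a non-zero rule count, the effective policy contains rules, and yet EventsLast24h has no 8001 entries, the policy is reaching the box through Group Policy but the local engine is not loading it, which matches what the author describes. The author's fix was to reset the local security database with secedit and reboot; the thread does not give the exact command, but the usual one for that is `secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose` (assumed here, and it resets all local security settings, not just AppLocker, so compare the GPO-enforced settings afterwards).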
McKnife Commented:
I have worked with AppLocker for as long as it has been out. It has these bugs. Once it runs, all is good, but sometimes it just won't start working right from the start. That is not your fault.
snyderkv (Author) Commented:
Went ahead and used SRP instead and it worked. Someone at M$ dropped the ball here

Question, how do you make an allow for \\sysvol paths when workstations login (via applocker) so that logon scripts etc can be applied?
McKnife Commented:
Allow the path \\domain.local\sysvol\policies\*
Better even: sign your scripts and allow everything you sign.
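Both of McKnife's suggestions, a path rule for SYSVOL and a publisher rule for scripts you sign yourself, can be expressed as one AppLocker Script rule collection. The following is an added example, not McKnife's or the author's code. The domain name, the certificate subject and the script path are placeholders. One practical caveat the example accounts for: the SYSVOL share is laid out as \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\..., so the path condition needs to include the second domain component, otherwise the wildcard does not reach the logon scripts.

```powershell
# Added example (not code from the thread). Builds a Script rule collection
# that allows logon scripts under SYSVOL by path and any script signed by the
# corporate code-signing certificate. Placeholders: $domain, $publisher,
# the GPO GUID in $script and the LDAP path used by Set-AppLockerPolicy.
Import-Module AppLocker -ErrorAction Stop

$domain    = 'domain.local'                              # placeholder
$publisher = 'O=CONTOSO, L=REDMOND, S=WASHINGTON, C=US'  # placeholder: subject of the signing cert

# SYSVOL layout is \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\..., so the
# wildcard has to sit below the second domain component.
$sysvolPath = "\\$domain\SYSVOL\$domain\Policies\*"

# S-1-1-0 is the well-known SID for Everyone. The publisher rule matches any
# product and binary name, any version, as long as the signer subject matches.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Logon scripts from SYSVOL"
                  Description="Allow scripts stored under the SYSVOL Policies folder"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$sysvolPath" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Scripts signed by our code-signing cert"
                       Description="Allow any script signed with the corporate code-signing certificate"
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'logon-scripts-applocker.xml'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# Sign a logon script so the publisher rule covers it (path is a placeholder).
$script = "\\$domain\SYSVOL\$domain\Policies\{GPO-GUID}\User\Scripts\Logon\logon.ps1"
$cert   = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if ($cert -eq $null) { throw 'No code-signing certificate in the personal store' }
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# Dry run before deploying: shows Allowed/Denied and which rule matched.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $script -User Everyone

# Merge into the AppLocker GPO (placeholder LDAP path). For a local-only test
# box, drop -Ldap and the policy is merged into the local AppLocker policy.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge `
    -Ldap "LDAP://$domain/CN={GPO-GUID},CN=Policies,CN=System,DC=domain,DC=local"
```

Deploy with EnforcementMode set to AuditOnly first and watch for 8006 events in the "MSI and Script" log; anything a user actually needs that would have been blocked shows up there before you switch the collection to Enabled. The publisher rule is the one to keep long term: a path rule on SYSVOL allows anyone who can write there, whereas the publisher rule allows only what the holder of the signing key has approved.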
