Applocker CSP updates not working

Occasional Visitor

Hello!

 

We are using applocker via CSP (AppLocker CSP - Windows Client Management | Microsoft Learn) and it has been working great for years. But for some reason it resently stoped working with updates. If i publish a new XML the device will ge the XML, I can verify it by looking att the XML files in c:\Windows\system32\AppLocker\MDM\x\x\Applocker\ApplicationLaunchRestrictions\x\ and then the coresponding folder for each type, but it wont apply unit i remove all .policy files in c:\Windows\system32\AppLocker 

 

Can anyone help me understand why I need to delete those files in order to get it working?

2 Replies

@dasbult 

 

Not sure why it's failing to reapply, but possibly you could take a look at this PowerShell to go about clearing the local policy. Could be a possible workaround to purge the .policy files.

 

How to clear a local Applocker policy 

 

Only other thought is that possibly during a previous update, some bad policy value got set which ends up clogging the XML from properly refreshing. Only way to know that would be to backtrack through the updates, or possibly restart with a fresh policy config rather than continuing to update the existing.

 

Please upvote and accept this thread as answered if it's helpful, thanks!

Noticed it a couple of times... each time it happened there was an additional applocker policy on the device itself (which is odd ofcourse)
https://call4cloud.nl/2021/01/applocker-the-meltdown/
Removing them indeed sovles it, but shouldn't be necessary.