Confirming that AppLocker Policies have been applied

When using MDM to push AppLocker policies to a Windows 10 device, there are several places that you can check to confirm that your settings have been successfully applied.

  1. File Explorer
  2. Event Viewer
  3. Fiddler
  4. Try to launch the App

Let’s take a look…

1. File Explorer

Open up File Explorer. Look at the subfolders of C:\Windows\System32\AppLocker\MDM to see whether the corresponding rules exist for EXE, MSI, Scripts, and APPX. Open the Policy file with Notepad++ to make sure that its contents match the contents of the policy that you pushed with your MDM.

2. Event Viewer

Open up Event Viewer. Navigate to the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log to confirm that the policy was correctly ingested.

BAD – This AppLocker policy failed to apply successfully.

3. Fiddler

Install and run Fiddler to see which CmdID(s) did not receive a 200. 200 is good. Anything besides a 200 is bad.

GOOD – The Command response was 200
BAD – The Command response was 500

4. Try to launch the app on a device

Once you have confirmed that the policy exists on the device and did not fail, try to open the app. If you see a block message, you know that your rule has been applied correctly.

GOOD – The AppLocker policy is blocking this application from running
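
Checks 1 and 2 above can also be scripted on the device. The following PowerShell is an added example, not part of the original post. It assumes that the policy files under the MDM folder contain AppLocker policy XML (RuleCollection elements), that failure events mention "AppLocker" in their message text, and that a one-day look-back window is enough.

```powershell
# Added example: scripted version of check 1 (policy files) and check 2 (event log).
# Run in an elevated 64-bit PowerShell session on the enrolled device.
$mdmRoot = 'C:\Windows\System32\AppLocker\MDM'
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Check 1: list every file under the MDM folder and summarize the rules it holds.
if (-not (Test-Path -LiteralPath $mdmRoot)) {
    Write-Warning "$mdmRoot does not exist: no MDM AppLocker policy found on this device."
} else {
    Get-ChildItem -LiteralPath $mdmRoot -Recurse -File | ForEach-Object {
        $file = $_
        try {
            # Assumption: the file is AppLocker policy XML with RuleCollection elements.
            [xml]$policy = Get-Content -LiteralPath $file.FullName -Raw
            $collections = @($policy.SelectNodes('//RuleCollection'))
        } catch {
            Write-Warning "Could not parse $($file.FullName) as XML: $($_.Exception.Message)"
            return   # skip to the next file
        }
        if ($collections.Count -eq 0) {
            Write-Warning "No RuleCollection element in $($file.FullName)"
        }
        foreach ($c in $collections) {
            [pscustomobject]@{
                Type        = $c.GetAttribute('Type')             # Exe, Msi, Script, Appx, Dll
                Enforcement = $c.GetAttribute('EnforcementMode')
                Rules       = $c.SelectNodes('*[@Id]').Count      # rule elements carry an Id
                LastWrite   = $file.LastWriteTime
                File        = $file.FullName
            }
        }
    } | Format-List
}

# Check 2: recent errors (Level 2) and warnings (Level 3) in the MDM diagnostics log.
# Assumption: a failed AppLocker policy is logged with "AppLocker" in the message.
$since  = (Get-Date).AddDays(-1)
$filter = @{ LogName = $logName; Level = 2, 3; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AppLocker' }

if ($events) {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
} else {
    "No AppLocker-related errors or warnings logged since $since."
}
```

An empty result from the second check only means that no matching failure was logged in the window; compare the rule counts and enforcement modes from the first check against the policy you pushed.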

I hope that you find this content helpful. Let us know if there are any other MDM related questions that we can answer for you!
