Hi,
In my company we're currently deploying Win7 in combination with AppLocker. We're using whitelists (everything is blocked unless we specifically allow it) so coming from a fairly open environment on XP, the change is quite drastic.
Anyway, after doing ~250 roll outs, we're now seeing several workstations where AppLocker's core, the Application Identity service, refuses to start, thereby dropping all AppLocker policies. This means that although users still aren't part of local admins, they are now suddenly able to start all sorts of standalone apps again which is obviously not what we wanted (this is why we've brought AppLocker in the 1st place).
When I manually start Application Identity, it says one of its dependencies failed to start. When I then have a closer look, it indeed seems the (hidden) service "AppID" has a problem - this is what happens when I try to start it through DOS:
Code:
C:\Windows\system32>net start AppID
System error 31 has occurred.
A device attached to the system is not functioning.
I've checked Device Management but all physical devices seem correctly installed. I've also googled all over but can't seem to find a single posting about this issue - does anyone perhaps know what is going on here?
Thanks in advance - your help is greatly appreciated! Regards,
Ook
Just curious.. does it start then?
Hi Jeremy,
Thanks for checking but no, it eventually does not start the service (so effectively anybody logging on to these machines is without any AppLocker policies). At first I thought the policies weren't getting through properly but later on I discovered the lack of Application Identity service causes this behaviour.
PS: In the topic title I mentioned the word "server" but this should obviously be "service". If an admin could change this for me, much appreciated.
Sorry for bumping this but this problem seems to be spreading within our org; I see more and more users who 'suddenly' have problems starting this service (and hence don't receive any AppLocker policies). I just can't seem to be able to find any more info about it.. Thanks in advance!
PS: Admin, could you please fix the topic title (server --> service) so it covers the load? Thanks!
One more bump - sorry guys, getting desperate!
So, this is the kind of thing I would plunk down the $150 and call MS and get resolved. It's too serious to mess around with. Just my 2 ¢.
-Jeremy Moskowitz
GPanswers.com
PolicyPak.com
Short of something that is going to require a hotfix from Microsoft, there has to be something that is conflicting or causing the problem. Is there anything that these boxes have in common? Do all of the computers that are having problems have anyone that uses them regularly that has Admin rights? Are they running any kind of non "off the shelf" software? Are you running a 3rd party antivirus/firewall or IPS that could have rules that are stopping the service from starting? Have you checked the Event Log for any further error messages?
Have you tried taking one of these systems and moving it to an OU that only has the AppLocker rules applied and loopback set to Replace so that when a user logs in, no Group Policy is applying except the AppLocker rules? You might even want to consider temporarily removing antivirus and 3rd party firewall. Try starting AppID and see if it still errors. If it does, you've at least eliminated your other policy as the culprit.
Thanks for the suggestions guys. One of the machines is my own and I'm indeed a local admin on it. I'll double check the other ones but I personally don't have any 'strange' apps installed; all business related and all official/licensed etc. I will have a go at changing the policies (on a test OU and with the AV scan unloaded). I will let you know what happens! Cheers so far (and yes, we might eventually raise this as a ticket with MS but that's basically my last resort).
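Added example, not part of any post in this thread: a PowerShell check for the condition described above, where AppLocker rules are configured but the Application Identity service or its AppID driver is not running, so nothing is enforced. The function name Get-AppLockerHealth is hypothetical; AppIDSvc is the short name of the Application Identity service, and the script sticks to cmdlets available in the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: flag machines where AppLocker policy exists but is not being enforced.
# PowerShell 2.0 compatible (no Get-CimInstance, no [pscustomobject]).
function Get-AppLockerHealth {
    # AppIDSvc = "Application Identity" service; AppID = the driver it depends on.
    $svc = Get-WmiObject Win32_Service      -Filter "Name='AppIDSvc'"
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='AppID'"
    $svcState = 'Missing'; if ($svc) { $svcState = $svc.State }
    $drvState = 'Missing'; if ($drv) { $drvState = $drv.State }

    # Rule collections set to enforce in the effective (local + GPO) policy.
    $enforced = @()
    try {
        Import-Module AppLocker -ErrorAction Stop
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $enforced = @($policy.AppLockerPolicy.RuleCollection |
            Where-Object { $_.EnforcementMode -eq 'Enabled' -and $_.HasChildNodes } |
            ForEach-Object { $_.Type })
    } catch {
        Write-Warning "Could not read effective AppLocker policy: $_"
    }

    # Service Control Manager start failures (7000) and dependency failures (7001).
    $failures = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7001
        } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Application Identity|AppID' } |
        Select-Object -First 5 TimeCreated, Id, Message)

    # Fail-open: rules are meant to be enforced, but the enforcement path is down.
    $failOpen = ($enforced.Count -gt 0) -and
                (($svcState -ne 'Running') -or ($drvState -ne 'Running'))

    New-Object PSObject -Property @{
        Computer         = $env:COMPUTERNAME
        AppIDSvcState    = $svcState
        AppIDDriverState = $drvState
        EnforcedRuleSets = ($enforced -join ',')
        FailOpen         = $failOpen
        RecentFailures   = $failures
    }
}

Get-AppLockerHealth | Format-List
```

Run it elevated on an affected workstation; a result with FailOpen set to True is the state described in this thread.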