App Control for Business for regular humans - Part 3
How to do basic troubleshooting for App Control for Business
App Control for Business (ACfB) for regular humans
Part 3 - Troubleshooting
The last part to this section is troubleshooting. How do you go about fixing an application you can’t get running? There are applications for example, store data in local appdata that is not signed or in ProgramData that may need just a bit more work to get functioning.
Event Viewer
The reason I have suggested in these posts that you do this app by app is so you can look at Event Viewer to better see what is and isn’t working. ACfB records faulting events to two areas in particular. The one you will likely spend most time looking into is the CodeIntegrity logs. This is under ‘Applications and Services Logs’, ‘Microsoft’, ‘Windows’, ‘CodeIntegrity’.
Event ID 3077 and 3033 provide you with the file that has been blocked, and which policy is blocking it. This will be a base policy, and in the instance of this screenshot is the first base policy I created. This is the first step to creating the next supplemental policy to add to your configuration. Start permitting these blocked files one by one, and see if you perhaps need to start allowing through other publishers such as the .NET Foundation. I feel I need to stress at this stage that the more you unlock, the more risk you open your business to. However if you haven’t had any kind of Application filtering in place, then this should be putting you in a much better place.
You won’t always be allowing through Publishers, sometimes you may need to allow through a particular file, like a DLL, that hasn’t been signed. You would use the File Hash type here rather than Publisher or Path, just to allow the particular hash for that file to work. This can happen when apps store temporary data in AppData, for example.
Sometimes you will need to allow directories outside of Program Files. Some applications store critical data in ProgramData as well. Some of these directories can be allowed as they’re only writable by Administrators, similar to Program Files.
When you have made the additional policies and tested they allow your application to function without error, it’s always worth checking one that you wouldn’t expect to work that you haven’t explicitly blocked already.
Wrapping up
Congratulations on making it this far, it’s a complicated topic and there are a hundred ways to do all of it. These posts have all just been my way of handling this technology, and I hope you have found it useful. Deploying ACfB can be done in Intune under Endpoint Security, App Control for Business (currently in Preview). Here you would deply the XML files that have been created to your devices.