Implement App Control For Business

Ruben Faustinita 80 Reputation points
2025-02-12T19:04:24.02+00:00

Good afternoon,

To protect our organisation from possible improper installations, we implemented Microsoft's new App Control for Business tool.

We've had some challenges, but we've managed to overcome them all by applying supplementary policies with a few necessary exceptions to keep the organisation running smoothly. However, there is one problem that we're not getting to grips with.

After analysing the events generated by the policy in ‘Audit’ mode, many of the blocked .DLLs are within the user's own profile. This is a problem because we need to make some exceptions but we can't find an alternative for the exception to be applied to all users.

When we create the rule, it doesn't convert the user's profile name into something generic like %USERPROFILE%.

It creates the rule with the direct path as shown in the image.

[image attached to the original post]

Does anyone have any ideas on this subject or have you experienced it?

Thank you in advance for your help.

Best regards,

Ruben Faustinita


2 answers

  1. Crystal-MSFT 52,736 Reputation points Microsoft External Staff
    2025-02-13T02:15:33.7833333+00:00

    @Ruben Faustinita, Thanks for posting in Q&A. In fact, App Control For Business uses path variables for well-known directories in Windows. Path variables aren't environment variables. For %USERPROFILE%, I don't find it among the path variables. You can use wildcards in App Control filepath rules to see if that works.

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create#more-information-about-filepath-rules

    Hope the above information can help.




  2. Ruben Faustinita 80 Reputation points
    2025-03-07T15:46:02.46+00:00

    Good afternoon,
    I'll give you a bit more context to try to frame our problem.
    To be able to protect our devices from improper installations, we are adopting App Control for Business. Almost 100% of our applications are sent via the Company Portal, which helps us implement these policies. However, we have had some problems with applications that create content after their first use. This added content is blocked by our App Control for Business base policy. To avoid this, we created a supplementary policy in which we make an exception for the application by "Publisher" and "Issuer". This option has worked for many applications without any problems.

    The problem happens when we talk about .dll files. For some reason the base policy blocks many DLLs. Many that seem to me to be trustworthy are being blocked, and most of them are within the user's profile. It has been very difficult to find a way to deal with this because there are so many DLLs that the only alternative we have is to exclude them using the hash or the path where they are located. If we work with hashes, when we have an update everything will stop again. If we work with the path, we have to make dozens of wildcards to get to the path where the DLL is located within the user profile.

    This is our base policy, based on "Allow Microsoft Mode".

    [attachment from the original post, not reproduced]

    Our question is: what is your recommendation to overcome these problems? Is there some type of configuration that is wrong and that could be causing all this impact?

    We have another problem that we don't understand.

    We have some exclusions for paths that we know users can't write to, like Program Files (x86), and yet some things are being blocked.

    [attachment from the original post, not reproduced]

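Worked example added by the editor (not code from either participant in the thread) that addresses both the answer's suggestion to try wildcards in filepath rules and the follow-up's question about how to handle the blocked DLLs and why some Program Files (x86) exclusions still don't take effect. The caveat that decides the user-profile case: at enforcement time App Control only honours a FilePath allow rule when the path is not writable by non-administrators. Rule option 18, "Disabled:Runtime FilePath Rule Protection", switches that check off and should stay unset, because it would let any user plant a DLL in the allowed path. A rule such as C:\Users\*\AppData\... therefore cannot authorise DLLs in a profile, whatever wildcard form is used, and the same applies to a vendor folder under Program Files whose installer granted Users modify rights. The script reads the audit-mode 3076 events, reports which blocked files sit in user-writable locations and who signed them, generates FilePublisher rules with a hash fallback from the audit log, adds trailing-wildcard path rules only for admin-only directories, and packages the result as a supplemental policy. It assumes Windows PowerShell 5.1 with the built-in ConfigCI module on a Windows 11 22H2 or later device; the base policy GUID, the policy name, the working directory and the ACL heuristic in Test-UserWritable are the editor's assumptions, not values from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 (the
# ConfigCI module does not load in PowerShell 7) on a Windows 11 22H2+ device that
# has been running the base policy in audit mode. $BasePolicyId, the policy name
# and the working directory are placeholders to replace.

$BasePolicyId = '{00000000-0000-0000-0000-000000000000}'
$Work    = Join-Path $env:SystemDrive 'WDAC'
$SuppXml = Join-Path $Work 'Supplemental-AuditExceptions.xml'
$SuppCip = Join-Path $Work 'Supplemental-AuditExceptions.cip'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Files that audit mode says it would have blocked (event 3076; 3077 is the
#    enforced-mode block). FileNameBuffer is a kernel device path such as
#    \Device\HarddiskVolume3\Users\alice\AppData\Local\Vendor\helper.dll.
function Get-AuditBlockedFiles {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'FileNameBuffer' }).'#text'
    } | ForEach-Object {
        # Only the system volume is mapped; add HarddiskVolumeN mappings for others.
        $_ -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
    } | Sort-Object -Unique | Where-Object { Test-Path -LiteralPath $_ }
}

# 2. At enforcement time a FilePath allow rule is only honoured when the path is
#    not writable by non-administrators (rule option 18 disables that check; leave
#    it unset). A path rule under C:\Users\<name>\... is therefore ignored however
#    the wildcard is written, and so is a Program Files folder whose installer gave
#    Users modify rights. This ACL check approximates the test (heuristic).
function Test-UserWritable([string]$Path) {
    $dir = if (Test-Path -LiteralPath $Path -PathType Container) { $Path } else { Split-Path -Path $Path }
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # SYSTEM, Administrators, TrustedInstaller may write to an allow-listed path.
    $adminSids = 'S-1-5-18', 'S-1-5-32-544', 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }  # e.g. CREATOR OWNER
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { return $true }
        # Domain RIDs 500/512/519 = built-in Administrator, Domain Admins, Enterprise Admins.
        $isAdmin = ($adminSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-(500|512|519)$')
        if (-not $isAdmin) { return $true }
    }
    return $false
}

# Triage view: choose the rule type per file deliberately instead of per event.
function Get-BlockedFileReport {
    foreach ($f in Get-AuditBlockedFiles) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f
        [pscustomobject]@{
            File         = $f
            UserWritable = Test-UserWritable $f
            Publisher    = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "(unsigned: $($sig.Status))" }
        }
    }
}
Get-BlockedFileReport | Sort-Object UserWritable, Publisher | Format-Table -AutoSize

# 3. Rules from the audit log. FilePublisher survives vendor updates; Hash is the
#    fallback for unsigned files and must be regenerated after every update.
#    -UserPEs places the rules in the user-mode signing scenario, where DLLs are checked.
New-CIPolicy -FilePath $SuppXml -Audit -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat

# Trailing-wildcard path rules only for directories non-admins cannot write to.
# %OSDRIVE%, %WINDIR% and %SYSTEM32% are App Control path macros, not environment
# variables; there is no %USERPROFILE% macro, and a profile fails the writability test anyway.
$adminOnlyDirs = Get-AuditBlockedFiles | Split-Path -Parent | Sort-Object -Unique |
                 Where-Object { -not (Test-UserWritable $_) }
$pathRules = foreach ($d in $adminOnlyDirs) {
    New-CIPolicyRule -FilePathRule (($d -replace ('^' + [regex]::Escape($env:SystemDrive)), '%OSDRIVE%') + '\*')
}
if ($pathRules) {
    $merged = Join-Path $Work 'merged.xml'
    Merge-CIPolicy -PolicyPaths $SuppXml -Rules $pathRules -OutputFilePath $merged | Out-Null
    Move-Item -LiteralPath $merged -Destination $SuppXml -Force
}

# 4. Bind it to the existing base policy, make sure runtime path protection stays
#    on (option 18 absent), compile, and test on one device before uploading the
#    XML through Intune:  citool --update-policy $SuppCip
Set-CIPolicyIdInfo -FilePath $SuppXml -PolicyName 'Supplemental - audit exceptions' -SupplementsBasePolicyID $BasePolicyId
Set-RuleOption -FilePath $SuppXml -Option 18 -Delete
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryPath $SuppCip -ErrorAction Stop | Out-Null
```

Run it elevated on a device that has been in audit mode long enough to have seen the applications in daily use, read the report before looking at the policy it produced, and try the compiled .cip with citool on one device before publishing the XML through Intune. Files that the report shows as unsigned and inside the profile can only ever get hash rules, which is exactly the update churn described in the follow-up; those are the ones to raise with the vendor rather than to keep allow-listing. A Program Files (x86) directory that the report flags as user-writable explains a path exclusion that "should" work but does not: fix the ACL or fall back to a publisher rule instead of relaxing option 18.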
