ARC Profile Not Working on Windows Devices
Summary
Issue Description
When an Application Run Control profile is assigned and installed on Windows Modern Devices, the profile deployment appears successful. However, the expected application restrictions are not enforced. Applications that should be blocked as per the profile configuration remain accessible and can still be launched by users. This results in a failure to control or restrict application usage.
Environment
Windows Modern Devices OS version 10
SOTI MobiControl 2025.0.0
Symptoms
When an Application Run Control profile is assigned and installed on Windows Modern Devices, the expected behavior is that specific applications defined in the policy should be blocked from running. However, in this case:
- The Application Run Control profile successfully deploys and shows as installed on the targeted device(s).
- Applications that are configured to be blocked in the profile remain accessible and can still be launched by end users.
- No error messages or notifications are displayed to indicate a failure in applying the application restrictions.
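As an added diagnostic (not part of the SOTI article), the following PowerShell checks on the affected device the two preconditions AppLocker needs before any ARC restriction can take effect: the state and start mode of the Application Identity service, and the enforcement mode of each rule collection in the effective policy. It assumes an elevated PowerShell session on the device.

```powershell
# Added diagnostic example, not part of the SOTI article.
# Assumes an elevated PowerShell session on the affected Windows 10 device.

# 1. Application Identity service: AppLocker rules are only enforced while it runs.
$svc = Get-Service -Name AppIDSvc
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'").StartMode
Write-Output ("AppIDSvc status: {0}, start mode: {1}" -f $svc.Status, $startMode)

# 2. Effective policy: which rule collections are actually being enforced
#    (EnforcementMode is Enabled, AuditOnly or NotConfigured) and how many rules each holds.
$policy = Get-AppLockerPolicy -Effective
foreach ($rc in $policy.RuleCollections) {
    Write-Output ("{0,-8} EnforcementMode={1,-14} rules={2}" -f $rc.RuleCollectionType, $rc.EnforcementMode, $rc.Count)
}

# A deployed ARC profile that has no effect typically shows up here as either
# AppIDSvc stopped/disabled, or the Exe collection still in NotConfigured/AuditOnly.
```

Run it before applying the workaround to confirm the cause, and again afterwards to confirm that AppIDSvc is Running with start mode Auto and that the Exe collection reports EnforcementMode=Enabled.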
Issue Resolution
Upgrade to SOTI MobiControl version 2025.1.0.
Workarounds
Until the upgrade is applied, this issue can be worked around with the following custom scripts:
1. Start the Application Identity service (AppIDSvc) on the affected devices; AppLocker only enforces rules while this service is running. Select the device in the web console and run the following script using the Send Script option in PowerShell Native mode:
# AppIDSvc is a protected service on Windows 10, so sc.exe is used here: Set-Service cannot change its start type.
# sc.exe requires the space after "start=".
sc.exe config appidsvc start= auto
# "config" only sets the startup type; start the service now as well
sc.exe start appidsvc
2. Remove the ARC profile (its AppLocker rules) using the following script (this needs to be run in PowerShell Native mode). The Edge Browser application is used in this example. You must set $EdgePath in the second line to the path of the Edge Browser executable on your system:
# Define the path to the Edge Browser executable
$EdgePath = "Write the file path for Edge Browser exe file"
# Check if Edge Browser is installed
if (Test-Path $EdgePath) {
    # Create a clear AppLocker policy file: every collection set to NotConfigured removes the deployed rules
    $clearPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured"/>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured"/>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured"/>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured"/>
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured"/>
</AppLockerPolicy>
"@
    # Save the clear policy to a temporary file
    $clearPolicyPath = "$env:TEMP\clearPolicy.xml"
    $clearPolicy | Out-File -FilePath $clearPolicyPath
    # Apply the clear AppLocker policy (without -Merge, so it replaces the local policy)
    Set-AppLockerPolicy -XmlPolicy $clearPolicyPath
    # Restart the Application Identity service
    Stop-Service -Name AppIDSvc
    Start-Service -Name AppIDSvc
    Write-Output "AppLocker policy blocking Edge has been removed successfully."
} else {
    Write-Output "Edge Browser is not installed on this machine."
}
3. Fetch the data value (the SHA256 hash) of the Edge Browser executable; it is used in the next step. On the enrolled Windows device where the Edge Browser app is present, open PowerShell as administrator and run the following command:
Get-FileHash -Path "write the file path for Edge Browser exe file" -Algorithm SHA256
4. Copy the hash value and paste it into the script below in the Data parameter after 0x (so that it reads 0x<hash value>). Send the following in PowerShell Native mode after making the necessary changes to the Name parameter in the <FileHashRule> line, and to the Data and SourceFileName parameters in the <FileHash> line:
# Define the AppLocker policy XML as a string
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="ae2d2b9f-fa42-43a8-974a-06e9ff60020b" Name="All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured"/>
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*"/>
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*"/>
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*"/>
      </Conditions>
    </FilePathRule>
    <FileHashRule Id="e239e402-4d15-4518-905d-a93a3ef3033c" Name="write the .exe file name of Edge application, for example, EdgeBrowser.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x....write the hash value obtained earlier....." SourceFileName="write the .exe file name of Edge application, for example, EdgeBrowser.exe" SourceFileLength="5371208"/>
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured"/>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured"/>
</AppLockerPolicy>
"@
# Create a temporary XML file
$tempXmlPath = "$env:TEMP\AppLockerPolicy.xml"
$policyXml | Out-File -FilePath $tempXmlPath -Encoding UTF8
# Import the AppLocker module
Import-Module AppLocker
# Apply the new AppLocker policy from the temporary XML file, merging it with the existing local policy
Set-AppLockerPolicy -XmlPolicy $tempXmlPath -Merge
# Confirm the new policy has been applied
Get-AppLockerPolicy -Effective
# Clean up: Remove the temporary XML file
Remove-Item -Path $tempXmlPath -Force
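As an added verification step (not part of the SOTI article), the following PowerShell confirms on the device that the merged policy actually denies the Edge executable, rather than relying on the profile showing as installed. It assumes the policy above has been applied, that $EdgePath (a placeholder you must set) points at the same executable whose hash was placed in the FileHashRule, and an elevated session.

```powershell
# Added verification example, not part of the SOTI article.
# Assumes the merged policy has been applied and an elevated session on the device.
$EdgePath = "C:\Path\To\EdgeBrowser.exe"   # placeholder: set to the Edge Browser executable used in the hash rule

# Export the effective policy to a file, because Test-AppLockerPolicy takes an XML policy path.
$effectivePath = "$env:TEMP\effectivePolicy.xml"
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $effectivePath -Encoding UTF8

# Ask AppLocker which decision it would make for the Edge binary when run by Everyone.
# Expected after the workaround: PolicyDecision = Denied, matched by the FileHashRule.
$decision = Test-AppLockerPolicy -XmlPolicy $effectivePath -Path $EdgePath -User Everyone
Write-Output ("{0}: {1} (matched rule: {2})" -f $decision.FilePath, $decision.PolicyDecision, $decision.MatchingRule)

# Cross-check that the hash in the Deny rule matches the file actually on disk;
# a mismatch (for example after an Edge update) silently turns the rule into a no-op.
$actualHash = (Get-FileHash -Path $EdgePath -Algorithm SHA256).Hash
[xml]$xml = Get-Content -Path $effectivePath
$deniedHashes = $xml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.FileHashRule } |
    Where-Object { $_.Action -eq 'Deny' } |
    ForEach-Object { $_.Conditions.FileHashCondition.FileHash.Data }
if ($deniedHashes -contains "0x$actualHash") {
    Write-Output "Deny rule hash matches the current Edge executable."
} else {
    Write-Output "WARNING: no Deny hash rule matches the current Edge executable; recompute the hash (step 3) and re-apply."
}

# Once a user tries to launch Edge, the block is logged as event 8004 in the AppLocker EXE and DLL log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

Remove-Item -Path $effectivePath -Force
```

The hash comparison is the check worth keeping in any monitoring routine: a FileHashRule pins one exact binary, so every Edge update changes the SHA256 and the deny rule stops matching until step 3 and step 4 are repeated with the new hash.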