5 Replies Latest reply on Aug 11, 2016 10:54 AM by brett.chadwick

    Application control blocks GPEdit.dll

    adrijus Rookie

      Hi,

      Last week, in the App Control Log Queries, I found that GPEdit.dll is blocked. The parent process is CcmExec.exe. I tried to add it to the whitelist in the App Library to authorize it, but it is still blocked. The situation is the same on multiple endpoints. Maybe someone has the same problem or any suggestions?

        • 1. Re: Application control blocks GPEdit.dll
          reneg Apprentice

          CcmExec.exe is the Host Process for Microsoft Configuration Manager Client and makes changes to the system. If you trust Configuration Manager Software Deployments and Configuration Changes, add CcmExec.exe to your Trusted Updater Policy.

          Also search for CcmExec.exe in EMSS > Review > App Control Library > search for all copies of CcmExec.exe and add them to your Trusted Updater Policy.

          • 2. Re: Application control blocks GPEdit.dll
            adrijus Rookie

            Before I posted this issue I checked my App Control Library and added all copies of CcmExec.exe to the White listed applications policy.

            Now I tried to do as you recommended, but events about the blocked DLLs still repeat. There are two blocked DLLs - GPEDIT.DLL.MUI (parent process AppControlNotification.exe) and GPEdit.dll (parent process CcmExec.exe).

            I was trying to add them to the Authorised Applications group but they are still blocked. There are no problems with other applications, only with these two DLLs.

            • 3. Re: Application control blocks GPEdit.dll
              reneg Apprentice

              1. From the App Control Log Query, add GPEDIT.DLL.MUI and GPEdit.dll to your existing Supplemental Policy. Supplemental Policies only allow a program to load into memory.

              2. Add CcmExec.exe to your Trusted Updater Policy because this program will load into memory and drop files on the HDD. If you trust this behavior, Trusted Updater is the only policy that will work for you.

              For any software distribution tool that you trust to make changes to the system, like installing or updating software, leverage Trusted Updater Policy as much as possible.

              • 4. Re: Application control blocks GPEdit.dll
                adrijus Rookie

                Sorry for the delay, we had public holidays.

                Yesterday I added the DLLs to the Supplemental Policy and CcmExec.exe to the Trusted Updater policy, but this morning the names of the endpoints repeat in the App Control log query and I have ~1K entries in the query. I checked the Trusted Updater policy - there are entries for CcmExec.exe, and also GPEDIT.DLL.MUI and GPEdit.dll in the Supplemental Policy.

                • 5. Re: Application control blocks GPEdit.dll
                  brett.chadwick Apprentice

                  You may want to verify that the files are the exact same hash. The files could have been modified in the time between adding them into the policy, in which case they would still be blocked. Also be sure that the policies have successfully reached the endpoint by checking the agent control panel and reviewing the date/time stamp for the policy that is being used.

                  Once you have the root process that is updating, using and changing these files in as a trusted updater, any further changes won't need to be managed at this level and will automatically be handled by the trust engine.
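
The hash check suggested in the last reply, as an added example that is not part of the thread or of the vendor's tooling: it collects the hash of every copy of the two blocked DLLs from several endpoints and compares each one with the hash recorded in the policy. Assumptions: PowerShell remoting is enabled on the endpoints, the computer names are constructed, the authorized hashes are placeholders to be filled in from your own policy, and the hash algorithm must be set to whichever one your policy displays.

```powershell
# Added example (not from the thread). Endpoint names are constructed and the
# authorized hashes are placeholders; copy the real values from your policy.
param(
    [string[]]$ComputerName = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02'),
    [string]$Algorithm = 'SHA256',      # assumption: use the algorithm your policy shows
    [hashtable]$Authorized = @{
        'gpedit.dll'     = '<HASH-FROM-POLICY>'
        'gpedit.dll.mui' = '<HASH-FROM-POLICY>'
    }
)

$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $Algorithm -ScriptBlock {
    param($Algorithm)
    # gpedit.dll sits in System32; its .mui resource files sit in per-language
    # subfolders (for example en-US), so there can be several copies per machine.
    $files  = @(Get-Item "$env:windir\System32\gpedit.dll" -ErrorAction SilentlyContinue)
    $files += Get-ChildItem "$env:windir\System32\*\gpedit.dll.mui" -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        [pscustomobject]@{
            Name        = $f.Name.ToLower()
            Path        = $f.FullName
            Hash        = (Get-FileHash -Path $f.FullName -Algorithm $Algorithm).Hash
            FileVersion = $f.VersionInfo.FileVersion
            LastWrite   = $f.LastWriteTimeUtc
        }
    }
}

# Mark each copy as matching or not matching the hash that was authorized.
$results | ForEach-Object {
    $match = $Authorized[$_.Name] -eq $_.Hash
    $_ | Add-Member -NotePropertyName Authorized -NotePropertyValue $match -PassThru
} | Sort-Object Name, Hash, PSComputerName |
    Format-Table PSComputerName, Name, FileVersion, Hash, Authorized, LastWrite -AutoSize

# More than one distinct hash for the same file name means a single policy
# entry cannot cover every endpoint; LastWrite shows whether a copy changed
# after it was added to the policy.
$results | Group-Object Name, Hash | Select-Object Count, Name
```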