Edge crashes when AppLocker is enabled with DLL enforcement rules Windows 1803

Fixed Issue #17343551

Details

Author
Alex E.
Created
May 2, 2018
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
17.17134
Reports
Reported by 10 people


Steps to reproduce

Check-in Instructions

Link to GIT source change

https://microsoft.visualstudio.com/_git/os/pullrequest/1897474 

Conflict Contact

DLINSLEY

Submitted by

DLINSLEY

What is the issue? <additional data needed on scenario/user impacted>

AppLocker helps Enterprises manage which apps and binaries can run on devices they manage.   A string in Windows did not match the descriptor of binaries like the ones loaded by Edge, causing the applications that depend on those binaries to crash when started.

How was the issue/bug found?

This issue was reported from customers that manage Intune controlled environments and deploy/enforce AppLocker rules.

https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17343551/

Quantify the impact of the issue - why do we need to service this issue now?

Enterprises using AppLocker will experience crashes in applications they manage, including Edge.

Is the fix ready and what is it?

Yes, the fix is ready - it corrects the precompiled binary descriptor used by AppLocker policies to manage the apps that are allowed to load.

How was the fix Validated?

ENS(AppLocker)/Edge teams coordinated on functional validation to ensure AppLocker deployment and Edge scenarios did not incur regressions. 

Regression risk level of the fix

Low - The fix is narrowly scoped to categories of Apps like Edge, and therefore does not have a broad risk of regression.

Has the fix been flighted in a RS4 flight?

No

Do you have any data points that can be monitored to ensure that the fix works or if there are adverse effects from the fix?

No

Does this fix need to be backported to TH2, RS1, RS2 or prior releases (for CBB/LTSB customers)?

No

QD signing off on this change

glauciaf

How to validate/test for regressions

(required for WSD pre-release validation)

Scenario to validate:

Deploy an AppLocker policy to a set of devices that restricts execution of applications and DLL binaries.  Ensure that the rules are enforced and effective, and that no related processes crash or fail.

Install Windows 10

Apply a domain-based Group Policy

Browse to Computer Configuration\Policies\Windows Settings\Application Control Policies

Right-click AppLocker > Properties

Under Advanced, check the box titled Enable the DLL rule collection

Apply other required policies

Once the policy has been applied, launch Edge.  

Expected behavior:

Edge should launch successfully and navigate to a URL.  Confirm that Edge does not crash.

Close Criteria

Customers can confirm successful AppLocker enablement with these changes applied, then ensure that core apps like Edge can still load and run with full functionality.

Steps to reproduce the issue

  1. Install Windows 10 1803 Enterprise Edition (our tests were upgrades from 1709)
  2. Using domain-based GPO (would work for local security policy as well)
  3. Browse to Computer Configuration\Policies\Windows Settings\Application Control Policies
  4. Right-click ‘AppLocker’ -> Properties
  5. Under the ‘Advanced’ tab, check the box ‘Enable the DLL rule collection’
  6. Apply other policies as needed
  7. Once policy is applied to system, launch Edge. Edge will open briefly, appear to be attempting to load a page, but prevent any navigation and then crash after a few seconds.

Notes

  • Similar to issue 13758012, which actually prompted me to consider AppLocker as the culprit
  • Without DLL enforcement, Edge works. While this means that the other facets of AppLocker can be used, it does not have the same security impact as it does with DLL enforcement (yes, I know it is not considered a security boundary).
  • You must fully disable DLL enforcement for Edge to work. You cannot simply unconfigure enforcement for DLL Rules.
  • Did not have issues with Edge + DLL Enforcement in 1607, 1703, or 1709. Issue only occurred after completing the upgrade to 1803.

Error Logged

<Event 
    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-05-01T16:07:24.937988500Z" />
        <EventRecordID>1723</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Computer1.contoso.com</Computer>
        <Security />
    </System>
    <EventData>
        <Data>MicrosoftEdge.exe</Data>
        <Data>11.0.17134.1</Data>
        <Data>5acd8aa5</Data>
        <Data>EMODEL.dll</Data>
        <Data>11.0.17134.1</Data>
        <Data>5acd8ba6</Data>
        <Data>c0000409</Data>
        <Data>000000000018db7e</Data>
        <Data>1b08</Data>
        <Data>01d3e166772d13bd</Data>
        <Data>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe</Data>
        <Data>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EMODEL.dll</Data>
        <Data>86ec840d-fac2-4c9d-9d7e-48b7224168e7</Data>
        <Data>Microsoft.MicrosoftEdge_42.17134.1.0_neutral__8wekyb3d8bbwe</Data>
        <Data>MicrosoftEdge</Data>
    </EventData>
</Event>

Workaround

While I know it is highly discouraged by the Microsoft Edge team, implementing the registry key below allows Edge to run:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Spartan]
"RAC_LaunchFlags"=dword:00000035

I grabbed the value of 35 from our 1709 machines, which had that value configured through no effort of our own. It seems Windows had set that itself.

Again, as discussed in Issue 13758012, comment 13, this is an undocumented key and is not supposed to be used. Despite the strong wording, we have opted to use this key in the meantime to enable us to still have the AppLocker protection for DLLs, while allowing Edge to work. Hopefully we will be able to remove the key when/if this issue can be resolved.

Please see other feedbacks in userfeedback VSO for feedbacks that are tracked by this work item.

        This Bug was created from feedback triage by steveth

    




Report Details



    
        Feedback Details

        Description

    

    
        Title

        Intune Browser Policy is causing Edge to Crash upon Launch


    

    
        Description

        When we supply a browser policy [(JSON) is attached] Edge will crash on 1803 RTM. This previously did not occur on 1709. It reproduces 100% of the time. Crash Dump is attached as well.

Reproduction VM is available in Azure. RDP file is also attached.

Creds to signon:
Desktop-de5c0me\wil
Pw – Demome123

        Area Path

        UIF\Microsoft Edge\Browser crashes or stops working

    

    
        [Feedback Hub](https://aka.ms/feedbackhuburi/?ContextId=343&feedbackId=e56f80e7-cbd6-4db5-9469-016d082adbe2&form=1&src=1)

        View this Customer Feedback details and comments in the Feedback Hub app.

    

    
        [Feedback VSO](../7024543/)

        View this Customer Feedback in Feedback VSO.

    

    
        [Upvoted By](https://aka.ms/feedbackinternalupvoters?vsoId=7024543)

        Contact selfhosters that upvoted this issue.

    

    



Analysis and Diagnostics

        Tool

        Description

        [Feedback Cabs](http://aka.ms/FeedbackViewer/?txtUifId=e56f80e7-cbd6-4db5-9469-016d082adbe2&section=Cabs)

        Looking For CAB files related to feedback? All CABs for this feedback can be accessed in the Feedback Viewer.

        Note: CABs may take up to 12 hours to process through the telemetry pipeline. CABs age out and are removed after 60 days due to Watson retention policies.

        [Feedback Analysis](http://aka.ms/FeedbackViewer/?txtUifId=e56f80e7-cbd6-4db5-9469-016d082adbe2)

        Want to understand how this feedback is trending across various pivots? With the Feedback Viewer, you can view trending information for this feedback, including upvotes by build, region, time, device, and more. Try out the prototype version of our [WAAS Lightspeed](https://aka.ms/waaslightspeed/?txtUifId=e56f80e7-cbd6-4db5-9469-016d082adbe2) that includes intelligent auto analyzed insights, dimensional, detailed diagnostic and telemetry analysis

        [Related Watson Crashes](http://watson/User?Identifier=g:6755410285107131&Expand=true&StartDate=7-May-2018&EndDate=7-May-2018&DateTimeFormat=UTC&EventCategory=All)

        Want to view Watson crashes that occurred on the same day from the user who filed feedback? The Watson Viewer will let you dive into crash data.

        [Device Drill](http://devicedrill/EventBrowser?dataSet=ALL&deviceId=g:6755410285107131&focusTimeStamp=2018-05-07T20:31:40&durationAfterMin=10)

        Want to view telemetry events from this customer's device? Device Drill lets you dive into the telemetry of the device from which this feedback was filed.

Attachments

0 attachments
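
A host triage sketch for the condition reported above, as an added example (not code from the reporter or from Microsoft). It reads the effective AppLocker DLL rule collection mode, counts Application Error 1000 events for MicrosoftEdge.exe with exception code c0000409, and reports whether the RAC_LaunchFlags workaround value is set for the current user. The function names are hypothetical, and the positional field order is the one visible in the event shown in the report.

```powershell
# Added example: triage the current host/user for the condition in this issue.
# Run as the affected user so that HKCU resolves to that user's hive.

function Get-DllRuleCollectionMode {
    # The effective policy XML has one RuleCollection element per configured
    # collection; EnforcementMode is NotConfigured, AuditOnly or Enabled.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $dll = $policy.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'Dll' }
    if ($dll) { $dll.EnforcementMode } else { 'Absent' }
}

function Get-EdgeFastFailCrash {
    param([int]$Days = 7)
    # Event 1000 stores its fields positionally: [0] application name,
    # [1] application version, [3] faulting module, [6] exception code,
    # [7] fault offset (same order as the <Data> elements in the report).
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties[0].Value -eq 'MicrosoftEdge.exe' -and
            $_.Properties[6].Value -eq 'c0000409'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                AppVersion  = $_.Properties[1].Value
                Module      = $_.Properties[3].Value   # EMODEL.dll / edgeIso.dll in this thread
                FaultOffset = $_.Properties[7].Value
            }
        }
}

function Get-SpartanLaunchFlags {
    # Undocumented workaround value from the report; $null when it is not set.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Spartan'
    (Get-ItemProperty -Path $key -Name 'RAC_LaunchFlags' -ErrorAction SilentlyContinue).RAC_LaunchFlags
}

$crashes = @(Get-EdgeFastFailCrash)
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    OSBuild             = [Environment]::OSVersion.Version.Build
    DllRuleMode         = Get-DllRuleCollectionMode   # thread reports crashes in AuditOnly too
    EdgeFastFailCrashes = $crashes.Count
    FaultingModules     = ($crashes.Module | Sort-Object -Unique) -join ', '
    RAC_LaunchFlags     = Get-SpartanLaunchFlags
}
```

A host that shows the workaround value but no recent crashes is a candidate for removing the key once the fix is installed, which is the rollback the reporter says they hope to make.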

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Steven K.”

    • Will someone reply here when this issue will be fixed by MS, or how I should follow this?

    • Hi Yannara,

      Yes, we will post updates here.  We try to always leave a message when the issue changes status.

      Appreciate the submission,

      Steve

    • Same issue as Steven K. No problem with Applocker and DLL enforcement on 1703 or 1709, only on 1803 and it’s “fixed” using:
      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Spartan]
      "RAC_LaunchFlags"=dword:00000035

    • I also want to add that the issue exists even if your AppLocker DLL rules are in Audit Only mode. I have an AppLocker policy that wasn’t enforcing any rules, they were all in Audit Only and that still caused Edge to crash in this same manner. This was on a brand new 1803 install, not an upgrade from a previous Windows 10 version.

    • Hello, Just want to add that where I work is also seeing this issue (applocker in use). We have plans to roll out 1803 very shortly and we use edge as the default browser so this will cause us big issues.

    • I am seeing the same issue, but with AzureAD joined only devices that have Intune pushing “Windows Defender Application Control” -> “Application control code integrity policies:” = Audit Only
      &

      “Windows Defender Application Control”-> “Trust apps with good reputation” = Enable

      (These are settings in Intune ->Device Configuration -> Create Profile -> Windows 10 or later (Platform) -> Type = Endpoint Protection-> Settings/Configure -> Windows Defender Application Control ->…)

      This is occurring in production – no MDM policies were changed - just upgrade to 1803.

      (Of course upgrade to 1803 goes something like: get-1st run experience, reboot, get latest updates, reboot, follow Defender security center prompt to reset TPM, reboot, reboot, wait 24 hours… Edge starts crashing on EMODEL.DLL a few seconds after launch.)

    • Is there a time schedule for this, when it will be fixed? This issue stops our 1803 piloting right away because of this. If I disable DLL rules, my Applocker will "break".

    • Happening on 1709 with April or May CU’s installed as well. Running AppLocker DLL rules in audit only mode causes Edge to crash. Disabling the DLL rules causes it to crash as well.
      Edge only works when completely removing the DLL rules.

    • We too are having this problem on 1803 and it was exactly the same on 1709. However, in 1709 it was fixed by April 23, 2018—KB4093105 (OS Build 16299.402) but is now back with 1803. It has halted our roll out of 1803 and we were so keen to do it next week. This is what the event viewer reports:

      Faulting application name: MicrosoftEdge.exe, version: 11.0.17134.48, time stamp: 0x5ae3f232
      Faulting module name: edgeIso.dll, version: 11.0.17134.1, time stamp: 0x659f279a
      Exception code: 0xc0000409
      Fault offset: 0x000000000003db73
      Faulting process id: 0x368
      Faulting application start time: 0x01d3f0ee7ab863ed
      Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      Faulting module path: C:\windows\SYSTEM32\edgeIso.dll
      Report Id: b6bd542b-717d-4092-a372-72d60059e2a8
      Faulting package full name: Microsoft.MicrosoftEdge_42.17134.1.0_neutral__8wekyb3d8bbwe
      Faulting package-relative application ID: MicrosoftEdge

      A fix would be greatly appreciated. Thank you.

    • I should update my post - Turns out having Intune enable Windows Defender Application Control in Audit mode is all that is needed to also trigger this error. In 1709 this error didn’t occur, but all of the Windows 64bit Enterprise edition computers upgraded from 1703->1709->1803 are getting this now. I had to freeze the feature update.

      Steven K, have you been able to reproduce?

      Steven K, have you seen this blog:
      https://osddeployment.dk/2018/05/21/microsoft-edge-crash-on-windows-10-1803-with-windows-defender-application-control-enabled/

      We look forward to hearing if you have been able to reproduce or other status changes soon.

      Thanks!

    • Microsoft Edge Team

      Changed Assigned To to “Travis L.”

    • Happening to me too…plain old domain-joined Windows 10 Pro upgraded 1703->1709->1803. I don’t think I’ve enabled App Locker…can’t find anything under Group Policy. Got it working again with the RAC_LaunchFlags = dword:0x35 fix.

    • Microsoft Edge Team

      Changed Assigned To from “Travis L.” to “David L.”

      Changed Status to “Fixed”

    • Hi David, will a fix be included in an update?

    • I’m glad it’s fixed! How can I get the fix?

    • Microsoft Edge Team

      Changed Steps to Reproduce

      Changed Assigned To to “James M.”

      Changed Steps to Reproduce

      Changed Title from “Edge crashes when AppLocker is enabled with DLL enforcement Windows 1803” to “Edge crashes when AppLocker is enabled with DLL enforcement rules Windows 1803”

      Changed Steps to Reproduce

    • Hello,

      We are pleased to report this feature is fixed in Edge and will be available in an upcoming insider build.

      Best Wishes,
      The MS Edge Team

    • Microsoft Edge Team

      Changed Steps to Reproduce

      Changed Steps to Reproduce

    • We are starting to see this issue as well. On both 1709 and 1803. All domain joined PCs.
      Setting the regkey is also working for us.
      Will the fix become available for 1709 or do we need to keep the regkey until next release (1809) ?

    • I have just encountered this in 1709 when the Wim is patched to the June cumulative update. A new issue has been raised https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/18055394/

    • I just updated yesterday my first 1803 to 06-2018 CU, and same issue is still present! This is not fixed, change the status!

    • So Enterprise customers are just supposed to skip this OS Release entirely?? Even setting Applocker in Audit only mode causes Edge to crash constantly. Spartan reg entry workaround is an Ent level fix?
