Edge crashes when AppLocker is enabled with DLL enforcement rules Windows 1803

Fixed Issue #17905647

Details

Created: Jun 15, 2018
Privacy: This issue is public.
Found in build #: 17.17134
Fixed in build #: 17.17698
Reports: Reported by 9 people


Steps to reproduce

Check-in Instructions

Link to GIT source change

https://microsoft.visualstudio.com/_git/os/pullrequest/1897474 

Conflict Contact

DLINSLEY

Submitted by

DLINSLEY

What is the issue? <additional data needed on scenario/user impacted>

AppLocker helps Enterprises manage which apps and binaries are allowed to run on devices they manage.   A string in Windows did not match the descriptor of binaries like the ones loaded by Edge, causing the applications that depend on those binaries to crash when started.

How was the issue/bug found?

This issue was reported from customers that manage Intune controlled environments and deploy/enforce AppLocker rules.

https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/17343551/

Quantify the impact of the issue - why do we need to service this issue now?

Enterprises using AppLocker will experience crashes in applications they manage, including Edge.

Is the fix ready and what is it?

Yes, the fix is ready - it corrects the precompiled binary descriptor used by AppLocker policies to manage the apps that are allowed to load.

How was the fix Validated?

ENS(AppLocker)/Edge teams coordinated on functional validation to ensure AppLocker deployment and Edge scenarios did not incur regressions. 

Regression risk level of the fix

Low - The fix is narrowly scoped to categories of Apps like Edge, and therefore does not have a broad risk of regression.

Has the fix been flighted in a RS5 flight?

No

Do you have any data points that can be monitored to ensure that the fix works or if there are adverse effects from the fix?

No

Does this fix need to be backported to TH2, RS1, RS2 or prior releases (for CBB/LTSB customers)?

No

QD signing off on this change

glauciaf

How to validate/test for regressions

(required for WSD pre-release validation)

Scenario to validate:

Deploy an AppLocker policy to a set of devices that restricts execution of applications and DLL binaries.  Ensure that the rules are enforced and effective, and that no related processes crash or fail.

  1. Install Windows 10
  2. Apply a domain-based Group Policy
  3. Browse to Computer Configuration\Policies\Windows Settings\Application Control Policies
  4. Right-click AppLocker > Properties
  5. Under Advanced, check the box titled Enable the DLL rule collection
  6. Apply other required policies
  7. Once the policy has been applied, launch Edge.

Expected behavior:

Edge should launch successfully and navigate to a URL.  Confirm that Edge does not crash.

Close Criteria

Customers can confirm successful AppLocker enablement with these changes applied, then ensure that core apps like Edge can still load and run with full functionality.

Steps to reproduce the issue

  1. Install Windows 10 1803 Enterprise Edition (our tests were upgrades from 1709)
  2. Using domain-based GPO (would work for local security policy as well)
  3. Browse to Computer Configuration\Policies\Windows Settings\Application Control Policies
  4. Right-click ‘AppLocker’ -> Properties
  5. Under the ‘Advanced’ tab, check the box ‘Enable the DLL rule collection’
  6. Apply other policies as needed
  7. Once policy is applied to system, launch Edge. Edge will open briefly, appear to be attempting to load a page, but prevent any navigation and then crash after a few seconds.

Notes

  • Similar to issue 13758012, which actually prompted me to consider AppLocker as the culprit
  • Without DLL enforcement, Edge works. While this means that the other facets of AppLocker can be used, it does not have the same security impact as it does with DLL enforcement (yes, I know it is not considered a security boundary).
  • You must fully disable DLL enforcement for Edge to work. You cannot simply unconfigure enforcement for DLL Rules.
  • Did not have issues with Edge + DLL Enforcement in 1607, 1703, or 1709. Issue only occurred after completing the upgrade to 1803.

Error Logged

<Event 
    xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Application Error" />
        <EventID Qualifiers="0">1000</EventID>
        <Level>2</Level>
        <Task>100</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2018-05-01T16:07:24.937988500Z" />
        <EventRecordID>1723</EventRecordID>
        <Channel>Application</Channel>
        <Computer>Computer1.contoso.com</Computer>
        <Security />
    </System>
    <EventData>
        <Data>MicrosoftEdge.exe</Data>
        <Data>11.0.17134.1</Data>
        <Data>5acd8aa5</Data>
        <Data>EMODEL.dll</Data>
        <Data>11.0.17134.1</Data>
        <Data>5acd8ba6</Data>
        <Data>c0000409</Data>
        <Data>000000000018db7e</Data>
        <Data>1b08</Data>
        <Data>01d3e166772d13bd</Data>
        <Data>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe</Data>
        <Data>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EMODEL.dll</Data>
        <Data>86ec840d-fac2-4c9d-9d7e-48b7224168e7</Data>
        <Data>Microsoft.MicrosoftEdge_42.17134.1.0_neutral__8wekyb3d8bbwe</Data>
        <Data>MicrosoftEdge</Data>
    </EventData>
</Event>

Workaround

While I know it is highly discouraged by the Microsoft Edge team, implementing the registry key below allows Edge to run:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Spartan]
"RAC_LaunchFlags"=dword:00000035

I grabbed the value of 35 from our 1709 machines, which had that value configured through no effort of our own. It seems Windows had set that itself.

Again, as discussed in Issue 13758012, comment 13, this is an undocumented key and is not supposed to be used. Despite the strong wording, we have opted to use this key in the meantime to enable us to still have the AppLocker protection for DLLs, while allowing Edge to work. Hopefully we will be able to remove the key when/if this issue can be resolved.
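
When triaging Application-log events exported from AppLocker-managed devices, the crash signature in the event logged above can be matched mechanically. The following is an added example, not part of the original report and not Microsoft code. The names in `FIELDS` are labels assumed here for the positional `<Data>` values, and the sample is the report's own event condensed onto fewer lines.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed labels for the positional <Data> values of an Application Error (ID 1000) event.
FIELDS = ("app", "app_version", "app_timestamp", "module", "module_version",
          "module_timestamp", "exception_code", "fault_offset", "pid",
          "app_start_time", "app_path", "module_path", "report_id",
          "package_full_name", "package_app_id")

# The event from this report, condensed onto fewer lines (values unchanged).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID>
<TimeCreated SystemTime="2018-05-01T16:07:24.937988500Z" />
<Computer>Computer1.contoso.com</Computer></System>
<EventData><Data>MicrosoftEdge.exe</Data><Data>11.0.17134.1</Data><Data>5acd8aa5</Data>
<Data>EMODEL.dll</Data><Data>11.0.17134.1</Data><Data>5acd8ba6</Data><Data>c0000409</Data>
<Data>000000000018db7e</Data><Data>1b08</Data><Data>01d3e166772d13bd</Data>
<Data>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe</Data>
<Data>C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EMODEL.dll</Data>
<Data>86ec840d-fac2-4c9d-9d7e-48b7224168e7</Data>
<Data>Microsoft.MicrosoftEdge_42.17134.1.0_neutral__8wekyb3d8bbwe</Data>
<Data>MicrosoftEdge</Data></EventData></Event>"""

def parse_app_error(xml_text):
    """Return the event's fields as a dict, or None if it is not Application Error / 1000."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if provider is None or provider.get("Name") != "Application Error":
        return None
    if event_id != "1000":
        return None
    values = [(d.text or "") for d in root.findall("e:EventData/e:Data", NS)]
    record = dict(zip(FIELDS, values))
    record["computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    time_el = root.find("e:System/e:TimeCreated", NS)
    record["time"] = time_el.get("SystemTime") if time_el is not None else ""
    return record

def matches_issue(record):
    """True when the crash carries the signature logged in this report."""
    # c0000409 is STATUS_STACK_BUFFER_OVERRUN, the code raised by fail-fast terminations.
    return (record is not None
            and record.get("app", "").lower() == "microsoftedge.exe"
            and record.get("module", "").lower() == "emodel.dll"
            and record.get("exception_code", "").lower() == "c0000409")
```

A match only identifies the crash signature; whether the DLL rule collection is enforced on that device still has to be confirmed from its AppLocker policy.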

Please see other feedbacks in userfeedback VSO for feedbacks that are tracked by this work item.


            
        

        This Bug was created from feedback triage by steveth

    




Report Details

Feedback Details

Title: Intune Browser Policy is causing Edge to Crash upon Launch

Description: When we supply a browser policy [(JSON) is attached] Edge will crash on 1803 RTM. This previously did not occur on 1709. It reproduces 100% of the time. Crash Dump is attached as well.

Reproduction VM is available in Azure. RDP file is also attached.

Creds to signon:
Desktop-de5c0me\wil
Pw – Demome123

Area Path: UIF\Microsoft Edge\Browser crashes or stops working

    

    
[Feedback Hub](https://aka.ms/feedbackhuburi/?ContextId=343&feedbackId=e56f80e7-cbd6-4db5-9469-016d082adbe2&form=1&src=1): View this Customer Feedback details and comments in the Feedback Hub app.

[Feedback VSO](../7024543/): View this Customer Feedback in Feedback VSO.

[Upvoted By](https://aka.ms/feedbackinternalupvoters?vsoId=7024543): Contact selfhosters that upvoted this issue.

    

    




Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Roger P.”

      Changed Steps to Reproduce

      Changed Status to “Confirmed”

      Changed Assigned To from “Roger P.” to “Rakesh P.”

      Changed Status from “Confirmed”

      Changed Status to “Confirmed”

      Changed Assigned To from “Rakesh P.” to “Mitch H.”

      Changed Status from “Confirmed” to “Fixed”

      Changed Assigned To from “Mitch H.” to “Rakesh P.”
