Can't properly whitelist the Terminal package with Applocker / missing signature #8352

Closed
opened 2026-01-31 01:27:15 +00:00 by claunia · 5 comments

Originally created by @CTDhelpdesk on GitHub (May 20, 2020).

Originally assigned to: @DHowett on GitHub.

Environment

Microsoft Windows NT 10.0.19041.0

Windows build number: [run `[Environment]::OSVersion` for powershell, or `ver` for cmd]
Windows Terminal version (if applicable):
1.0.1401.0

Any other software?
Applocker (not separate software, but important)

Steps to reproduce

We use Applocker to restrict both executable and packaged apps in our environments. I was able to properly whitelist the Terminal app package and it installs as expected, but when actually trying to launch it, Applocker blocks it. In event viewer, rather than showing the package name, it shows a blank. The error verbatim is " was prevented from running. "

Full event viewer output:

Provider
      [ Name] Microsoft-Windows-AppLocker
      [ Guid] {cbda4dbf-8d5d-4f69-9578-be14aa540d22}

Expected behavior

Expected Applocker behavior is to properly allow the app to run, since the package Microsoft.WindowsTerminal is whitelisted.

Actual behavior

Screenshot of the (blank) package name being blocked by Applocker:
image


@DHowett commented on GitHub (Jun 26, 2020):

So, this isn't great. Would you be able to try the alternate installation method?

  • Download the msixbundle, rename it to zip
  • Unzip it
  • Find the x64 msix inside it, rename it to zip
  • Unzip it
  • Run WindowsTerminal.exe?

You might be able to whitelist it if it is a separate executable. I'm not sure which of your organization's AppLocker policies is applying to our package, but we do bear a Microsoft code signature so there shouldn't be any trouble. Sorry about that.
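
The extraction steps above, scripted as an added example (not code from the thread or the Terminal project): it opens the bundle as a zip, extracts the x64 msix, reads the package identity from its `AppxManifest.xml`, and lists which packaged-app publisher rules in the effective AppLocker policy name that publisher and package. `$BundlePath` and the helper `Get-ZipXml` are illustrative names, and the rule comparison is a plain wildcard check, not AppLocker's own evaluation.

```powershell
# Added example, not from the thread. $BundlePath is a placeholder for the
# downloaded .msixbundle; run it where the AppLocker policy under test applies.
param([Parameter(Mandatory)][string]$BundlePath)
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem
function Get-ZipXml($Zip, [string]$EntryName) {
    # Read one XML entry from an open ZipArchive without extracting it to disk.
    $entry = $Zip.Entries | Where-Object { $_.FullName -ieq $EntryName } | Select-Object -First 1
    if (-not $entry) { throw "Entry '$EntryName' not found in archive" }
    $reader = [System.IO.StreamReader]::new($entry.Open())
    try { [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
}

# 1. The bundle is a zip: read its manifest and extract the x64 application package.
$work = New-Item -ItemType Directory -Path (Join-Path $env:TEMP "wt-$([guid]::NewGuid())")
$bundle = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $BundlePath).Path)
try {
    $pkg = (Get-ZipXml $bundle 'AppxMetadata/AppxBundleManifest.xml').Bundle.Packages.Package |
        Where-Object { $_.Type -eq 'application' -and $_.Architecture -eq 'x64' } |
        Select-Object -First 1
    if (-not $pkg) { throw 'No x64 application package listed in the bundle manifest' }
    $inner = $bundle.GetEntry($pkg.FileName)
    if (-not $inner) { throw "Bundle manifest lists '$($pkg.FileName)' but the zip has no such entry" }
    $msixPath = Join-Path $work.FullName $pkg.FileName
    [System.IO.Compression.ZipFileExtensions]::ExtractToFile($inner, $msixPath)
} finally { $bundle.Dispose() }

# 2. The msix is a zip too: AppxManifest.xml holds the identity the rules refer to.
$msix = [System.IO.Compression.ZipFile]::OpenRead($msixPath)
try { $id = (Get-ZipXml $msix 'AppxManifest.xml').Package.Identity } finally { $msix.Dispose() }
$name = $id.GetAttribute('Name'); $publisher = $id.GetAttribute('Publisher')
"Package: $name  Version: $($id.GetAttribute('Version'))  Publisher: $publisher"

# 3. List packaged-app (Appx) publisher rules from the effective policy and mark
#    those whose publisher and product name cover this identity. Wildcard match
#    only: version ranges and rule exceptions are not evaluated here.
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
foreach ($rc in $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }) {
    foreach ($rule in $rc.FilePublisherRule) {
        foreach ($c in $rule.Conditions.FilePublisherCondition) {
            [pscustomobject]@{
                Rule          = $rule.GetAttribute('Name')
                Action        = $rule.Action
                Mode          = $rc.EnforcementMode
                Product       = $c.ProductName
                CoversPackage = ($publisher -like $c.PublisherName) -and ($name -like $c.ProductName)
            }
        }
    }
}
```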


@CTDhelpdesk commented on GitHub (Jun 26, 2020):

Hi Dustin, thanks for looking into this. I'm able to reproduce it regardless of the installation method, and as far as the rule that prevents installation, I don't think it's the EXE rule (I can manually run the exe without it being blocked). I'm testing this on the preview branch, and I've successfully applocker whitelisted the Terminal Preview package after downloading it from the MS Store (on an applocker exempted machine).

image

However, in practice, the installation from the MS Store still fails:

image

with this error showing in Applocker event viewer:

image

I'd like to try whitelisting it via the MSIX installer (Group Policy Management allows you to whitelist either by pointing to an installed app or to an installer, but won't let you target MSIXBundles, just MSIX or APPX).

Trying to install via Chocolatey gives a similar error:

microsoft-windows-terminal v1.1.1671.0 [Approved]
microsoft-windows-terminal package files install completed. Performing other installation steps.
Progress: 0% - Processing ERROR: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Deployment failed with HRESULT: 0x80073D19, An error occurred because a user was logged off.

error 0x800704EC: Deployment of package Microsoft.WindowsTerminalPreview_1.1.1671.0_x64__8wekyb3d8bbwe was blocked by AppLocker.

NOTE: For additional information, look for [ActivityId] 14f4e94f-4a3d-0003-e52a-fb143d4ad601 in the Event Log or use the command line Get-AppPackageLog -ActivityID 14f4e94f-4a3d-0003-e52a-fb143d4ad601

The install of microsoft-windows-terminal was NOT successful.
Error while running 'C:\ProgramData\chocolatey\lib\microsoft-windows-terminal\tools\chocolateyInstall.ps1'.
See log for details.

Chocolatey installed 8/9 packages. 1 packages failed.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

I hope that clarifies things. My coworkers and I have already become totally enamored with Terminal on our applocker-exempt machines and would love to be able to run it on our company workstations!


@zadjii-msft commented on GitHub (Aug 5, 2020):

> (Group Policy Management allows you to whitelist either by pointing to an installed app or to an installer, but won't let you target MSIXBundles, just MSIX or APPX).

Well that sounds like the real issue here. @DHowett any ideas on who we'd follow up with on that one?


@DHowett commented on GitHub (Aug 6, 2020):

So wait -- just to make sure I totally understand.
If you extract the msixbundle (it's just a signed zip file!) and install the x64 msix from inside it, can it be deployed then? Before I file a bug on the AppLocker folks, I'd like to determine whether the bug I am filing is "applocker cannot be used with bundles" 😀


@ghost commented on GitHub (Aug 17, 2020):

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

Reference: starred/terminal#8352