dotnet core build command fails VS2017 with applocker error

  • Question

  • Running in a domain with Applocker rules and getting this odd behavior:

    running a command from VS command prompt works:

    dotnet "someDLL" "someparams"

    operates without failure.

    However, running this same command as part of a build is failing with the following information:

    A) Build script fails each time such a dotnet command is run with "This program is blocked by group policy. For more information, contact your system administrator."

    B) AppLocker logs say "%OSDRIVE%\USERS\...\APPDATA\LOCAL\TEMP\TMP{GUID OR SOMETHING HERE}.EXEC.CMD was prevented from running" and that it was blocked by the "MSI and SCRIPT" rule.

    The fact that B is "dynamic" causes A to be problematic (as our security folks are unwilling/unable/other to add this to some exception list/rules of some kind), and I don't know enough about AppLocker to argue the point - other than devs can't dev like this... which is met with stony silence...

    I assume this is something to do with how VS does CMD process launches, but it's really annoying... Any thoughts/suggestions on how to work through this in a maintainable way?

    I have also had a fair share of issues with the way the Roslyn compiler is done as a "\bin\Roslyn\" and have had to disable (so far have had success by removing Microsoft.CodeDom.Providers.DotNetCompilerPlatform and Microsoft.Net.Compilers) to get things running with AppLocker... 

    This is MASSIVELY slowing us down from ACTUAL work... Is AppLocker just impossible for use with developers? Is there any guidance or information I can point to our security/infrastructure on this issue?

    -- this is not the profile you're looking for --

    Monday, December 10, 2018 2:01 AM
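As an added defender-side example that is not part of the original post: the poster's problem is that the blocked path changes on every build, so a single path exception can never cover it, and the argument with the policy owners needs evidence of that pattern rather than one screenshot. The script below pulls the AppLocker "MSI and Script" events from the affected machine, normalises the per-run temp-file name, and counts how many distinct blocks collapse onto the same pattern. It assumes the standard AppLocker channel name 'Microsoft-Windows-AppLocker/MSI and Script' and event IDs 8007 (script blocked) and 8006 (audit mode, would have been blocked); the regex for the temp-file name is a guess based on the name quoted in the post, and the function and property names are my own.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: AppLocker script events are in the channel below with IDs 8006/8007,
# and the event message starts with the blocked path followed by " was ...".

function Get-AppLockerScriptBlocks {
    param(
        [string]$LogName   = 'Microsoft-Windows-AppLocker/MSI and Script',
        [int[]] $EventId   = @(8006, 8007),   # 8007 = blocked, 8006 = audit-only hit
        [int]   $MaxEvents = 500
    )

    # SilentlyContinue so an empty log yields no output instead of an error.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message shape: "<path> was prevented from running." (8007) or
            # "<path> was allowed to run but would have been prevented ..." (8006)
            $path = ($_.Message -split ' was ', 2)[0].Trim()

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Path    = $path
                # Collapse the per-invocation temp name (assumed form: TMP<something>.EXEC.CMD)
                # so repeated hits from different builds group together.
                Pattern = ($path -replace '(?i)\\tmp[^\\]*\.exec\.cmd$', '\tmp<RANDOM>.exec.cmd')
                User    = $_.UserId
            }
        }
}

function Get-AppLockerBlockSummary {
    # One row per normalised pattern: Count is the number of distinct blocks it absorbed.
    Get-AppLockerScriptBlocks |
        Group-Object Pattern |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'Pattern';  e = { $_.Name } },
                      @{ n = 'Blocked';  e = { ($_.Group | Where-Object Id -eq 8007).Count } },
                      @{ n = 'AuditHit'; e = { ($_.Group | Where-Object Id -eq 8006).Count } },
                      @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object -Property Time -Maximum).Maximum } }
}

Get-AppLockerBlockSummary | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the build machine (reading the AppLocker channels needs administrator rights). A high Count against a single normalised pattern with a different raw Path each time is the concrete artefact to hand to the policy owners: it shows that the rule is hitting a generated file, not a fixed script, so the discussion has to move to a publisher- or hash-based allow rule, or to relocating the tool's temp directory, rather than to adding one more path exception.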