When multiple session support is enabled on a Windows server OS machine, Workspace Environment Management (WEM) application security rules of previously logged on users are replaced by the rules of a more recently logged on user. For example, if a rule is assigned to user1 but not to user2, the rule is deleted from the local AppLocker rules when user2 logs on, so it is no longer enforced for user1 either.
As a workaround, you can manually change the application security enforcement mode from "replace" to "merge" in the WEM database, as described here, so that rules are merged instead of replaced. In "merge" mode, the WEM agent merges a user's application security rules with the existing rules when another user logs on.
Note: When the application security "replace" mode is switched to "merge", existing AppLocker rules on a Windows machine are merged when users log on. Before turning off "replace" mode, ensure that there are no unwanted AppLocker rules on WEM agent machines.
To change the application security enforcement mode from "replace" to "merge"
Connect to the SQL Server instance that contains the WEM database using “SQL Server Management Studio” or any tool that works with SQL Server.
Select the WEM database and expand Tables. Right-click the table “VUEMSites” and select the context menu command Select Top 1000 Rows:
Make a note of the queried “IdSite” value of the configuration set to be changed.
On the WEM database, select the context menu command New Query:
Execute the following query, replacing [idSite] with the IdSite value noted in the previous step:
UPDATE VUEMSystemUtilities SET Value='0' WHERE
Name='AppLockerControllerReplaceModeOn' AND idSite=[idSite];
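As an added example (not code from the Citrix article), the same change as a single T-SQL script that records the current value, scopes the update to one configuration set and commits only when exactly one row was affected. The database name, the Name column on VUEMSites and the revert value '1' are assumptions.

```sql
-- Added example, not from the Citrix article: switch one configuration set
-- from "replace" to "merge" mode with a before/after check and a row-count guard.
-- Assumptions: T-SQL on SQL Server; VUEMSites exposes a Name column (the article
-- only shows IdSite); Value '1' re-enables "replace" mode (inferred from the
-- setting name AppLockerControllerReplaceModeOn, not stated in the article).
USE [WEM_DATABASE_NAME];   -- placeholder: your WEM database name
GO

-- Step 1: list configuration sets to find the IdSite to change.
SELECT IdSite, Name FROM VUEMSites;

-- Step 2: set the target site and record the current mode before touching it.
DECLARE @IdSite INT = 1;   -- placeholder: the IdSite noted from the query above
SELECT IdSite, Name, Value
FROM   VUEMSystemUtilities
WHERE  Name = 'AppLockerControllerReplaceModeOn' AND IdSite = @IdSite;

-- Step 3: update inside a transaction; commit only if exactly one row changed,
-- so a mistyped WHERE clause cannot silently alter every configuration set.
BEGIN TRANSACTION;
UPDATE VUEMSystemUtilities
SET    Value = '0'                      -- '0' = merge mode (replace mode off)
WHERE  Name = 'AppLockerControllerReplaceModeOn' AND IdSite = @IdSite;

IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one row for IdSite %d; nothing changed.', 16, 1, @IdSite);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT 'Replace mode disabled (merge mode on) for the selected configuration set.';
END

-- Step 4: confirm the new value; Value should now read 0.
SELECT IdSite, Name, Value
FROM   VUEMSystemUtilities
WHERE  Name = 'AppLockerControllerReplaceModeOn' AND IdSite = @IdSite;

-- To revert to "replace" mode, run the same UPDATE with Value = '1' (assumption).
```

Run the SELECT in step 1 first and only then fill in @IdSite; the before and after SELECTs give you the value to restore if the change needs to be rolled back later.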
If multiple session support is enabled on a Windows server OS machine, WEM application security rules of previously logged on users are replaced by the rules of a more recently logged on user.