Where the Wild Applocker Rules Are

Where the Wild Applocker Rules Are

This (updated) blog will show you how you could manually configure Applocker and how to import the XML into a CSP in Intune. Part 2 of the blog will show you how you could automate this with Powershell.

In one of my last blogs, I explained how to make sure access to Administrative Tools can be restricted using a GUI. It’s really simple to implement. You only need to turn it on.

But… you can do more, much more.

What if I tell you, you can deploy a complete Applocker policy just within a few seconds?

But before I tell you how you could do this,  we will start with some background information and how to configure it in Intune.

Part 1: Configuring Applocker CSP manually

We need to start with opening the Group Policy Object Editor and open computer configuration / windows settings / security settings / Applocker.

When you’re looking at the categories, you will notice: DLL is missing. Before we proceed we need to enable the DLL Rule. You could do so, by right-clicking on the Applocker configuration and press properties.

After you have enabled the DLL collection, we need to make sure we have some default rules to start with, so right-click and press: Create Default rules. Make sure you do this for each category.

If you take a look at the Applocker Executable rules, you will notice it contains 3 rules to make sure all Windows and Program files folders and files are allowed for everyone and 1 rule to be sure all files and folders are allowed for building\administrators.

This is also your pitfall, in the default Applocker rules… PowerShell is allowed to be executed for all users. (more on that topic later on). Before we could copy/paste the XML information into Intune we need to export it.

It will be exported as 1 xml. You will need to divide this xml into 5 parts

As an example, this is the one for EXE. You will need to make sure for each rule, you copy-paste everything like below.

Now we have the XML’s we need, we can create a CSP for each category. Here are the OMA-URI’s you will need for each category

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/EXEGroup/EXE/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MSIGroup/MSI/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ScriptGroup/Script/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/DLLGroup/DLL/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy

You will need to press the browse button and select the XML corresponding to the oma-uri/category.

You will need to add all the programs/dll’s etc which are not on the allow list in applocker. Like example, you really want to make sure users are allowed to install/update Teams. Best practise is using publisher rules. I dedicated a blog on how to do this.

Exodus: Teams and Applocker – Installation and Update problems (call4cloud.nl)

If something is blocked you will be prompted with a nice error. I also wrote a blog on how to troubleshoot Applocker:

The men who stare at the AppLocker event log – Call4Cloud

Part 2. Automate the Applocker CSP creation

It only requires two scripts; a deployment script which makes the connection to Graph and another script which contains the JSON (config) itself

Links to the Scripts (in a zip file)

  1. Deployment Script
  2. JSON File

https://call4cloud.nl/wp-content/uploads/2021/04/Windows10_Applocker.zip

The Applocker policy itself is hardened with the Lolbas Project in mind.

If you want to know more about the lolbas (lolbins) project, take a look at

https://lolbas-project.github.io/

Looking at the Applocker Policy itself, you have to keep in mind that the The DLL Policy is set to “Audit Only. Please note: the DLL Policy,  can cause a Performance impact on your system..

Of course, Powershell, Cmd, Regedit and all other, not necessary .exe files for users, are blocked. Do you want to run Teams? I guess you do. Teams.exe and all other necessary .exe files to run teams are allowed with the use of publisher rules.

If you want to know more about how to implement Applocker, the names of 2 persons who know everything about it come to mind: Sami Laiho and Oddvar Moe.

https://www.linkedin.com/in/samilaiho/

Sami is publishing a lot of Applocker stuff lately… So go check it out

https://www.linkedin.com/in/oddvarmoe

Conclusion:

You really need to implement adminless and Applocker. You can deploy Applocker manually but why not doing this A la minute. ? So you can sit back and relax

4 thoughts on “Where the Wild Applocker Rules Are

  1. Pingback: The LAPS and the furious! - Call4Cloud
  2. Pingback: No Country For Not Monitoring - Call4Cloud
  3. I see a few posts showing this as the method to migrate GPO AppLocker to Intune, but is this correct? Seems like Intune AppLocker settings should be within Endpoint Security\Attack Surface Reduction\Policy Type: Application Control. Not Device Configuration Profile

    1. I know and I have the same feeling, the official answer should come from Microsoft but from what I have heard: It’s very hard to transform the csp to a nice gui friendly interface. Because editting the csp applocker policy could break your system if not done correctly 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

4  +  2  =