Where the Wild Applocker Rules Are

Last Updated on February 3, 2023 by rudyooms

This (updated) blog will show you how you can manually configure AppLocker and how to import the resulting XML into a custom CSP profile in Intune.

In one of my last blogs, I explained how access to Administrative Tools can be restricted using a GUI. It's really simple to implement: you only need to turn it on. But… you can do more, much more.

What if I told you that you can deploy a complete AppLocker policy within a few seconds? In Part 2 of this blog, I will show you how to automate this with PowerShell.

  1. Manually
  2. PowerShell and Graph
  3. Editing an existing Applocker Policy

1. Manually

When we want to deploy an AppLocker policy to devices that are enrolled in Intune, we start by opening the Group Policy Object Editor (gpedit.msc) and browsing to Computer Configuration > Windows Settings > Security Settings > AppLocker.

When you look at the rule categories, you will notice that DLL is missing. Before we proceed we need to enable the DLL rule collection. You can do so by right-clicking the AppLocker node and choosing Properties.

After you have enabled the DLL collection, we need some default rules to start with, so right-click each category and choose "Create Default Rules". Make sure you do this for every category.

If you take a look at the AppLocker Executable rules, you will notice it contains 3 rules that allow everyone to run everything under the Windows and Program Files folders, and 1 rule that allows BUILTIN\Administrators to run all files in all folders.

This is also your pitfall: with the default AppLocker rules, PowerShell is allowed to be executed by all users (more on that topic later on). Before we can copy/paste the XML into Intune, we need to export it.

It will be exported as 1 XML file. You will need to divide this XML into 5 parts, one per category, because Intune will not accept the combined XML.

As an example, this is the one for EXE. For each category, make sure you copy everything that belongs to that rule collection, exactly like below.

Now that we have the XMLs we need, we can create a custom CSP setting for each category. Here are the OMA-URIs you will need for each category:

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/EXEGroup/EXE/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MSIGroup/MSI/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ScriptGroup/Script/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/DLLGroup/DLL/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy

You will need to press the browse button and select the XML file that corresponds to the OMA-URI/category.

You will need to add all the programs, DLLs, etc. that are not yet on the AppLocker allow list. For example, you really want to make sure users are allowed to install and update Teams. The best practice is to use publisher rules; I dedicated a blog to how to do this.

If something is blocked, the user is prompted with a nice error. I also wrote a blog on how to troubleshoot AppLocker:
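The split into one RuleCollection per OMA-URI and the custom-profile payload can be scripted. The following is an added example, not code from the original post or its zip file; it assumes the gpedit export is saved as .\AppLockerPolicy.xml and writes the five fragments plus a Graph request body to .\split\.

```powershell
# Added example (not from the original post): split an exported AppLocker policy
# into the five per-collection XML fragments Intune accepts and build the body
# of a custom (OMA-URI) device configuration profile that carries them.
# Assumptions: export at .\AppLockerPolicy.xml, output folder .\split (both constructed).
$ExportPath = '.\AppLockerPolicy.xml'
$OutDir     = '.\split'

# RuleCollection Type attribute -> {Grouping}/{Setting} part of the AppLocker CSP URI
$Map = @{
    Exe    = 'EXEGroup/EXE'
    Msi    = 'MSIGroup/MSI'
    Script = 'ScriptGroup/Script'
    Dll    = 'DLLGroup/DLL'
    Appx   = 'StoreAppsGroup/StoreApps'
}

[xml]$Policy = Get-Content -Path $ExportPath -Raw
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$OutFull = (Resolve-Path -Path $OutDir).ProviderPath

$OmaSettings = foreach ($Collection in $Policy.AppLockerPolicy.RuleCollection) {
    $Type = $Collection.Type
    if (-not $Map.ContainsKey($Type)) { Write-Warning "Skipping unknown collection '$Type'"; continue }
    if ($Type -eq 'Dll' -and $Collection.EnforcementMode -eq 'Enabled') {
        Write-Warning 'DLL collection is enforced; consider AuditOnly first because of the performance impact'
    }

    # Intune wants one bare <RuleCollection> per OMA-URI, not the whole <AppLockerPolicy>
    $Fragment = $Collection.OuterXml
    $File = Join-Path -Path $OutFull -ChildPath "AppLocker-$Type.xml"
    [System.IO.File]::WriteAllText($File, $Fragment, [System.Text.UTF8Encoding]::new($false))  # UTF-8 without BOM

    [pscustomobject]@{
        '@odata.type' = '#microsoft.graph.omaSettingString'
        displayName   = "AppLocker $Type"
        description   = "AppLocker $Type rule collection"
        omaUri        = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$($Map[$Type])/Policy"
        value         = $Fragment
    }
}

$Body = [ordered]@{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'AppLocker (custom OMA-URI)'
    description   = 'Built from the exported AppLocker policy'
    omaSettings   = @($OmaSettings)
} | ConvertTo-Json -Depth 5
Set-Content -Path (Join-Path -Path $OutFull -ChildPath 'graph-body.json') -Value $Body

# To upload, after Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All':
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' -Body $Body -ContentType 'application/json'
```

Review graph-body.json before posting it; the profile still has to be assigned to a group afterwards.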

The men who stare at the AppLocker event log – Call4Cloud

2. PowerShell and Graph

If you don't want to go through all the hassle of manually creating the AppLocker rules, we can also automate the process.

It only requires two scripts: a deployment script that makes the connection to Graph, and another script that contains the JSON (config) itself.

Links to the Scripts (in a zip file)

  1. Deployment Script
  2. JSON File

https://call4cloud.nl/wp-content/uploads/2021/04/Windows10_Applocker.zip

The AppLocker policy itself is hardened with the LOLBAS project in mind. Looking a little closer at the policy, you will notice that I added exceptions to the default allow paths. Let me explain why… When configuring your AppLocker XML, you need to make sure that all locations that are writable from the user context are excluded from the allowed paths! Otherwise a user can drop a file into such a location and it will be allowed by the path rule.

If you want to know more about the LOLBAS (LOLBins) project, take a look at

https://lolbas-project.github.io/

Looking at the AppLocker policy itself, keep in mind that the DLL policy is set to "Audit Only". Please note: the DLL policy can cause a performance impact on your system.

Of course, PowerShell, cmd, regedit and all other executables that users don't need are excluded from the allow rules, which means they are blocked. Do you want to run Teams? I guess you do. Teams.exe and all other executables needed to run Teams are allowed with the use of publisher rules.

If you want to know more about how to implement AppLocker, the names of 2 people who know everything about it come to mind: Sami Laiho and Oddvar Moe.

https://www.linkedin.com/in/samilaiho/

Sami is publishing a lot of AppLocker material lately, so go check it out.

https://www.linkedin.com/in/oddvarmoe

3. Editing an Existing Applocker Policy

Once you have uploaded the AppLocker policy to your tenant, there will come a day when you need to add something to it. How are we going to accomplish this?

First, open Intune and open your existing AppLocker policy. In this example, I am going to add an additional allowed Store app.

Select it all, open Notepad and make sure the encoding is UTF-8. Paste the contents and save the file first, so you have a proper backup.

I want to make sure people can install the HP Smart app. First off, I install the app on my test device so I can fetch the proper publisher.

After the app is installed, we open gpedit.msc, browse to the AppLocker configuration and create a new Packaged app rule. We select the first option, which references the app we installed in the previous step.

After selecting the HP Smart app we can change some additional settings and press Next to add the rule to the policy.

With this additional rule added to the policy, we can export the whole AppLocker policy to XML.

Now we open that exported policy and select the content that we need (the FilePublisherRule).

Then copy that content into the XML you created earlier, so it looks something like this, and save the XML file:

<RuleCollection Type="Appx" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="4da47ec9-1f42-4307-9e28-b7fa740cab06" Name="Microsoft Apps" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="9f93f6b2-beb9-4c37-81bf-0576732402c6" Name="Ondertekend door Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="69395f9a-434f-47c9-8646-659cea379880" Name="AD2F1837.HPPrinterControl, van HP Inc." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="CN=ED346674-0FA1-4272-85CE-3187C9C86E26" ProductName="AD2F1837.HPPrinterControl" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
</RuleCollection>

Once the XML is saved, we can upload it to Intune. Don't forget to save the profile!
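The copy/paste step above can be done safely by script, merging only rules whose Id is not yet in the fragment. This is an added example, not code from the original post; it assumes the fragment copied out of Intune is saved as .\AppLocker-Appx.xml and the fresh gpedit export as .\AppLockerPolicy.xml.

```powershell
# Added example (not from the original post): merge the rules of the Appx
# collection from a fresh gpedit export into the Appx fragment that is already
# in Intune, skipping rules whose Id is already present (e.g. the default rules).
# Assumptions: both file names below are constructed for this example.
$CurrentPath  = '.\AppLocker-Appx.xml'   # <RuleCollection Type="Appx"> copied from the Intune profile
$ExportedPath = '.\AppLockerPolicy.xml'  # full policy exported from gpedit.msc after adding the rule

[xml]$Current  = Get-Content -Path $CurrentPath -Raw
[xml]$Exported = Get-Content -Path $ExportedPath -Raw

$Target = $Current.RuleCollection
if ($Target.Type -ne 'Appx') { throw "Expected an Appx RuleCollection, got '$($Target.Type)'" }

$Source = $Exported.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Appx' }
if (-not $Source) { throw 'The export contains no Appx rule collection' }

# Ids already in the Intune fragment; new rules from the export get different GUIDs
$Known = @($Target.ChildNodes | ForEach-Object { $_.Id })

$Added = 0
foreach ($Rule in $Source.ChildNodes) {
    if ($Rule.NodeType -ne 'Element') { continue }
    if ($Known -contains $Rule.Id) { continue }
    # ImportNode is required because the rule belongs to a different XmlDocument
    $Target.AppendChild($Current.ImportNode($Rule, $true)) | Out-Null
    $Added++
    "Added rule '$($Rule.Name)' ($($Rule.Id))"
}

# Save as UTF-8 without BOM and without an XML declaration, matching the pasted fragment
$Settings = [System.Xml.XmlWriterSettings]::new()
$Settings.Indent = $true
$Settings.OmitXmlDeclaration = $true
$Settings.Encoding = [System.Text.UTF8Encoding]::new($false)
$Writer = [System.Xml.XmlWriter]::Create((Resolve-Path -Path $CurrentPath).ProviderPath, $Settings)
$Current.Save($Writer)
$Writer.Dispose()
"Merged $Added new rule(s) into $CurrentPath; upload this file to the StoreApps OMA-URI"
```

Rules are compared by Id only, so a rule re-created by hand in gpedit (new GUID, same publisher) is added a second time; check the output before uploading.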

Conclusion:

You really need to implement adminless and AppLocker. You can deploy AppLocker manually, but why not do it à la minute, so you can sit back and relax?

9 thoughts on "Where the Wild Applocker Rules Are"

  1. Pingback: The LAPS and the furious! - Call4Cloud
  2. Pingback: No Country For Not Monitoring - Call4Cloud
  3. I see a few posts showing this as the method to migrate GPO AppLocker to Intune, but is this correct? Seems like Intune AppLocker settings should be within Endpoint Security\Attack Surface Reduction\Policy Type: Application Control. Not Device Configuration Profile

1. I know and I have the same feeling, the official answer should come from Microsoft but from what I have heard: It's very hard to transform the CSP to a nice GUI-friendly interface. Because editing the CSP AppLocker policy could break your system if not done correctly 🙂

  4. On our “on-prem” side we integrated the policy so a specific group can’t use Edge, Chrome, etc. That is based on a SID from an on-prem group.

    Member of “Geen_Internet” means all the browsers are blocked.
    I tried to put in a SID of an Azure group, but that didn't work the way I wanted it. It blocks the browsers for any user.

    Any hints or ideas how to fix it?

    1. That's indeed a good question. I have heard that question often… It's a fact that AppLocker doesn't like Azure AD groups… I know it's totally stupid… but what about creating a local group and adding those users to it… (nice name…. geen internet 🙂 it totally explains its purpose 🙂 )

  5. I want to add a Rule to Allow C:\Program Files (x86) Folder by creating an allow rule.
    But when I create a new rule and select the path to be allowed, it comes up as %PROGRAMFILES%\*, and when checked again after creating it points to C:\Program Files instead of C:\Program Files (x86). Any idea what is going wrong here and how to add C:\Program Files (x86)?

    1. Within the default AppLocker rules the Program Files folder (meaning the x86 and the x64 one) is allowed…. are you trying to add a specific folder or?

  6. I have a question, please enlighten me

    Your OMA-URI
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy

    OMA-URI on Microsoft’s website: https://learn.microsoft.com/en-us/windows/client-management/mdm/applocker-csp#applicationlaunchrestrictionsgrouping
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Grouping}/StoreApps/Policy

    How did you come up with “StoreAppsGroup” as the “{Grouping}” value?
