The men who stare at the AppLocker event log

This short blog post is about the curious case of AppLocker, MSI, Intune and the event log.

As you probably already know, you can deploy your AppLocker baseline with PowerShell within a few minutes.

Let’s take a look at AppLocker… When deploying AppLocker you can check your configuration in the file system or registry (without Intune).

File System:

Take a look at c:\windows\system32\AppLocker. You’ll find all AppLocker policies in it. When using Intune all AppLocker policies will be placed inside the MDM folder.

Registry (without Intune!):

HKLM\Software\Policies\Microsoft\Windows\SrpV2

Did you notice the last characters? SRPV2: software restriction policy V2.

Quick tip: When you have locked yourself out with AppLocker, you can do a lot with these registry settings from a remote computer.

So, let’s configure some basic rules to block CMD and PowerShell.

Try to open CMD, it’ll be blocked as shown by the AppLocker notification below.

Now open the event viewer and take a look at the EXE and DLL event log.

Nice, so you can set up your AppLocker monitoring through SolarWinds like I did. But what about MSI and scripts? AppLocker has an MSI and Script event log… but when AppLocker is deployed through Intune you can forget about the whole MSI and Script AppLocker component!

Because MSI and script enforcement is not handled by AppLocker (SRPV2); it makes use of the classic software restriction policies instead! I find it a little weird that I couldn’t find any information about this.

So, I tried to run an MSI (which I had blocked). The first thing I noticed was the lack of an AppLocker warning when executing the MSI. When I opened the event viewer and looked at the MSI and Script AppLocker log, it was silent. There is no log entry, really none at all.

Okay? Now go look at your Application log!

Event 1007? That certainly looks like SRP to me?

Yes, it definitely looks like the old school software restriction policy Microsoft is using to block MSI.
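To see the three places described above in one go, here is an added PowerShell helper (my own example, not code from the original post). It assumes an elevated session on a Windows endpoint, the standard AppLocker log names, the blocked-event IDs 8004 (EXE/DLL) and 8007 (MSI/script), and the Application-log event 1007 from the post; the function name Get-AppLockerEvidence is made up for this example.

```powershell
# Added example (not from the original post): summarise where AppLocker and SRP leave traces on a host.
# Assumptions: elevated PowerShell on a Windows endpoint; standard AppLocker log names; blocked-event IDs
# 8004 (EXE/DLL) and 8007 (MSI/script); Application-log event 1007 as observed in the post.
function Get-AppLockerEvidence {
    param(
        [int]$Hours = 24   # how far back to look in the event logs
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 1. Policy on disk. Intune-deployed policies land under the MDM subfolder, so search recursively.
    $policyDir   = Join-Path $env:SystemRoot 'System32\AppLocker'
    $policyFiles = Get-ChildItem -Path $policyDir -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName

    # 2. Policy in the registry (SrpV2). Only present when AppLocker was deployed without Intune.
    $srpV2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $registryCollections = if (Test-Path $srpV2) {
        (Get-ChildItem -Path $srpV2).PSChildName   # e.g. Exe, Dll, Msi, Script when configured
    } else { @() }

    # 3. AppLocker's own logs: 8004 = EXE/DLL blocked, 8007 = MSI/script blocked.
    $query = @{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = 8004
        'Microsoft-Windows-AppLocker/MSI and Script' = 8007
    }
    $appLockerBlocks = foreach ($log in $query.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $query[$log]; StartTime = $since } `
            -ErrorAction SilentlyContinue   # "no events found" is reported as an error; ignore it
    }

    # 4. The gap the post describes: with Intune, a blocked MSI shows up in the Application log as
    #    event 1007 rather than in the MSI and Script log. Check ProviderName if another source
    #    on the host also uses ID 1007.
    $srpBlocks = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1007; StartTime = $since } `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PolicyFiles         = $policyFiles
        RegistryCollections = $registryCollections
        AppLockerBlocks     = $appLockerBlocks | Select-Object TimeCreated, Id, Message
        SrpBlocks           = $srpBlocks       | Select-Object TimeCreated, ProviderName, Message
    }
}

# Usage: look back two days and show everything found.
Get-AppLockerEvidence -Hours 48 | Format-List
```

An empty SrpBlocks list on an Intune-managed host after a blocked MSI means the 1007 event is not in the Application log on that machine, so check the monitoring pipeline (SolarWinds or otherwise) is collecting the Application log and not only the AppLocker channels.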

Conclusion:

Deploying AppLocker to protect your endpoints is a very wise option. But understanding how AppLocker works is definitely something else. Like the quick tip I mentioned about recovering from an AppLocker misconfiguration, I still don’t quite know how you can do the same when using Intune.
