Call4Cloud | MMP-C | Autopilot | Device Preparation

Not yet another AppLocker Blog.


Provisioning your (for now) non-Azure AD-enrolled Windows 10 Pro devices with AppLocker can be very difficult, because AppLocker won't work on Windows 10 Pro devices without Intune… at least, that's what I thought.

I will divide this blog into multiple parts.

Requirements for AppLocker

When configuring AppLocker on a Windows 10 Pro device, you will notice this message inside the event log: "component not available on this SKU". Take a look at the operating system requirements…

Some time ago I wrote a blog about how you can automatically wipe and reset your domain-joined devices to enroll them with Autopilot. In that PowerShell script, I used the WMI bridge to reset the device.

I was very interested in the possibility of automatically pushing AppLocker to domain-joined Windows 10 Pro devices.

The first thing I needed to know was whether I could use the WBEMTest tool (wbemtest.exe) to look at the keys necessary to create the AppLocker policy. So I opened WBEMTest and connected to root\cimv2\mdm\dmmap.

Once the connection was established, it was time to enumerate some classes. To do so, press "Enumerate Classes", and there it was: a nice MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03 class.

The second thing I did was open this class to check the exact properties I needed to push the AppLocker policy itself. As you can see, I need these keys:

* Namespace = root\cimv2\mdm\dmmap
* ParentID = ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions
* Class = MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03
* Group = just like with MDM, you need to specify a group name for the AppLocker policy itself. For more information about the AppLocker CSP, see:

AppLocker CSP – Windows Client Management | Microsoft Docs

Now that we have all the information we need, it's time to create the instance and test with it. Unfortunately, it didn't work at first. After spending some time on it, I realized I needed to convert the AppLocker policy XML to an HTML-encoded string before handing it to the CSP.

Here is the script:

    $namespace = "root\cimv2\mdm\dmmap"
    $group = "applockerexe"                                   # grouping name for the policy, any value you choose
    $class = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
    $parent = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$group"
    # System.Net.WebUtility lives in System.dll, so this Add-Type is not strictly required; it is harmless.
    Add-Type -AssemblyName System.Web
    # The CSP expects the policy XML as an HTML-encoded string; plain XML is rejected.
    $policy = [System.Net.WebUtility]::HtmlEncode(@"
    COPY PASTE YOUR EXE INTUNE APPLOCKER POLICY
    "@)

    # Create the CSP node. Run this as LocalSystem (for example via PsExec -s); the MDM bridge provider requires it.
    New-CimInstance -Namespace $namespace -ClassName $class -Property @{ParentID=$parent;InstanceID="EXE";Policy=$policy}

Insert your own AppLocker policy at: COPY PASTE YOUR EXE INTUNE APPLOCKER POLICY
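To make the same WMI bridge call safe to run more than once, here is an added example (my own, not the blog's script) that validates the policy XML, updates an existing instance instead of failing on a second run, and reads the result back. It assumes it runs as LocalSystem (e.g. started with PsExec -s), which the bridge provider requires; the rule collection below is a constructed sample in AuditOnly mode.

```powershell
# Added example, not the blog author's script: push an AppLocker Exe rule collection
# through the MDM Bridge WMI provider idempotently, then read it back.
# Assumes it runs as LocalSystem (e.g. PsExec -s), which the bridge provider requires.
$namespace = 'root\cimv2\mdm\dmmap'
$className = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'
$group     = 'applockerexe'   # grouping name, any value you choose
$parentId  = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$group"

# Constructed sample: default-style Exe rules in AuditOnly mode, so a first rollout
# only logs (AppLocker Event ID 8003) instead of blocking. Replace with your own
# exported <RuleCollection Type="Exe"> element (without the <AppLockerPolicy> wrapper).
$ruleCollection = @"
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
  <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>
"@

# Fail early on malformed XML or the wrong root element; the CSP gives no useful reason on rejection.
$xml = [xml]$ruleCollection
if ($xml.DocumentElement.Name -ne 'RuleCollection' -or $xml.DocumentElement.Type -ne 'Exe') {
    throw 'Policy must be a single <RuleCollection Type="Exe"> element'
}
$encoded = [System.Net.WebUtility]::HtmlEncode($ruleCollection)

# Update in place if the node already exists, otherwise create it.
$existing = Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object { $_.ParentID -eq $parentId -and $_.InstanceID -eq 'EXE' }
if ($existing) {
    Set-CimInstance -InputObject $existing -Property @{ Policy = $encoded }
} else {
    New-CimInstance -Namespace $namespace -ClassName $className `
        -Property @{ ParentID = $parentId; InstanceID = 'EXE'; Policy = $encoded } | Out-Null
}

# Read back and decode so you can confirm what the device actually holds.
$applied = Get-CimInstance -Namespace $namespace -ClassName $className |
    Where-Object { $_.ParentID -eq $parentId -and $_.InstanceID -eq 'EXE' }
[System.Net.WebUtility]::HtmlDecode($applied.Policy)
```

Switch EnforcementMode to Enabled only after the 8003 audit events show no legitimate executables would be blocked.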

As you probably know, you can monitor the AppLocker folder itself to see whether the script is working:

So, the PowerShell script worked. To be sure, I created a new standard (non-admin) user and tried to open PowerShell. Take a look at the operating system: Windows 10 Pro.

AppLocker active on a Windows 11 device which is not enrolled into Intune

Conclusion:

It's funny to see that you can get AppLocker working on a Windows 10 Pro device without utilizing Intune. When you use the WMI bridge part from the script I published to wipe your device, you can make sure all the Windows 10 Pro devices inside your domain get an AppLocker policy!
