Provisioning your Windows 10 Pro devices that are not (yet) Azure AD-enrolled with AppLocker can be very difficult, because AppLocker won't work on Windows 10 Pro devices without Intune… at least, that's what I thought.
Requirements for AppLocker
When configuring AppLocker on a Windows 10 Pro device, you will notice this message in the event log: "component not available on this SKU". Take a look at the operating system requirements…
Some time ago I wrote a blog post about how you can automatically wipe and reset your domain-joined devices to enroll them with Autopilot. In that PowerShell script, I used the WMI bridge to reset the device.
I was very interested in the possibility of automatically pushing AppLocker to Windows 10 Pro domain-joined devices.
The first thing I needed to know was whether I could use the WBEMTest tool (wbemtest.exe) to find the keys necessary to create the AppLocker policy. So I opened WBEMTest and connected to root\cimv2\mdm\dmmap.
Once the connection was established, it was time to enumerate some classes! To do so, press "Enumerate Classes", and there it was: a nice MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03 class.
The second thing I did was open this class to check the exact keys I needed to push the AppLocker policy itself. As you can see, I need these keys:
* Namespace = root\cimv2\mdm\dmmap
* ParentID = ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions
* Class = MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03
* Group = Just like with MDM, you need to specify a group name for the AppLocker policy itself. For more information about the AppLocker CSP, see:
AppLocker CSP – Windows Client Management | Microsoft Docs
Now that we have all the information we need, it's time to create and test with it. Unfortunately, it didn't work at first. After spending some time on it, I realized I needed to convert the AppLocker policy string to an HTML-encoded string.
Here is the script:
$namespace = "root\cimv2\mdm\dmmap"
$group = "applockerexe"                 # free-form group name for the AppLocker policy
$class = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$parent = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$group"
# Not strictly needed: System.Net.WebUtility lives in System.dll, not in System.Web
Add-Type -AssemblyName System.Web
# The CSP expects the RuleCollection XML HTML-encoded, so encode the raw policy text
$policy = [System.Net.WebUtility]::HtmlEncode(@"
COPY PASTE YOUR EXE INTUNE APPLOCKER POLICY
"@)
# Create the EXE policy instance through the WMI bridge (run in the local SYSTEM context)
New-CimInstance -Namespace $namespace -ClassName $class -Property @{ParentID=$parent;InstanceID="EXE";Policy=$policy}
Insert your own AppLocker policy at: COPY PASTE YOUR EXE INTUNE APPLOCKER POLICY
As you probably know, you can monitor the AppLocker folder itself to see whether the script is working:
So, the PowerShell script worked. To be sure, I created a new standard user (non-admin) and tried to open PowerShell. Take a look at the operating system: Windows 10 Pro
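As an added example (not the script from this post), here is a fuller version of the same push that validates the rule collection before encoding it, updates an existing instance instead of failing on a duplicate, and reads the policy back from the bridge to confirm what the device holds. It assumes the same class and parent path as above, a constructed sample RuleCollection in place of your exported Intune policy, and execution in the local SYSTEM context, which the MDM bridge provider requires.

```powershell
# Added example, not the original post's script: validate an AppLocker EXE
# rule collection, push it through the MDM Bridge WMI provider, then read it
# back. Must run in the local SYSTEM context (the bridge provider rejects
# other callers), e.g. from a scheduled task or the post's wipe/reset script.
$namespace = 'root\cimv2\mdm\dmmap'
$class     = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'
$group     = 'applockerexe'                 # free-form group name, as in the post
$parent    = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$group"

# Constructed sample RuleCollection (the same XML an Intune AppLocker profile
# carries): everyone may run from %WINDIR% and %PROGRAMFILES%, local
# Administrators may run anything. Replace with your own exported collection.
$policyXml = @"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>
"@

# Refuse to push anything that is not well-formed XML with the expected root;
# a malformed collection can lock users out instead of enforcing the rules.
$doc = [xml]$policyXml
if ($doc.DocumentElement.Name -ne 'RuleCollection' -or $doc.RuleCollection.Type -ne 'Exe') {
    throw 'Policy is not an Exe RuleCollection'
}

# The CSP takes the XML HTML-encoded, which is why the post's first attempt failed.
$encoded = [System.Net.WebUtility]::HtmlEncode($policyXml)

# Update an existing instance in place, otherwise create one.
$existing = Get-CimInstance -Namespace $namespace -ClassName $class -ErrorAction SilentlyContinue |
    Where-Object { $_.ParentID -eq $parent -and $_.InstanceID -eq 'EXE' }
if ($existing) {
    $existing.Policy = $encoded
    Set-CimInstance -CimInstance $existing
} else {
    New-CimInstance -Namespace $namespace -ClassName $class `
        -Property @{ ParentID = $parent; InstanceID = 'EXE'; Policy = $encoded } | Out-Null
}

# Read back and decode to confirm what the device actually holds, then list the
# policy files AppLocker writes, which is the folder the post watches in Explorer.
$applied = Get-CimInstance -Namespace $namespace -ClassName $class |
    Where-Object { $_.ParentID -eq $parent -and $_.InstanceID -eq 'EXE' }
([xml][System.Net.WebUtility]::HtmlDecode($applied.Policy)).RuleCollection.FilePathRule |
    Select-Object Name, Action, UserOrGroupSid
Get-ChildItem "$env:windir\System32\AppLocker" | Select-Object Name, LastWriteTime
```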
Conclusion:
It's funny to see that you can get AppLocker working on a Windows 10 Pro device without using Intune. When you use the WMI bridge part of the script I published to wipe your device, you can make sure all the Windows 10 Pro devices inside your domain get an AppLocker policy!