Not yet another AppLocker Blog.

Last Updated on December 3, 2021 by rudyooms

Provisioning Windows 10 Pro devices that are not (yet) Azure AD enrolled with AppLocker can be very hard, because AppLocker won’t work on Windows 10 Pro devices without Intune… at least that’s what I thought.

When configuring AppLocker on a Windows 10 Pro device the classic way, you will notice this message in the event log: “AppLocker component not available on this SKU”. Take a look at the operating system requirements…

Some time ago I wrote a blog about how you can automatically wipe and reset your domain-joined devices to enroll them with Autopilot. In that PowerShell script, I used the MDM WMI bridge to reset the device.

I was very interested in the possibility of automatically pushing AppLocker to domain-joined Windows 10 Pro devices the same way.

The first thing I needed to know was whether I could use the wbemtest tool to look up the class and properties necessary to create the AppLocker policy. So I opened wbemtest and connected to root\cimv2\mdm\dmmap.

Now that the connection was established, it was time to enumerate some classes! To do so, press “Enumerate Classes”, and there it was: a nice MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03 class.

The second thing I did was open this class to find the exact values I needed to push the AppLocker policy itself. As you can see, I need these:

*Namespace = root\cimv2\mdm\dmmap

*Class = MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03

*ParentID = ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<group>

*InstanceID = EXE (the rule collection this instance carries)

*Group = just like with MDM, you need to specify a grouping name for the AppLocker policy itself; it becomes the last segment of the ParentID. For more information about the AppLocker CSP:

AppLocker CSP – Windows Client Management | Microsoft Docs

Now that we have all the information we need, it’s time to create and test with it. Unfortunately, it didn’t work at first. After spending some time on it, I realized I needed to convert the AppLocker policy XML to an HTML-encoded string before handing it to the Policy property. One more thing to keep in mind: the MDM Bridge WMI provider only accepts calls made as the LocalSystem account, so run the script as SYSTEM (for example with psexec -s, or from a script that already runs as SYSTEM).

Here is the script:

# MDM bridge namespace and the AppLocker EXE rule collection class found with wbemtest
$namespace = "root\cimv2\mdm\dmmap"
$group = "applockerexe"   # grouping name, free to choose
$class = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$parent = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$group"

# The Policy property wants the RuleCollection XML as an HTML-encoded string
# (System.Net.WebUtility lives in System.dll, so no extra assembly is needed)
$policy = [System.Net.WebUtility]::HtmlEncode(@"
COPY PASTE YOUR EXE INTUNE APPLOCKER POLICY
"@)

# Create the EXE instance under the grouping node; run this as SYSTEM
New-CimInstance -Namespace $namespace -ClassName $class -Property @{ParentID=$parent;InstanceID="EXE";Policy=$policy}

Insert your own AppLocker policy (the EXE RuleCollection XML you would otherwise upload to Intune) in place of: COPY PASTE YOUR EXE INTUNE APPLOCKER POLICY

As you probably know, you can monitor the AppLocker folder itself (C:\Windows\System32\AppLocker) to see if the script is working: the policy file shows up there once the CSP has processed it.

So, the PowerShell script worked. To be sure, I created a new standard user (not an admin) and tried to open PowerShell. Take a look at the operating system: Windows 10 Pro.
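The steps above as one re-runnable script, as an added example that is not the post’s own code: it pushes an EXE rule collection through the MDM bridge, reads it back, checks the folder and the Application Identity service, and can remove the policy again. The class name, ParentID layout, InstanceID and the HtmlEncode step come from the post; the function names are my own; the sample policy is a constructed rule collection containing the three AppLocker default EXE rules (with fresh GUIDs) and should be replaced with your own exported XML.

```powershell
# Added example, not the post's own script: push an AppLocker EXE rule collection to a
# Windows 10 Pro device through the MDM Bridge WMI provider, read it back, and remove it.
# Run as LocalSystem (e.g. psexec -i -s powershell.exe): the bridge provider only
# accepts calls made as the SYSTEM account.

$Namespace = 'root\cimv2\mdm\dmmap'
$ClassName = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'

function Get-ParentId([string]$Group) {
    # The grouping name is the last segment of the CSP node the EXE instance hangs under.
    "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Group"
}

function Get-AppLockerExeInstance([string]$Group) {
    # Returns the bridge instance for this grouping, or nothing if it does not exist yet.
    $parentId = Get-ParentId $Group
    Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
        Where-Object { $_.ParentID -eq $parentId -and $_.InstanceID -eq 'EXE' }
}

function Publish-AppLockerExePolicy {
    param(
        [Parameter(Mandatory)][string]$Group,      # grouping name, free to choose
        [Parameter(Mandatory)][string]$PolicyXml   # <RuleCollection Type="Exe" ...> XML
    )
    # Fail early: the class only exists where the AppLocker CSP is available.
    if (-not (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue)) {
        throw "$ClassName not found in $Namespace (not running as SYSTEM, or unsupported build)"
    }
    # The bridge wants the XML HTML-encoded (<, >, & and quotes turned into entities).
    $encoded  = [System.Net.WebUtility]::HtmlEncode($PolicyXml)
    $existing = Get-AppLockerExeInstance $Group
    if ($existing) {
        # Re-running updates the policy instead of failing on a duplicate instance.
        $existing | Set-CimInstance -Property @{ Policy = $encoded }
    } else {
        New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
            ParentID   = Get-ParentId $Group
            InstanceID = 'EXE'
            Policy     = $encoded
        } | Out-Null
    }
}

function Test-AppLockerExePolicy([string]$Group) {
    # Three checks: the bridge instance exists, the EXE policy file was written to the
    # AppLocker folder, and the Application Identity service (the enforcement engine) runs.
    [pscustomobject]@{
        InstancePresent = [bool](Get-AppLockerExeInstance $Group)
        PolicyFile      = Test-Path (Join-Path $env:windir 'System32\AppLocker\Exe.AppLocker')
        AppIDSvcRunning = (Get-Service AppIDSvc).Status -eq 'Running'
    }
}

function Remove-AppLockerExePolicy([string]$Group) {
    # Rollback: deleting the bridge instance removes the policy from the CSP.
    Get-AppLockerExeInstance $Group | Remove-CimInstance
}

# Constructed sample policy: the three AppLocker default EXE rules, enforced. Everyone
# (S-1-1-0) may run what lives under Program Files and Windows, local Administrators
# (S-1-5-32-544) may run anything. Replace with your own exported AppLocker XML.
$SamplePolicy = @"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="$(New-Guid)" Name="All files in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$(New-Guid)" Name="All files in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$(New-Guid)" Name="All files (local Administrators)" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>
"@

Publish-AppLockerExePolicy -Group 'applockerexe' -PolicyXml $SamplePolicy
Test-AppLockerExePolicy -Group 'applockerexe'

# Blocked launches are logged as event ID 8004 in the AppLocker EXE and DLL channel;
# this lists the latest ones so you can confirm enforcement from a standard user's test.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8004 | Select-Object TimeCreated, Message
```

Test the sample policy with a standard user before rolling it out: anything that lives outside Program Files and Windows (per-user installs under %LOCALAPPDATA%, for instance) is blocked by these rules, which is exactly what the 8004 events will tell you. Remove-AppLockerExePolicy gives you a way back if a device ends up too locked down.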

Conclusion:  

It’s funny to see that you can get AppLocker working on a Windows 10 Pro device without using Intune. When you combine this with the WMI bridge part of the script I published to wipe your devices, you can make sure all the Windows 10 Pro devices in your domain get an AppLocker policy!
