How to create an applocker policy (Manual)

Posted On December 2, 2022

Windows AppLocker is a technology first introduced in Windows 7 that allow you to restrict which programs users can execute based on the program’s attributes. In enterprise environments it is typically configured via Group Policy, however we can leverage the XML it creates to easily build our own custom policies that perform many of the same tasks with Microsoft Intune.

The process flow goes like this: We first model the policy we want to implement using AppLocker in Group Policy Editor. We then export the XML for that policy and use it to create a new, custom Windows 10/11 Device Configuration policy in Intune. Once the custom policy is deployed, the same policy behavior we modeled with AppLocker in Group Policy Editor is then applied to our targeted Windows 10/11 devices.

Applocker supported versions

  • All editions off Windows 10 and Windows 11 are supported when deploying with Intune
  • Only Enterprise and Education editions of Windows 10 and 11 are supported when deploying with Active Directory Group Policies

Note:

Application Identity service should not be disabled, as it is used to identify and verify the applications.

You can create AppLocker rules for below file types:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx and .msix.

How to create an AppLocker Policy

To create an AppLocker policy, you need to login as an administrator on any Windows 10 or Windows 11 device and follow below steps:

Enable AppLocker Rule Enforcement

  • Click on Start, Type Run, Type secpol.msc.
  • Expand Application Control Policies.
  • Right click AppLocker and click on Properties.
  • Under Enforcement tab. Select the checkbox for Executable rules and select Enforce rules.

Create AppLocker Policy Rule

In the next step we will create a default policy rule which we can change and edit to your specific needs. We can create a Allow or a Deny rules. Most importantly is to add the Windows and Program Files folder to the allowed folders.

To create default rules:

  • Click on Start, type Run, Type secpol.msc.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right click on Executable Rules and click on Create Default Rules.

Everyone will be able to execute Files from:

  • C:\Program Files
  • C:\Windows
  • Administrators don’t have any restrictions.f

Create Default Rules corresponding to each AppLocker rule collection by right-clicking on Windows Installer Rules, Script Rules, Packaged app Rules and click Create Default Rules.

How to create AppLocker Allow/Deny rule for an application

In this manual we want to create an allow rule to allow the CamCal application next to the Windows and Program Files application.

  • Click on Start, Type Run, Type secpol.msc.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right click on Executable Rules and click on Create New Rule.

On the Permissions screen, Select the Allow Action.

Select Publisher if you have a single application, you can select the executable to create the rule.

In this example I have an old application with multiple executables, and a few cmd files. In this manual we are going to select Path

Now browse the path that you want to Allow

On Exceptions window. Select Next as we do not want to add any exceptions to this rule.

If you want you can change the name of the application.

Once the rule is created, you should be able to find the rule under Executable Rules rule collection.

How to Export AppLocker Policy

We have created all the rules we needed in our AppLocker policy. We can now export the policy to an XML file.

To Export the AppLocker Policy, follow below steps:

  • Click on Start, Type Run, Type secpol.msc.
  • Expand Application Control Policies.
  • Right Click on AppLocker and select Export Policy.

Provide File Name and location where you want to save this XML file.

How to Deploy AppLocker rules in Intune

We can now deploy the XML file with Intune.

Login on Microsoft Endpoint Manager admin center, click on Devices, Configuration Profiles+ Create Profile.

On the flyout fill in the following fields:

  • Select Platform: Windows 10 and later
  • Profile type: Templates
  • Template Name, search for custom: Custom

In the Basics tab fill in the required fields, you can use the following examples:

  • Name: AppLocker Policy
  • Description: Applocker Policy rules for Windows devices

On the Configuration Tab click on Add to add OMA-URI Setting, and fill in the following fields:

  • Name: EXE Rule Collection
  • Description: Executable Rules
  • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/EXE/Policy
  • Data type: String
  • Value: Paste the Rule section that contains the folder paths, including program files and Windows folder

If you have created rules under Windows Installer Rules, Script Rules, Packaged app Rules or DLL rule collection as well then you can copy the rules from Exported XML file and paste it in the value text box under a separate OMA-URI by clicking on Add button.

OMA-URI for each Rule Collection:

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/MSI/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/Script/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/StoreApps/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/DLL/Policy

Similar to the EXE Rule Collection, you can click on Add button to add OMA-URI setting for other rule collections.

Assignments

You can add all users or all devices or you can create an Azure ad security group which contains users or devices and use it to deploy this configuration profile. If you deploy this configuration profile to users, then it will get deployed to all the managed devices where user’s sign in into.

If you deploy this configuration to devices, then it will be applied to all users who will sign into that device. You can plan your deployment accordingly. I will be deploying the AppLocker rules to all devices.

On the last tab you can review and create the policy. Review the device configuration profile and click on Create to create and deploy AppLocker rules to the End users / devices.

End User Experience

After you have created this policy and assigned it to devices or users it will take some time to be effective.

The policy will block any executables that are not in the allow list. The user will get a message like below with an unauthorized application:

Troubleshooting

If you want to do some troubleshooting on the end users device. Go to the Event Viewer, From the Application and Services logs, Windows, Applocker, EXE and DLL logs search for Events with an ID of 8004 for blocked applications, search for 8002 for allowed applications.

image 7

Microsoft Documentation

More documentation can be found on the Microsoft Docs website: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

You can find more information about the AppLocker CSP at https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp location.

Tweet
Share
Pin
Share
Tags:, ,

Related Posts

About The Author

Cor den Boer

Add a Comment

Your email address will not be published. Required fields are marked *