How to create an AppLocker policy (Manual)

Windows AppLocker is a technology first introduced in Windows 7 that allows you to restrict which programs users can execute based on the program's attributes. In enterprise environments it is typically configured via Group Policy; however, we can leverage the XML it creates to easily build our own custom policies that perform many of the same tasks with Microsoft Intune.

The process flow goes like this: We first model the policy we want to implement using AppLocker in Group Policy Editor. We then export the XML for that policy and use it to create a new, custom Windows 10 Device Configuration policy in Intune. Once the custom policy is deployed, the same policy behavior we modeled with AppLocker in Group Policy Editor is then applied to our targeted Windows 10 devices.

You can find all of our documentation on Windows AppLocker here, and in this post, I’ll walk you through an example using this process to block the built-in Mail app on Windows 10 computers.

What are the requirements for AppLocker

  • If you are using Intune AppLocker CSP policies to manage and deploy AppLocker, any edition of Windows 10 and Windows 11 is supported.
  • If you are using Active Directory Group Policy to manage and deploy AppLocker, devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016 are supported.
  • The Application Identity service should not be disabled, because it determines and verifies the identity of an app; stopping this service prevents AppLocker policies from being enforced. If the Application Identity service is set to Manual (Trigger Start), which is its default, it still works fine: there is no need to keep the service running at all times or to deploy a PowerShell script to change it to Automatic.

You can create AppLocker rules for the following file types:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx and .msix.

How to create an AppLocker Policy

To create an AppLocker policy, log in as an administrator on any Windows 10 or Windows 11 device and follow the steps below:

Enable AppLocker Rule Enforcement

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Right-click AppLocker and click on Properties.
  • Under the Enforcement tab, select the checkbox for Executable rules and select Enforce rules. This enforces the Executable Rules when the policy is applied. Instead of Enforce rules, you can also select the Audit only option. Audit mode does not enforce the rules and only generates audit events in the Event Log when a user performs an action that matches the AppLocker rules.

If you are creating any other type of rules under Windows Installer Rules, Script Rules or Packaged app Rules that you want to enforce on the target device, check the box next to the corresponding option. For now, I have created rules under Executable rules only, therefore I have only checked and selected Enforce rules under the Executable rules option.

Create AppLocker Policy Rules

Once you have configured AppLocker rule enforcement, you can create the rules as per your requirement. There are two types of rules you can create: Allow and Deny. You should start by creating the default rules first, which whitelist the Program Files and Windows folders.

Program Files contains all your installed applications and the Windows folder contains operating system files. Therefore, it's recommended to whitelist (Allow) both these locations. To create the default rules:

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right-click on Executable Rules and click on Create Default Rules.

Once the default rules are created, Everyone will be able to execute files from:

  • C:\Program Files folder.
  • C:\Windows folder.

Administrators have no restrictions; they can execute and run files from anywhere.

Create Default Rules for each of the other AppLocker rule collections by right-clicking on Windows Installer Rules, Script Rules and Packaged app Rules and clicking Create Default Rules.

These default rules can be modified as per your requirement. For example, you can also add an Allow rule for the C:\Program Files (x86) folder. You can also deny execution of certain programs by creating a Deny rule.

How to create AppLocker Allow/Deny rule for an application

As we want to allow or block specific executable (.exe) files by creating an allow or deny rule, we will be creating all the rules under the Executable Rules rule collection. Let's create an allow rule to allow the CamCal application.

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right-click on Executable Rules and click on Create New Rule.

Click Next if you see the Before You Begin screen. On the Permissions screen, select the Allow action.

Select Publisher if you have a single application; you can then select the executable to create the rule.

To use a publisher condition, the files must be digitally signed by the software publisher, or you must sign them yourself using an internal certificate.

In this example I have an old application with multiple executables and a few cmd files. In this manual we are going to select Path.

On the Publisher screen, if you want to create a rule that will work irrespective of the Google Chrome version, move the slider up a bit. File version will then show as *, which means that the rule is valid for all application versions. The same applies when creating a rule for other applications.

On the Exceptions window, select Next, as we do not want to add any exceptions to this rule.

You can change the name of the AppLocker rule to a simpler one. For example, I have provided the following name and description.

  • Name: Block CHROME.EXE.
  • Description: This Deny Rule will Block Execution of Google Chrome Program on the Devices.

Once the rule is created, you should be able to find it under the Executable Rules rule collection. As you can see in the screenshot below, there is a Deny rule we created for blocking the Google Chrome application.

How to Export AppLocker Policy

We have created all the rules we need in our AppLocker policy. We can now export the policy to an XML file.

To export the AppLocker policy, follow the steps below:

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Right Click on AppLocker and select Export Policy.

Provide the file name and location where you want to save this XML file.
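Before pasting anything into Intune, it is worth checking that the exported file makes the decisions you expect. The script below is an added example, not part of the original post: it runs Test-AppLockerPolicy against the exported XML for a few sample paths (the file path, the sample paths and the expected decisions are assumptions; only paths that exist on the machine are tested).

```powershell
# Added example: evaluate the exported AppLocker policy file against sample paths
# before deploying it. Path values and expectations below are assumptions.
$PolicyXml = 'C:\Temp\AppLockerPolicy.xml'   # file written by "Export Policy"

# Paths that must keep working, and paths the Deny rule is meant to catch.
# Expected values are prefixes: 'Allowed' also matches 'AllowedByDefault',
# 'Denied' also matches 'DeniedByDefault' (blocked because no Allow rule covers it).
$Expected = @{
    'C:\Windows\System32\notepad.exe'                        = 'Allowed'  # default Windows-folder rule
    'C:\Program Files\Google\Chrome\Application\chrome.exe' = 'Denied'   # the Deny rule for Chrome
    'C:\Users\Public\Downloads\tool.exe'                     = 'Denied'   # outside Program Files / Windows
}

# Test-AppLockerPolicy needs real files to inspect, so skip sample paths that are not present.
$paths = @($Expected.Keys | Where-Object { Test-Path -LiteralPath $_ })
if ($paths.Count -eq 0) { Write-Warning 'None of the sample paths exist on this machine.'; return }

$results = Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $paths -User Everyone

$failures = 0
foreach ($r in $results) {
    $want = $Expected[$r.FilePath]
    $ok   = $r.PolicyDecision -like "$want*"
    if (-not $ok) { $failures++ }
    '{0} expected={1,-8} got={2,-17} {3}  (rule: {4})' -f ($(if ($ok) { 'OK  ' } else { 'FAIL' })),
        $want, $r.PolicyDecision, $r.FilePath, $r.MatchingRule
}

if ($failures) {
    Write-Warning "$failures path(s) did not get the expected decision; fix the rules before deploying."
} else {
    Write-Host 'All sample paths evaluated as expected.'
}
```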

How to Deploy AppLocker rules using Intune

Once we have divided our XML file into multiple parts, one per rule collection, we can create a device configuration profile to deploy these rules to target devices. Follow the steps below to create a device configuration profile in Intune.

Log in to the Microsoft Endpoint Manager admin center and click on Devices -> Configuration profiles -> + Create profile.

On the flyout fill in the following fields:

  • Select Platform: Windows 10 and later
  • Profile type: Templates
  • Template Name, search for custom: Custom

In the Basics tab fill in the required fields, you can use the following examples:

  • Name: AppLocker Policy
  • Description: This is a Device Configuration Profile to Implement AppLocker rules on all organization devices.

On the Configuration settings tab, click on Add to add an OMA-URI setting and fill in the following fields:

  • Name: EXE Rule Collection
  • Description: Executable Rules
  • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/EXE/Policy
  • Data type: String
  • Value: paste the RuleCollection element corresponding to the EXE rule collection, copied from the exported XML file.

If you have also created rules under the Windows Installer Rules, Script Rules, Packaged app Rules or DLL rule collections, copy the corresponding RuleCollection from the exported XML file and paste it into the value text box of a separate OMA-URI setting by clicking the Add button.

OMA-URI for each Rule Collection:

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/MSI/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/Script/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/StoreApps/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/DLL/Policy

Similar to the EXE Rule Collection, you can click on Add button to add OMA-URI setting for other rule collections. If you just have rules in Executable Rules, then you can skip this step.
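The split described above can be done by hand in a text editor, but it is easy to paste the wrong element or to paste an empty collection. The following script is an added example and not part of the original post: it reads the exported policy, writes each populated RuleCollection element to its own file and prints the OMA-URI it belongs to, using the apprulset0001 grouping name from this post. The file paths are assumptions.

```powershell
# Added example: split an exported AppLocker policy into one file per rule collection
# and report the Intune OMA-URI for each. File paths and the grouping name are assumptions.
param(
    [string]$PolicyXml = 'C:\Temp\AppLockerPolicy.xml',   # file written by "Export Policy"
    [string]$OutDir    = 'C:\Temp\AppLockerSplit',
    [string]$Grouping  = 'apprulset0001'                  # grouping segment used in this post
)

# RuleCollection "Type" attribute in the export -> node name in the AppLocker CSP OMA-URI
$NodeByType = @{ Exe = 'EXE'; Msi = 'MSI'; Script = 'Script'; Dll = 'DLL'; Appx = 'StoreApps' }

[xml]$policy = Get-Content -Path $PolicyXml -Raw
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
    $type  = $collection.Type
    $rules = @($collection.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })
    $deny  = @($rules | Where-Object { $_.Action -eq 'Deny'  })

    # Export Policy writes every collection, including empty ones; there is nothing to paste for those.
    if ($rules.Count -eq 0) {
        Write-Host "Skipping $type collection: no rules (EnforcementMode=$($collection.EnforcementMode))"
        continue
    }

    # Once a collection contains any rule, AppLocker blocks everything in it that is not
    # explicitly allowed, so a Deny-only collection would block every file of that type.
    if ($allow.Count -eq 0) {
        Write-Warning "$type collection has Deny rules but no Allow rule: all $type files would be blocked. Create Default Rules first."
    }

    # Intune expects the <RuleCollection> element itself, not the <AppLockerPolicy> wrapper.
    $outFile = Join-Path $OutDir "$type.xml"
    $collection.OuterXml | Set-Content -Path $outFile -Encoding UTF8

    [pscustomobject]@{
        Collection  = $type
        Enforcement = $collection.EnforcementMode
        Allow       = $allow.Count
        Deny        = $deny.Count
        File        = $outFile
        OmaUri      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/$($NodeByType[$type])/Policy"
    }
}
```

Each output row gives the file whose contents go into the Value field and the OMA-URI to enter next to it; collections reported as skipped need no OMA-URI setting at all.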

Assignments Tab

You can add all users or all devices, or you can create an Azure AD security group containing users or devices and use it to deploy this configuration profile. If you deploy this configuration profile to users, it will be deployed to all managed devices that those users sign in to.

If you deploy this configuration to devices, it will be applied to all users who sign in to those devices. You can plan your deployment accordingly. I will be deploying the AppLocker rules to all devices.

On the last tab you can review and create the policy. Review the device configuration profile and click Create to create and deploy the AppLocker rules to the end users / devices.

End User Experience

After you have created this policy and assigned it to the target devices, it will take some time to take effect. You can also force an Intune policy sync or restart the PC once to speed up the Intune policy refresh process.

The AppLocker policy we deployed blocks execution of the application from anywhere on the device except the allowed file path. Let's check an end user device and try to launch the CamCal application. As soon as you double-click CamCal from a different location, you get the error message "This app has been blocked by your system administrator. Contact your system administrator for more info."

You can click on Close or click on Copy to clipboard.

AppLocker Event ID 8004

You can find AppLocker-related events in Windows Event Viewer. Follow the steps below to find the AppLocker folder in Event Viewer.

  • Go to Start -> search for Event Viewer and click on it to launch the Event Viewer MMC.
  • Expand Applications and Services Logs -> Microsoft -> Windows.
  • Find the AppLocker folder.
  • Click on EXE and DLL for EXE and DLL related events.
  • You will find that Event ID 8004 is generated when an application is prevented from running. This confirms that the policy we applied from Intune is working fine.
  • Below is an example of a different application that was blocked.
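Clicking through Event Viewer works for one machine; when the policy is rolled out more widely it is quicker to query the same log from PowerShell. The script below is an added example, not part of the original post: it pulls recent 8004 events from the EXE and DLL log and groups them by blocked file. The UserData element names (RuleAndFileData, TargetUser, FilePath, RuleName, FileHash) are those written by the AppLocker event provider and are assumed here.

```powershell
# Added example: summarise AppLocker block events (ID 8004) from the EXE and DLL log.
# Use -EventId 8003 when the collection is set to "Audit only": 8003 records what would
# have been blocked had the rules been enforced.
param(
    [int]$EventId   = 8004,
    [int]$Hours     = 24,
    [int]$MaxEvents = 500
)

$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = $EventId
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No $EventId events in the last $Hours hours."; return }

# The useful details live in the event's UserData XML rather than in the message text.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = $data.TargetUser   # SID of the account that tried to launch the file
        FilePath = $data.FilePath     # AppLocker path form, e.g. %OSDRIVE%\USERS\...
        RuleName = $data.RuleName     # rule that produced the decision
        FileHash = $data.FileHash
    }
}

# One line per blocked binary: how often, by whom, and which rule caught it.
$rows | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'FilePath'; e = { $_.Name } },
        @{ n = 'Users';    e = { (@($_.Group.User     | Sort-Object -Unique)) -join ', ' } },
        @{ n = 'Rules';    e = { (@($_.Group.RuleName | Sort-Object -Unique)) -join ', ' } },
        @{ n = 'Last';     e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Running this with -EventId 8003 while the collection is still in Audit only mode shows what the Deny rule and the implicit deny would hit before you switch to Enforce rules.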

Further Information

For further information on AppLocker, refer to this Microsoft Docs link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

You can find more information about the AppLocker CSP at https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp.
