Configure AppLocker in Intune
- Published on 9 Aug 2023
- AppLocker is a technology introduced in Windows 7 that can block certain executables, apps, installers, and scripts. This video shows how you can push AppLocker configuration with the help of Intune Configuration Profiles.
In this video, we show how to block the execution of GIMP with the help of AppLocker, an XML policy, and Intune.
OMA-URI path used in this video:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
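The following PowerShell is an added example, not the video's own policy: it builds the EXE rule collection that goes into the OMA-URI above, keeps the three default allow rules, adds one deny rule, dry-runs the result with Test-AppLockerPolicy while EnforcementMode is still AuditOnly, and only then produces the Enabled version for Intune. The deny path is a placeholder, and the Teams path assumes the classic per-user install under %LOCALAPPDATA%; it is listed because executables outside Program Files and the Windows folder are not covered by any default rule.

```powershell
# Added example (not from the video): EXE rule collection for
# ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
# Run elevated on a Windows Pro/Enterprise machine with the AppLocker cmdlets.
# ASSUMPTION: $DenyPath is a placeholder; point it at the app you actually want to block.
$DenyPath = '%PROGRAMFILES%\ExampleApp\*'

# An explicit Deny always wins over Allow in AppLocker, so the deny rule below overrides
# the default "Program Files" allow rule for just that folder.
$exeCollection = @"
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
  <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="Allows Everyone to run applications located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="Allows Everyone to run applications located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Deny ExampleApp (placeholder)" Description="Blocks the example application for Everyone." UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions><FilePathCondition Path="$DenyPath" /></Conditions>
  </FilePathRule>
</RuleCollection>
"@

# Test-AppLockerPolicy wants a complete policy document, so wrap the collection for the dry run.
$policyFile = Join-Path $env:TEMP 'applocker-exe-test.xml'
Set-Content -Path $policyFile -Value "<AppLockerPolicy Version=`"1`">$exeCollection</AppLockerPolicy>" -Encoding UTF8

# Executables that must keep working. Classic Teams lives under the user profile, outside
# %PROGRAMFILES% and %WINDIR%, so no default rule allows it: a missing allow rule, not the
# deny rule, is what makes it stop launching once enforcement is on. (Teams path is an assumption.)
$mustRun = @(
    "$env:WINDIR\System32\notepad.exe",
    "$env:WINDIR\System32\calc.exe",
    "$env:LOCALAPPDATA\Microsoft\Teams\current\Teams.exe"
) | Where-Object { Test-Path $_ }

# Anything not "Allowed" here (Denied or DeniedByDefault) is collateral damage to fix first.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $mustRun -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# For a signed executable outside the default folders, derive a Publisher allow rule from
# its signature and merge the resulting <FilePublisherRule> into $exeCollection.
$teams = "$env:LOCALAPPDATA\Microsoft\Teams\current\Teams.exe"
if (Test-Path $teams) {
    Get-AppLockerFileInformation -Path $teams |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Allow Teams' -Xml |
        Set-Content -Path (Join-Path $env:TEMP 'teams-allow-rule.xml') -Encoding UTF8
}

# Once the audit run shows only the intended target as Denied, flip the mode and paste this
# RuleCollection element (not the AppLockerPolicy wrapper) as the OMA-URI string value.
$exeCollection -replace 'EnforcementMode="AuditOnly"', 'EnforcementMode="Enabled"' |
    Set-Content -Path (Join-Path $env:TEMP 'intune-exe-policy.xml') -Encoding UTF8
```

The EXE collection only governs classic executables; Store apps are evaluated by the separate StoreApps rule collection, which needs its own default allow rule under the sibling StoreApps/Policy OMA-URI, otherwise inbox apps such as Photos or Settings can end up blocked with an otherwise correct EXE policy.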
Wow, there were a few things I missed when I created my XML file and built AppLocker policies to block Steam. I literally broke a few things enforcing it to my test group. I have to say I was able to undo it, but not without a fight first. This video helped me see my mistakes. Thank you
Thanks for the comment, and happy to hear it helped.
Nice job one more time John!!! And thank you for taking my comment in consideration 😊
Thank you for the tip! Good idea
Hyyyyyyy buddy, it's working for me. Thanks a lot
Well done! thanks for sharing your success
Good video!
Thank you very much
Hi Bro, I tried these steps to block Snipping Tool, but the Snipping Tool is still working fine; I can't achieve this. I tried to block it via Intune policy, but the Snipping Tool still works fine; I can't achieve this. Kindly provide a solution to block Snipping Tool.
Hi, there are the default rules that could include Snipping Tool, since it is signed by Microsoft, I assume.
I got pretty many comments with some issues, so it could justify a secondary video for AppLocker with Intune.
I got one ready soon in a few hours about Enterprise App new feature in Intune and got Windows 365 planned, but will try to add in an AppLocker when time allows
Thanks for posting this video. Just curious, if I understand correctly Application Control can accomplish the same objective here. I know there are differences where AppLocker may be more suitable depending on org requirements (DLL, drivers). Do you have a preference?
Thanks, and an excellent question. I don't have any experience of my own, because I have only used AppLocker.
Reading about it, it seems they do the same job; however, AppLocker is easier, and with Application Control, if you make mistakes, it can render the device unable to boot.
"AppLocker is much easier and less risky to update than WDAC. AppLocker XML files are simple text files that you can edit manually. WDAC XML files are also text files, but it is not practical to edit them manually. AppLocker uses the Subject Name of a certificate to identify a signed file. It is the same subject name regardless of the certificate used to sign. WDAC uses the thumbprint. The same name might be used in multiple different certificates with different thumbprints. A mistake in an AppLocker policy might cause some processes not to run. A mistake in a WDAC policy might cause Windows not to boot. If it cannot boot, the only solution is to re-image the device. Imagine doing that for 30 or 50,000 devices!"
@IntuneVitaDoctrina Appreciate the feedback. Those are great points around WDAC, I haven't used it myself but am considering it for modern management.
I would like to know how to block specific applications via Microsoft Intune
Hi! :)
That is specified in the XML file.
Got so many questions around AppLocker that I think a second video showing some more configuration and tricks would be good. Will think about it and hope time allows me to do it soon.
Will this work in Windows 10/11 Pro if policies are deployed with Intune? Because it doesn't work in Win 10/11 Pro with GPO.
Intune/AppLocker with MDM configuration policies will work, the video shows it.
Legacy GPO should also work, but it uses a different way.
What is the solution if we need to block multiple exes via Intune / Defender?
Good question, if they are in the same path you can use wildcards; if different paths you will have to do one entry per app.
I attempted to replicate the steps from your video using the Firefox & VLC apps, but it appears to be blocking essential system apps, such as the calculator. Could you consider creating a new, more comprehensive video tutorial on how to use AppLocker?
Hi, you are the second to tell me something similar. For me it works perfectly, I wonder where things can go wrong, it should be the XML file. Could you please email me your XML file to john@bryntze.cloud and I'll look at it, and if that shows something that leads to an error or something I missed in the video I'll be happy to add it.
Can I use this app locker to allow users to run only Notepad where the user is logged in?
I guess that could be possible, but in that case it is maybe better to set up Windows in Kiosk mode and auto-start Notepad.exe
@IntuneVitaDoctrina kiosk mode is device-based, not user-based, and we want to display some background message, which is not possible if Notepad opens directly
Then AppLocker could probably do the job. It is difficult to lock down everything; for example, if you have Notepad you get access to the Open File menu and can browse etc., but you could do an AppLocker config that only allows Notepad.
For fun I asked ChatGPT, but I highly doubt this one would work :)
@IntuneVitaDoctrina thank you. I did that with the help of ChatGPT but it's not working with the user group
Is there a way you can block non-admin users from installing Microsoft Store apps on Windows 10/11 Pro?
That is a really good question. By default no, but you can for example do a Configuration Policy that doesn't allow the users to start the Microsoft Store app at all, a very common solution. Then if it is just some users, you must have an Azure AD group and target your policy to them.
@IntuneVitaDoctrina thank you for your response. I configured a policy from Intune to block Microsoft Store, but I am unable to open other apps like Photos, Camera, etc., which are pre-installed with Windows and can be found in the Microsoft Store as well. Also, I created another policy in Intune to block non-admin users from installing apps from the Microsoft Store, and I noticed that you will be asked for admin credentials only for specific apps.
True, in Intune, even with the Store blocked on clients, you can add them as Intune apps and push them to all you want, or put them in self-service.
Hi
Thanks for the Video.
We tried to block some remote applications with this process, but not only the applications we intended to block were affected: applications like Teams were also blocked, and when we try to install other applications that is also blocked.
Can you please help us with this, how to resolve this issue.
Hi,
Often it is best to set it to Audit mode before enforcing a block, to be sure you get the correct result.
I can for sure help. Could you please tell me more about what you block on? What is the criteria? Is it signature? Path? etc.
Sounds like maybe you blocked the signature of Microsoft, since Teams is getting blocked.
Was it Microsoft software you initially wanted to block?
Also, as I show in the video, did you add in the default three rules to allow Microsoft? Maybe it is only those missing; I show in the video how you add them in with one click.
Yes default rules are added but same issue
One more question: will this work on Windows 11 devices? @IntuneVitaDoctrina
Yes, in the video I use Windows 11 Enterprise, but it works on Pro also.
Hello John,
I am facing the exact same issue.
The targeted app is blocked but at the same time Microsoft teams app gets blocked as well.
Default executable rules are created.
As mentioned in my other comment, I am unable to access the generated XML file as well.
Same issue. Blocked Firefox and it's also blocking Teams. Anyone have a solution?
Is Firefox installed under C:\Program Files\Mozilla etc.?
You'll need a separate Publisher rule for Teams. This won't be captured by the default rules as it's installed in the user's \AppData\Local folder 📁
Hi!
Cool to see new good video again!
I wonder if you know of or have made a script that blocks specific applications, like game apps that students like to install on computer labs? Do you think you can make such a video?
Thanks a lot!
My first IT job, in 1997, was at the largest elementary school in Scandinavia, St Eriksskolan in Stockholm. We ran at that time Windows 3.11, which had no security at all; we installed Windows on C: and redirected ALL temp folders and user profiles to D:, then we had a third-party program that blocked everything on C:... guess what I found on D:? GAMES :) GTA (car game) and stuff :)
So if an organization needs to protect itself from its own users, which sometimes is the case in schools, then AppLocker could be a solution.
I'll think about doing such a video. It would basically be to find the signing certificate of the game makers and block execution of them. Maybe ready-made AppLocker rules to copy for that already exist. I'll think about it, it could be a good video and useful for certain organizations.
Hello Mr., I got a problem after I implemented AppLocker to block Telegram: it also blocks my display settings and Microsoft Store as well 😢. Do you have any solution?
Hi, always best to test on one device first or run on all but in Audit mode to find out these things when it doesn't work as one hoped.
You will need to recreate the XML file and add an allow path for those that are blocked, but by default everything in Program Files should work except those you specify to block; maybe those are outside Program Files.
I just created one more default rule in Packaged app-Execution and now everything is working fine. Thank you.
Excellent, and thanks for sharing the solution: well done.
Now on a real machine it is still blocked 😅
I don't understand: on the testing machine it blocks only the app that I want to block, but when I'm using it with a real machine it blocks Notepad++ and blocks Microsoft Teams T_T. I don't know how to fix it now, could you help me check?
I have tried this and it also blocks MS Teams, and that's not in the value.
There are two versions of Microsoft Teams. Could you please provide me the full path to the MS Teams that gets blocked and I will re-check on my device. Nothing in the XML should block Teams.
@IntuneVitaDoctrina this path, C:\Users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
That is the path to the shortcut in the Start menu. Can you please right-click on that shortcut and choose 'Open file location' to see what that shortcut .lnk file points to?
You'll need a separate Publisher rule for Teams. This won't be captured by the default rules as it's installed in the user's \AppData\Local folder 📁
I've tried this, but get a status of Not Applicable. It is assigned to a group containing the computer account. What is causing this?
Interesting, that means that the policy isn't working for your platform. Here is Microsoft Docs describing this:
"Policy states:
Not Applicable: This policy isn't supported on this platform. For example, iOS/iPadOS policies don't work on Android. Samsung KNOX policies don't work on Windows devices."
learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/troubleshoot-policies-in-microsoft-intune
Are you sure it is a Windows 10 or later Configuration Profile, and the OMA-URI is correct?
@IntuneVitaDoctrina it's Windows 10 or later, the OS it deploys to is Windows 10 Enterprise. The VM is a gallery image and part of an AVD host pool.
Tricky. You don't happen to be co-managed and have Intune linked to SCCM?
The Windows version of the Windows 10 Enterprise shows what version: 10.0.19045.3155?
@IntuneVitaDoctrina It's not co-managed, no SCCM, just a simple environment. Windows 10 Enterprise for Virtual Desktops Version 22H2 (OS Build 19045.3324)
Is this the first Configuration Profile you have, or do you have others that work? And is it only the AppLocker one that gives "Not Applicable"?
I am following the exact same steps, but it blocks all applications on my device. What could be the reason?
Hi Anas, do you have the three default rules that allow Microsoft? Does your rule even block something like notepad.exe right now?
Would love to see your XML file of rules
Hello John,
Appreciate your prompt response.
The policy blocks the targeted application but at the same time it blocks Microsoft teams app as well.
Yes, I do have default executable rules created.
Notepad.exe working fine.
I'm able to export the XML file but unable to access it in the browser.
Error - The XML file doesn't appear to have any style information associated with it.
Might be OK without the XML file; however, I'm extremely interested to know what the targeted application is. If it is another Microsoft software that you try to block, I think I know why Teams is blocked too.
Please just reply briefly with what application you try to block and I think I might have an idea for a fix.
@IntuneVitaDoctrina Really appreciate your swift response sir.
We are trying to block the VNC Connect app. It is a type of remote access application.
the publisher of the VNC connect app doesn't happen to be Microsoft? (shouldn't but since your rule block Teams I have to ask :) )
Hi, my Intune master friend
My Application Identity service is not running on all my PCs; how do I make a config to start the service on all PCs?
Great job you do here for all your Intune friends
Hi Kim, thanks a lot for your support, my Intune friend :)
Good question. There should be a configuration profile to set this; else do a script to make sure the service is started. You can even do it as a Remediation script to ensure no one stops the service.
# Define the service name: AppIDSvc (Application Identity)
$JBNserviceName = "AppIDSvc"
# Set the service to automatic start
Set-Service -Name $JBNserviceName -StartupType Automatic
# Start the service
Start-Service -Name $JBNserviceName
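As an added example (not the channel's own script), the reply above's suggestion of a Remediation script can be carried through as an Intune Remediations pair: a detection script that exits 0 when the Application Identity service is compliant and 1 when it is not, and a remediation script that runs only after a non-compliant result. The registry fallback is an assumption for builds where the service runs protected and Set-Service is refused.

```powershell
# Added example: Intune Remediations pair for AppIDSvc. Save each section below as its own
# .ps1 (detection and remediation) and assign them to run as SYSTEM in 64-bit PowerShell.
# Remediations contract: detection exit 0 = compliant, exit 1 = run the remediation script.

# ---------------- Detect-AppIDSvc.ps1 ----------------
$ServiceName = 'AppIDSvc'
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "$ServiceName not found on this device"
    exit 1
}
# Get-Service alone does not expose the start mode on Windows PowerShell 5.1; use CIM for it.
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").StartMode
if ($svc.Status -eq 'Running' -and $startMode -eq 'Auto') {
    Write-Output "$ServiceName is running and set to Automatic"
    exit 0
}
# Report the actual state; Intune shows this output in the remediation status view.
Write-Output "$ServiceName status=$($svc.Status) startMode=$startMode"
exit 1

# ---------------- Remediate-AppIDSvc.ps1 ----------------
$ServiceName = 'AppIDSvc'
try {
    Set-Service -Name $ServiceName -StartupType Automatic -ErrorAction Stop
}
catch {
    # ASSUMPTION: on builds where AppIDSvc runs as a protected service, the SCM refuses the
    # change; setting Start=2 (Automatic) in the service key takes effect at next boot.
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -Name Start -Value 2
}
Start-Service -Name $ServiceName -ErrorAction Stop
Write-Output "$ServiceName started"
exit 0
```

Because the detection script runs on the schedule you set for the remediation, a user or script that stops the service later is caught on the next run, which is what makes this stronger than a one-off platform script.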
@IntuneVitaDoctrina if there is a Configuration profile, do you know where? I have tried to look for that, but could not find that config profile... 🙂
If you import ADMX files into Intune you can control services, as you have this option in GPO. That is the best way I can think of. I think Intune has a limit of 10 ADMX files to import; I have one for Firefox settings, for example.
That works :-) thanks 🙂 @IntuneVitaDoctrina
Amazing! It worked for me 💯 to block AnyDesk, as a test victim, by the signature. Thank you so much for showing it from all angles: design, where to expect it to appear, which service is responsible for it.
I've read other comments; Calculator still works on my test VM too, so there are no side effects so far.
I wonder if there is a less involved method as my test domain where I start to enforce it seems to have 53 pages and 1100 items of discovered apps - is there a way to go and disable via Intune web interface right from the discovered apps list?
Another aspect: in my XML it is NotConfigured, it's like this in C:\Windows\System32\AppLocker\MDM\133544220480798784\1E581961-5D30-4C8D-AF70-557C99C2E2FE\AppLocker\ApplicationLaunchRestrictions\apps\EXE\, however the enforcement is working and it prevents starting Anydesk.exe.
Thank you again!
Well done! Interesting idea to use discovered apps as the source. I don't think it lists the exe file, more the product name, but if it does, it sounds like MS Graph could help there, still very difficult. For now AppLocker is a bit of a manual process, and maybe that is good, so as not to make errors and lock out too much.