Return to site
Return to site

Applocker Windows 10 Pro

broken image


  1. Applocker Windows 10 Pro
  2. Apps Locker

Import the AppLocker PoSh module with the below command: import-module AppLocker. And execute the Set-App Locker Policy command to clean everything up. Set-AppLockerPolicy -XMLPolicy. Reboot the machine. Afterwards let's say in 90% of the scenarios the machine will work as before AppLocker was enabled. Version Windows 10 Can be configured Yes Can be enforced Yes Available rules Packaged apps, Executable, Windows Installer, Script, DLL Notes You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. On a Windows 10 computer running the Enterprise version start Group Policy Editor by typing Edit Group Policy in the search Taskbar. Under Computer Configuration Windows Settings Security Settings Application Control Policies Applocker right-click and select Properties and enable Packaged app Rules and select Enforce rules. BitLocker is an encryption feature built into computers running Windows 10 Pro—if you're running Windows 10 Home you will not be able to use BitLocker. BitLocker creates a secure environment for your data while requiring zero extra effort on your part. In fact, once it's setup, you might even forget that it's there and working!

In this post I will give you a quick overview about cloud configuration of AppLocker using Intune and MDATP.

AppLocker has been with us for quite some time now reaching back all the way to good old Windows 7. Although it is not the best solution from a technical point of view (there's Windows Defender Application Control including TPM-enforced policy signing) it is still a good way to build a quick solution to stop users from installing software or executing unwanted applications. It is one of my recommendations for a secure Windows 10 baseline.

Applocker windows 10 professional

In this post I assume that you are already some kind of familiar with AppLocker. I will focus on how you can shift it to Intune for deployment and Microsoft Defender ATP's Advanced Hunting capabilities for monitoring and policy refinement.

Configuration in Intune

First export your AppLocker configuration from either the Group Policy Management Console in Active Directory or from your local GPEdit Console. Even in a cloud-only scenario with Azure AD joined clients you can still use the latter to build the policy. It will look something like this:

Now we need to jump over to the Intune console to create a new Windows 10 configuration profile using the 'Custom' profile type:

For each of the five different rule collections a distinct entry must be added. These are the OMA-URIs you have to use:

  • AppLocker EXE:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy
  • AppLocker MSI:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/MSI/Policy
  • AppLocker Script:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/Script/Policy
  • AppLocker Appx:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy
  • AppLocker DLL:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/DLL/Policy

Find out more in the official AppLocker CSP documentation:
https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

Data type has to be set to 'String', Value equals each section from the AppLocker xml. Here's an example for the EXE rule collection:

The Value text field must contain each rule collection xml section including and as marked here in Notepad++:

Once you have added all rule collection types it will look something like this:

Don't forget to assign the profile to all users and/or devices you want to target. Although it might seem obvious please remember that deploying any kind of application control in enforced mode could break things without testing it first. So you might want to use AppLocker in audit mode first.

Monitor AppLocker events in MDATP

Now we head over to the Microsoft Defender Security Center selecting the Advanced hunting sub-menu. There we add the following query:

MiscEvents
| where EventTime > ago(14d) and
ActionType startswith 'AppControl'
| order by EventTime desc

Just paste it to the query text field:

You can modify the query at any time, e.g. by changing the EventTime filter to cover more days in the past. Once you run the query you get all files that are recognized by AppLocker (or Defender Application Control):

Applocker Windows 10 Pro

Depending on how you use AppLocker you can extract information about either paths, file names, signature, or file hashes to enhance your policy which you would then edit in either GPMC or GPEdit. Then you can continue by exporting it as xml and pasting each rule collection into the Intune profile again.

Thanks for reading!

Apps Locker

Chris





broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save