How to implement AppLocker with Microsoft Intune

AppLocker is a tool included in Windows 10 and 11. It lets you set up policies or rules that allow or deny applications from running on your device.

We can create AppLocker rules for the following file types:
  • EXE files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx and .msix
Source: https://learn.microsoft.com/fr-fr/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections

AppLocker offers several ways to secure your device: you can either block or allow applications. By default, it is recommended to allow all applications and then add custom rules for specific applications.

Prerequisites for using AppLocker

  • A device running Windows 10 or 11 on which to prepare the AppLocker rules
  • The Application Identity service enabled

Enable AppLocker

To create an AppLocker policy, log in as an administrator on a Windows 10 or 11 device and follow the steps below:
  • Right-click the Start button and select Run
  • Enter secpol.msc and press Enter
  • Expand Application Control Policies
  • Right-click AppLocker and select Properties
  • Check the Configured box in the Executable rules section and select Enforce rules from the drop-down menu
  • Click Apply and OK

Add AppLocker default rules

Once AppLocker is enabled, we can create the default AppLocker rules. To do this, follow the steps below:
  • Right-click the Start button and select Run
  • Enter secpol.msc and press Enter
  • Expand Application Control Policies
  • Expand AppLocker
  • Right-click Executable Rules and select Create Default Rules
    • This action creates the basic rules needed to keep using your computer

Create AppLocker custom rules

Now we can create a custom rule. To do this, follow the steps below:
  • Right-click the Start button and select Run
  • Enter secpol.msc and press Enter
  • Expand Application Control Policies
  • Expand AppLocker
  • Right-click Executable Rules and select Create New Rule...
  • Click Next
  • Select Deny and click Next
  • Select a condition type; in my case I select Publisher, then click Next
  • Click Browse and select the application to block. Move the slider to File name to block all versions of Chrome, then click Next
  • Click Next
  • Click Create
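The three procedures above (enforce the Executable rules collection, add the default rules, add a Deny rule by Publisher with the slider on File name) can be done with the AppLocker PowerShell module instead of secpol.msc. The script below is an added example, not code from the original post. It assumes it runs elevated on a Windows 10 or 11 device; $BlockedExe is a constructed placeholder path and must be replaced by the signed executable you actually want to block.

```powershell
# Added example (not from the original post): build the EXE rule collection
# described in the post with the AppLocker module. Assumptions: elevated
# session on Windows 10/11; $BlockedExe is a constructed placeholder path.
$BlockedExe = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$OutDir     = Join-Path $env:TEMP 'AppLocker'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Publisher strings can contain characters that must be escaped in XML attributes
function ConvertTo-XmlText([string]$s) { [System.Security.SecurityElement]::Escape($s) }

# 1. Equivalent of "Create Default Rules": path rules that keep the OS usable.
#    An enforced collection without at least one Allow rule blocks every EXE.
$defaultRules = @"
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
"@

# 2. Equivalent of the "Create New Rule" wizard with Deny + Publisher. Read the
#    signature from the binary; keeping publisher, product and file name but
#    opening the version range to * is what the "File name" slider position does.
$info = Get-AppLockerFileInformation -Path $BlockedExe
if (-not $info.Publisher) {
    throw "$BlockedExe is not signed: a Publisher rule cannot be built for it (use a Hash rule instead)."
}
$pub = $info.Publisher
$denyRule = @"
    <FilePublisherRule Id="$(New-Guid)" Name="Deny $(ConvertTo-XmlText $pub.BinaryName) (all versions)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(ConvertTo-XmlText $pub.PublisherName)" ProductName="$(ConvertTo-XmlText $pub.ProductName)" BinaryName="$(ConvertTo-XmlText $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@

# 3. Equivalent of Properties > Executable rules > Configured + Enforce rules:
#    EnforcementMode="Enabled" on the Exe collection.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$defaultRules
$denyRule
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $OutDir 'AppLocker-Exe.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against the file only, before touching the machine: the target must
# come back "Denied" and a system binary "Allowed".
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $BlockedExe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally, merged with whatever secpol.msc already holds. This local
# policy is what "Export Policy" writes out in the next section.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Test-AppLockerPolicy is the cheap safety net here: because Deny rules win over Allow rules and an enforced collection with no Allow rule blocks everything, check the decisions on the XML file before calling Set-AppLockerPolicy.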

Export AppLocker rules

We now export the configuration so that it can be imported into Microsoft Intune.
  • Right-click the Start button and select Run
  • Enter secpol.msc and press Enter
  • Expand Application Control Policies
  • Right-click AppLocker and select Export Policy
  • Save your AppLocker XML configuration file

Deploy AppLocker rules with Microsoft Intune

To deploy the AppLocker rules with Microsoft Intune:
  • Connect to https://endpoint.microsoft.com
  • Go to Devices / Windows / Configuration Profiles
  • Click Create Profile
  • Select:
    • Platform: Windows 10 and later
    • Profile Type: Templates
    • Template name: Custom
  • Complete the Name field and click Next
  • Click Add
  • Complete all fields:
    • Name: choose a name for the OMA-URI setting
    • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
    • Data type: String
    • Value: copy and paste the content of the XML file from the opening <RuleCollection Type="Exe" ...> tag to the closing </RuleCollection> tag
  • If necessary, create the other AppLocker policies with the corresponding OMA-URI:
    • MSI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy
    • Script: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy
    • DLL: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy
    • Appx: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy
  • Click Save and then Next
  • Scope tags: click Next
  • Assignments: select groups, All devices or All users, then click Next
  • Applicability Rules: click Next
  • Review + create: click Create
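The export and the copy-and-paste of each RuleCollection element into an OMA-URI Value are easy to get wrong by hand (pasting the whole AppLockerPolicy wrapper, or pasting an enforced collection that has no Allow rule). The script below is an added example, not code from the original post: it exports the local policy as the Export Policy step does, then writes one file per rule collection containing exactly the string to paste, next to the OMA-URI from the list above. It assumes the "apps" grouping segment used in the post; the output folder is a constructed placeholder.

```powershell
# Added example (not from the original post): export the local AppLocker policy
# and cut it into the per-collection Values expected by the Intune custom profile.
# Assumptions: "apps" grouping as in the post's OMA-URIs; $OutDir is a placeholder.
$OutDir = Join-Path $env:TEMP 'AppLocker'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$exportPath = Join-Path $OutDir 'AppLocker-export.xml'

# Same result as secpol.msc > AppLocker > Export Policy
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $exportPath -Encoding UTF8

# RuleCollection Type attribute -> OMA-URI node of the AppLocker CSP
$omaUri = @{
    Exe    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy'
    Msi    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy'
    Script = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy'
    Dll    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy'
    Appx   = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy'
}

[xml]$policy = Get-Content -Path $exportPath -Raw
$rows = foreach ($rc in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
    $type = $rc.GetAttribute('Type')
    $mode = $rc.GetAttribute('EnforcementMode')

    # Collections that were never configured carry nothing worth deploying
    if ($mode -eq 'NotConfigured' -and $rc.ChildNodes.Count -eq 0) { continue }
    if (-not $omaUri.ContainsKey($type)) {
        Write-Warning "No OMA-URI mapping for collection '$type', skipped"
        continue
    }

    # Guard against the classic AppLocker outage: an enforced collection with only
    # Deny rules (or no rules at all) blocks every file of that type on the device.
    $allowCount = $rc.SelectNodes('*[@Action="Allow"]').Count
    if ($mode -eq 'Enabled' -and $allowCount -eq 0) {
        Write-Warning "Collection '$type' is enforced but has no Allow rule; deploying it would block all $type files. Add the default rules first."
    }

    # The Value is the <RuleCollection> element itself, not the <AppLockerPolicy> wrapper
    $valuePath = Join-Path $OutDir "OMA-URI-$type.txt"
    Set-Content -Path $valuePath -Value $rc.OuterXml -Encoding UTF8

    [pscustomobject]@{
        Name       = "AppLocker $type policy"
        OmaUri     = $omaUri[$type]
        DataType   = 'String'
        Mode       = $mode
        Rules      = $rc.ChildNodes.Count
        AllowRules = $allowCount
        ValueFile  = $valuePath
    }
}
$rows | Format-Table -AutoSize
```

Each row of the table maps one-to-one onto one Add entry in the Intune custom profile: Name, OMA-URI, Data type String, and the content of ValueFile as the Value.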

Verification

In the management console

  • Go to Devices / Windows / Configuration Profiles and select your AppLocker configuration profile
  • Click View report

On the client computer

Launch the EXE application. If AppLocker is correctly configured on the computer, you should see the screen below:

Additional information: once the configuration profile has been applied, the policy files can be found in the folder:
  • C:\Windows\System32\AppLocker
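Beyond launching the application and looking at the dialog, the same verification can be scripted on the client, which also covers the Application Identity service prerequisite listed at the top of the post. The script below is an added example, not code from the original post; it assumes an elevated session on the managed device, and $BlockedExe is a constructed placeholder path.

```powershell
# Added example (not from the original post): client-side checks after the Intune
# profile has been applied. Assumptions: elevated session on the managed device;
# $BlockedExe is a constructed placeholder path.
$BlockedExe = 'C:\Program Files\Google\Chrome\Application\chrome.exe'

# 1. Prerequisite: the Application Identity service (AppIDSvc) must run for
#    AppLocker to enforce anything. Since Windows 10 1803 it is a protected
#    service, so its startup type is changed with sc.exe rather than Set-Service.
$svc = Get-Service -Name AppIDSvc
if ($svc.StartType -ne 'Automatic') { sc.exe config appidsvc start= auto | Out-Null }
if ($svc.Status -ne 'Running')      { Start-Service -Name AppIDSvc }
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# 2. Did the profile land? The CSP writes the policy files under this folder.
Get-ChildItem -Path "$env:WINDIR\System32\AppLocker" -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# 3. Effective policy (local and MDM merged) and the decision it takes for the target.
$effective = Join-Path $env:TEMP 'AppLocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effective -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effective -Path $BlockedExe -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Evidence from the AppLocker "EXE and DLL" event log: 8004 = blocked,
#    8003 = audit only (would have been blocked), 8002 = allowed.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'User';    e = { $_.UserId } },
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Step 4 is also the signal to forward to your SIEM: the 8004 events in that log are the record of every blocked launch, and the 8003 events are what to watch while a collection is still in Audit only mode before switching it to Enforce rules.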