How to implement AppLocker with the Intune

AppLocker it's a technology or whitelisting technology that allows to restricting  the applications that users can execute. 

It's not the best solution but it's a good solution to Manage access in the Applications.

Unfortunately Applocker it's not supported for all Windows Versions and you can't do anything for the Devices that are out of your Local Network. 

Intune comes to fill the gap and give a solution with the Applocker CSP which supported almost by all Windows Versions and control access in Applications for the Devices outside of your Local Network.

Remote work will be permanent and IT Pro must be ready to manage Personal or Company devices in the same Level if will be located in Office or Home.

For this reason today i will explain how can implement AppLocker in the Intune.

 

How to create AppLocker Policy

Before proceed in this article must be already has create and test AppLocker Policy in your environment.

It's prerequisites to read the article How to install and configure Applocker to improve Application Control & Security in order to create the Applocker Policy before export in an XML file.

However in the link you can find in which Windows Version Applocket CSP supported

Configuration service provider reference

 

 

How to export Applocker Rules from the GPO

After you have create the AppLocker Policy in your environment the next step is to export the Applocker Policy from Group Policy Management Console to get the XML file that you will need later on in Intune..

  • Login in the Domain Controller and Edit the AppLocker Policy
  • Right click in the AppLocker and select Export Policy

 

  • Save the xml file.

How to split the XML File to use in Intune

Intune use xml to identify AppLocker Policies.

But you can't copy and paste all the lines of the XML file because will not be accepted.

Instead you should copy the lines from  <RuleCollection ...> to   </RuleCollection> for every Policy as you can see below.

For example here you must copy all these lines between arrows that related with the EXE Policy as you can see in Type="Exe"

Copy and Paste and the other lines base on the Type between <RuleCollection ...> to   </RuleCollection>

 

Understanding Applocker CSP

In order to understand what is Applocker CSP let's first explain as simple can be what is CSP and how Intune send the Applocker Policies in the Windows Devices.

CSP (Configuration Service Provider) is an interface that used by MDM Providers to read, set, modify, or delete configuration settings on the devices.

The OMA-URI is a string that represent a custom configuration for the Windows 10 Device.  The syntax of the OMA-URI is determine by the CSP on the client.

Microsoft use the Applocker CSP in Intune to allow or deny applications in the Devices which manage by Intune. Applocker CSP in the Intune use the OMA-URI to represent the Applocker Policy 

For example in Intune when you create the Configuration Profile with the Applocker Policy the Intune send it to the Assign devices. When the OMA-URI reach the Device the CSP read them and configure accordingly.

Below you can see a detail image from Microsoft which represent how OMA-URI and CSP works to apply a configuration in the device

 

If you are interesting to deep into CSP , OMA-URI and Applocker CSP you can find more details here

Support tip - Deploy OMA-URIs to target a CSP through Intune, and a comparison to on-premises

AppLocker CSP

 

Which Windows OS support AppLocker CSP?

Base on Microsoft AppLocker CSP supported by almost all Windows 10 Versions as you can see here.

For more details you can read in Configuration service provider reference

 

 

How to import AppLocker Rules to Intune

Now that you have the XML file it's time to proceed and create the Configuration Profile for the AppLocker Policy

  • Login in the Microsoft 365 Tenant and open the Intune.
  • From the right side select Devices - - Configuration Profiles - - Create Profile

 

  • Select
    • Platform : Windows 10 and Later
    •  Profile Type : Templates
    • Template: Custom
  • Click Create

 

  • Type the Name of the Profile like AppLocker_Policy and click Next

 

  • In the OMA-URI Settings click Add

 

  • Here must be create the Policies 
  • Type a name that represent the Policy like EXE. So you will know that this is for the Exe files in the Applocker Profile.
  • In the OMA-URI type the following:
    • ./Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
  • In the Data type change it to String and copy/paste the appropriate lines in the Value only for the EXE. Read the How to split the XML File to use in Intune
  • Click Save

 

  • Follow the above steps to create the rest of the policies included the right OMA-URI  
    • MSI - ./Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy
    • Script - ./Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/Script /Policy
    • DLL - ./Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy
    • Appx - ./Vendor/MSFT/AppLocker/AppLocker/ApplicationLaunchRestrictions/apps/Appx /Policy
  • At the end you must have the Policies as follow
  • Click Review + Save and Save it.

 

  • Click Add Groups and select the Group with the Computers that you want to apply the AppLocker Policy. Click next.

 

  • In the Applicability Rules don't change anything just click Next.

 

  • Click Create

 

 

How to test the the Applocker Policy applied

After complete all the above steps then we must verify that the Applocker Policy applied in the PC.

  • Login in the PC which added in Intune.
  • Then try to open the application that you have Deny.
  • If it's in Audit Mode then open the Eveent Viewer. Expand Application and Services Logs\Microsoft\Applocker.
  • Click on EXE and DLL.
  • Verify that the Event Logs 8002  for the Application in Default Rules exist and 8006 for the applications that you have Deny.

 

 

Disqus Comments