How to Implement Applocker using Intune

Applocker is a set of policies / rules to allow or deny apps from running on your windows device. Applocker helps to improve the overall security of all your devices in your organization by controlling the execution of applications, scripts, dll files, packages apps etc.

What are the requirements for Applocker

  • If you are using Intune Applocker CSP policies to manage and deploy Applocker, then any edition of Windows 10 and Windows 11 is supported.
  • If you are using Active Directory Group Policy to manage and deploy Applocker, then devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016 are supported.
  • The Application Identity service should not be disabled, because it determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. If the Application Identity service is set to Manual (Trigger Start), which is its default startup type, it will still work fine; there is no need to keep the service always running and no need to deploy a PowerShell script to change it to Automatic and Running.

You can create Applocker rules for below file types:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx and .msix.

Applocker Tips

When you create an Applocker policy, you have the option to create either an Allow rule or a Deny rule. If there are no rules created for a specific rule collection, then all files with that file type are allowed to run. For example, if you have not created any rules under the Executable files rule collection, then all .exe and .com files will be allowed to run.

Once you start creating rules in a rule collection (either allow or deny rules), only files which are explicitly allowed are permitted to run. For example, if you create a rule under Executable Files that allows all files under the C:\Program Files\* folder, then all .exe and .com files under the Program Files location will be permitted to run and all .exe and .com files outside the Program Files folder will be blocked with the message "This app has been blocked by your system administrator". You can then create rules specific to a file and choose to either allow or deny its execution.

Please note that you can create both allow and deny rules. Deny actions override allow actions in all cases. Microsoft's recommendation is to use allow actions with exceptions. However, you can have both allow and deny rules as per your organization's requirements.

How to create an Applocker Policy

To create an Applocker policy, you need to log in as an administrator on any Windows 10 or Windows 11 device and follow the steps below:

Enable Applocker Rule Enforcement

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Right-click AppLocker and click on Properties.
  • Under the Enforcement tab, select the checkbox for Executable rules and select Enforce rules. This will enforce Executable Rules when the policy is applied. Instead of Enforce rules, you can also select the Audit only option. Audit only will not enforce the rules; it only generates audit events in the Event Log when a user performs an action which matches the Applocker rules.

If you are creating any other type of rules under Windows Installer Rules, Script Rules or Packaged app Rules which you want to enforce on the target device, then check the box next to the corresponding option. For now, I have created rules under Executable rules only, therefore I have only checked and selected Enforce rules under the Executable rules option.

Create Applocker Policy Rules

Once you have configured Applocker rule enforcement, you can create the rules as per your requirement. There are two types of rules you can create, Allow and Deny. You should start by creating the default rules first, which whitelist the Program Files and Windows folders.

Program Files contains all your installed applications and the Windows folder contains operating system files. Therefore, it's recommended to whitelist / allow both these locations. To create the default rules:

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right-click on Executable Rules and click on Create Default Rules.

The following default rules will be created under Executable Rules:

Everyone will be able to execute Files from:

  • C:\Program Files folder.
  • C:\Windows Folder.
  • Administrators have no restrictions; they can execute and run files from anywhere.

Create the default rules corresponding to each Applocker rule collection by right-clicking on Windows Installer Rules, Script Rules and Packaged app Rules and clicking Create Default Rules.

These default rules can be modified as per your requirement. For example, you can also allow the C:\Program Files (x86) folder by creating an allow rule. You can also deny execution of certain programs by creating a Deny rule.

How to create Applocker Deny rule for an application

As we want to block executable (.exe) files by creating a deny rule, we will be creating all the rules under the Executable Rules rule collection. Let's create a deny rule to block the Google Chrome application.

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right-click on Executable Rules and click on Create New Rule.

Click on Next if you see the Before You Begin screen. On the Permissions screen, select the Deny action.

Select Publisher.

To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate.


Click on Browse and browse to the Google Chrome application. Google Chrome is installed at the C:\Program Files\Google\Chrome\Application location. Select the chrome.exe file. Note the slider and move it up one level to generalize the File version.

If you keep the slider down, then the rule will be created for the selected chrome.exe file version only. For example, if the chrome.exe you selected is version 16.0.342, then the next time the application is updated, for example to version 17.0, this rule will not work unless you update the Applocker rule.

Therefore, if you want to create a rule which works irrespective of the Google Chrome version, move this slider up a bit. File version will show as *, which means that the rule is valid for all application versions. The same applies when creating a rule for other applications as well.

On the Exceptions window, select Next as we do not want to add any exceptions to this rule.

You can change the Name of the Applocker rule to a simpler name. For example, I have provided the Name and Description below.

  • Name: Block CHROME.EXE.
  • Description: This Deny Rule will Block Execution of Google Chrome Program on the Devices.

Once the rule is created, you should be able to find it under the Executable Rules rule collection. As you can see in the screenshot below, there is the Deny rule we created for blocking the Google Chrome application.
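Before exporting, you can ask AppLocker what the local policy would decide for a few files using the built-in Test-AppLockerPolicy cmdlet. This is an added example, not part of the original post; the tool.exe path is a placeholder.

```powershell
# Added example (not from the original post): evaluate the local AppLocker policy
# (the rules just created in secpol.msc) against a few files before exporting it.
$policy = Get-AppLockerPolicy -Local

$samples = @(
    'C:\Program Files\Google\Chrome\Application\chrome.exe'   # publisher deny rule should match
    'C:\Windows\System32\notepad.exe'                          # covered by the default Windows folder allow rule
    "$env:USERPROFILE\Downloads\tool.exe"                      # placeholder: an .exe outside the allowed folders
)

foreach ($path in $samples) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Not found, skipping: $path"
        continue
    }
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $path -User Everyone
    # PolicyDecision is Allowed or Denied when a rule matches. DeniedByDefault means the
    # Exe collection has rules but none covers this file, which is the
    # "blocked by your system administrator" case for files outside Program Files.
    '{0,-16} {1}' -f $decision.PolicyDecision, $decision.FilePath
    if ($decision.MatchingRule) {
        "                 matched rule: $($decision.MatchingRule)"
    }
}
```

Run it on the same test device where the rules were created; on an end-user device after deployment, swap Get-AppLockerPolicy -Local for Get-AppLockerPolicy -Effective to test the rules Intune delivered.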

How to Export Applocker Policy

We have created all the rules we need in our Applocker policy. We can now export the policy to an XML file.

To export the Applocker policy, follow the steps below:

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Right-click on AppLocker and select Export Policy.
  • Provide the file name and location where you want to save this XML file.


We have exported the Applocker rules to an XML file, which we will use to deploy the rules to end-user devices. This XML file contains all the rules from each rule collection. The XML file contains a RuleCollection tag which defines the rules for a particular rule collection. Therefore, copy the rules from the <RuleCollection> to the </RuleCollection> tag for each rule collection.

<RuleCollection Type="Exe" EnforcementMode="Enabled">

…………………………………………

…………………………………………

</RuleCollection>

Copy the highlighted section from the Applocker policy XML file into a separate Notepad window. This is the RuleCollection for EXE files. Similarly, if you have Applocker rules created under other rule collections, you can split the rules into multiple files. These files will be used for deployment of the Applocker rules to end-user devices.
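The copy-and-paste step can be scripted. The following added example (not from the original post) reads the exported policy, writes each non-empty RuleCollection to its own file and prints the matching OMA-URI; the C:\Temp paths are placeholders.

```powershell
# Added example (not from the original post): split an exported AppLocker policy into
# one file per RuleCollection, ready to paste into the Intune OMA-URI value field.
$exportPath = 'C:\Temp\AppLockerPolicy.xml'   # placeholder: the file saved via Export Policy
$outDir     = 'C:\Temp\AppLockerSplit'        # placeholder: where the per-collection files go
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

[xml]$policy = Get-Content -Path $exportPath -Raw

# RuleCollection Type attribute -> last path segment of the AppLocker CSP OMA-URI
$omaSegment = @{
    'Exe'    = 'EXE'
    'Msi'    = 'MSI'
    'Script' = 'Script'
    'Appx'   = 'StoreApps'
    'Dll'    = 'DLL'
}

foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $type = $collection.Type
    # A collection with no rules allows everything of that type, so there is nothing to deploy
    if (-not $collection.HasChildNodes) {
        Write-Warning "RuleCollection '$type' has no rules; skipping."
        continue
    }
    $file = Join-Path -Path $outDir -ChildPath "$type.xml"
    # OuterXml is exactly the <RuleCollection ...> ... </RuleCollection> fragment to paste
    Set-Content -Path $file -Value $collection.OuterXml -Encoding UTF8

    $uri = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/$($omaSegment[$type])/Policy"
    "{0,-7} {1,3} rule(s) -> {2}`n        OMA-URI: {3}" -f $type, $collection.ChildNodes.Count, $file, $uri
}
```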

How to Deploy Applocker rules using Intune

Once we have divided our XML file into multiple files, one per rule collection, we can create a device configuration profile to deploy these rules to target devices. Follow the steps below to create a device configuration profile in Intune.

  • Log in to the Microsoft Endpoint Manager admin center.
  • Click on Devices.
  • Click on Configuration Profiles.
  • Click on +Create Profile.
  • Select Platform: Windows 10 and later.
  • Profile type: Templates.
  • Template Name: Custom.

Basics Tab

  • Name: Applocker Policy
  • Description: This is a Device Configuration Profile to Implement applocker rules on all organization devices.

Configuration Tab

Click on Add to add an OMA-URI setting.

You can find more information about the Applocker CSP at https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp.

  • Name: EXE Rule Collection
  • Description: Executable Rules
  • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/EXE/Policy
  • Data type: String
  • Value: Paste the RuleCollection corresponding to the EXE rule collection copied from the exported XML file.

If you have created rules under the Windows Installer Rules, Script Rules, Packaged app Rules or DLL rule collections as well, then you can copy those rules from the exported XML file and paste them into the value text box of a separate OMA-URI setting by clicking the Add button.

OMA-URI for each Rule Collection:

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/MSI/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/Script/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/StoreApps/Policy
  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/DLL/Policy

Similar to the EXE Rule Collection, you can click on the Add button to add an OMA-URI setting for the other rule collections. If you only have rules under Executable Rules, then you can skip this step.

Assignments Tab

You can target all users or all devices, or you can create an Azure AD security group which contains users or devices and use it to deploy this configuration profile. If you deploy this configuration profile to users, then it will be applied on all the managed devices the user signs in to.

If you deploy this configuration to devices, then it will be applied to all users who sign in to that device. So you can plan your deployment accordingly. I will be deploying the Applocker rules to all devices.

Review + Create

Review the device configuration profile and click on Create to create and deploy the Applocker rules to the end users / devices.

End User Experience

After you have created this policy and assigned it to the target devices, it will take some time to take effect. You can also force an Intune policy refresh or restart your PC once to speed up the Intune policy refresh / sync process.

The Applocker policy we deployed blocks the execution of the Google Chrome application from anywhere on the device. Let's check an end-user device and try to launch Google Chrome. As soon as you double-click on Google Chrome, you will get the error message "This app has been blocked by your system administrator. Contact your system administrator for more info."

You can click on Close or click on Copy to clipboard. Even if you move the Google Chrome exe to some other folder, it will still be denied / blocked from execution. Also, even if the application is upgraded to a different version in future, it will still be denied / blocked, as we generalized the File version at the time of creating the Deny rule in the Applocker policy.

Applocker Event ID 8004

You can find Applocker-related events in Windows Event Viewer. Follow the steps below to find the Applocker folder in Event Viewer.

  • Go to Start -> search for Event Viewer and click on it to launch the Event Viewer MMC.
  • Expand Applications and Services Logs -> Microsoft -> Windows.
  • Find the AppLocker folder.
  • Click on EXE and DLL for EXE and DLL related events.
  • You will find that Event ID 8004 is generated when an application is prevented from running. This confirms that the policy we applied from Intune is working fine.
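Reading the same log with Get-WinEvent gives a quick per-file summary of what AppLocker stopped on a device. This is an added example, not from the original post; 8004 is the block event the post describes, and 8003 is AppLocker's standard "would have been blocked" event written in Audit only mode.

```powershell
# Added example (not from the original post): summarise AppLocker block (8004) and
# audit (8003) events from the EXE and DLL log for the last 7 days.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003, 8004
    StartTime = (Get-Date).AddDays(-7)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No AppLocker block or audit events in the last 7 days.'
    return
}

$rows = foreach ($e in $events) {
    # The event XML carries the file path, the user SID and the name of the matching rule
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    $mode = if ($e.Id -eq 8004) { 'Blocked' } else { 'Audit' }
    [pscustomobject]@{
        Time = $e.TimeCreated
        Mode = $mode
        File = $d.FilePath
        User = $d.TargetUser
        Rule = $d.RuleName
    }
}

$rows |
    Group-Object -Property File, Mode |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count,
        @{ n = 'Mode';     e = { $_.Group[0].Mode } },
        @{ n = 'File';     e = { $_.Group[0].File } },
        @{ n = 'Rule';     e = { $_.Group[0].Rule } },
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Audit only rows (8003) are the ones to review before switching a collection to Enforce rules, since each is an application users are running that the policy would block.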

Applocker Rules Storage Location on End User Device

We have created an Applocker policy and deployed it using Intune to the target devices. Applocker rules deployed using Intune are cached at the C:\Windows\System32\AppLocker\MDM location.

The Applocker policy which we deployed to the target device using Intune was located at C:\Windows\System32\AppLocker\MDM\133059143793535136\95A24146-BB1B-41EA-8315-D7AC88A87976\AppLocker\ApplicationLaunchRestrictions\apprulset0001\EXE.

Some unique values in the path will be different in your case, but you can start at the C:\Windows\System32\AppLocker\MDM location and traverse the folders to find your Applocker policy. There is a Policy file which you can open with Notepad. The Policy file contains the RuleCollection XML for the EXE rules which we deployed via Intune.

How to Delete Applocker Policy

After you have exported the Applocker rules to an XML file, you do not need the rules to be in place on the test device from which you exported the file. So it's safe to delete all the rules. In case you need the rules back, you can simply import the XML file.

  • Click on Start -> Type Run -> Type secpol.msc.
  • Expand Application Control Policies.
  • Right-click on AppLocker and select Clear Policy.

After you click on Clear Policy, a warning pop-up will ask whether you want to delete all the rules created on your device: "Clearing the policy returns all Applocker settings to not configured and deletes all existing rules. Do you want to Continue?" Click on Yes to clear all the rules.

Where Applocker rules are stored in registry

If you have created Applocker policy rules using Local Group Policy (gpedit.msc) or Local Security Policy (secpol.msc), you can find the Applocker rules under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2 and HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\SrpV2 on the end-user device.

Below is a screenshot from HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\SrpV2 registry location.

If you have deployed the Applocker rules using Intune, you can find the policy rules at the C:\Windows\System32\AppLocker\MDM location instead.

Conclusion

In this blog post, we have seen the step-by-step implementation of Applocker using Intune. Having Applocker in place improves the overall security of the device by blocking execution of programs which are not in trusted locations such as the Program Files or Windows folders. You can tweak the Applocker rules as per your requirements and create a policy, test it on a device first and then export it to an XML file.

Further Information

For further information on Applocker you can refer to this Microsoft Docs link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview
