How to Implement Applocker using Intune

Applocker comprises policies and rules designed to allow or deny app execution on Windows devices. It plays a vital role in increasing the security of all devices within your organization by controlling the execution of applications, scripts, DLL files, and packaged apps.

Requirements to use Applocker

  • A device with Windows 10 or Windows 11 OS to prepare for Applocker rules.
  • Application Identity service enabled.

You can create Applocker rules for the following file types:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx and .msix.

Step 1 – Create an Applocker Policy

To create an Applocker policy, you must log in as an administrator on a Windows 10 or Windows 11 device and follow these steps:

Enable Applocker

  • Press Windows + R to open the Run Dialog box.
  • Type secpol.msc and Press Enter.
  • Expand Application Control Policies.
  • Right-click AppLocker and select Properties.
  • Check the Configured box under the Executable rules section and select Enforce rules from the drop-down menu.
  • Click on OK.

Step 2 – Add Applocker default rules

After enabling Applocker, you can create the default Applocker rules. Follow the steps below:

  • Press Windows + R to open Run Dialog box.
  • Type secpol.msc and Press Enter
  • Expand Application Control Policies
  • Expand AppLocker
  • Right-click on Executable Rules and click on Create Default Rules.

The default rules ensure that executables under the C:\Program Files and C:\Windows folders are not blocked. These folders contain the applications installed on the device and the OS files.

A third default Allow rule is also created for Administrators. Under this default rule, administrators can execute all files from any location, so the policy does not restrict them.

Step 3 – Create Applocker Custom Rules

We can now create custom Applocker rules to prevent specific applications from executing on the device. I will use the Google Chrome application as an example in the following steps.

  • Press Windows + R to open Run Dialog box.
  • Type secpol.msc and Press Enter
  • Expand Application Control Policies
  • Expand AppLocker
  • Right-click on Executable Rules and click on Create New Rule.
  • Click Next.
  • Select Deny and click on Next.
  • Select Publisher and click on Next.
  • Click on Browse and select the application, for example Google Chrome. It is usually installed at C:\Program Files\Google\Chrome\Application. Select the chrome.exe file.
  • Move the slider up to block all versions of this EXE and click Next.
  • On the Exceptions page, click Next.
  • Provide a Name and Description to identify this rule on the Applocker rules page.
  • The Applocker rule has now been created to deny the Google Chrome app.

Step 4 – Export Applocker Rules

Now we can export the rules from Applocker. Follow the steps below to export the rules:

  • Press Windows + R to open Run Dialog box.
  • Type secpol.msc and Press Enter
  • Expand Application Control Policies
  • Right-click on AppLocker and select Export Policy.
  • Save the Applocker XML configuration file.

Step 5 – Deploy Applocker rules using Intune

Follow the steps below to deploy the Applocker rules exported in the previous step:

  • Sign in to the Intune admin center.
  • Click on Devices > Windows > Configuration Profiles.
  • Click on Create > New Policy.
  • Select:
    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template Name: Custom
  • Provide a Name and Description, and click on Next.
  • Click on Add and add the OMA-URI setting:
    • Name: EXE Rule Collection (You can provide whatever name you like)
    • Description: Executable Rules
    • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
    • Data type: String
    • Value: Copy and paste the XML file content from the <RuleCollection Type=...> opening tag through the matching </RuleCollection> closing tag (the complete RuleCollection element for the EXE rules).
  • You can also create other Applocker policies (MSI, script, Store app, and DLL rules) and deploy them using Intune with the OMA-URI settings below:
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy
  • Click on Save and Next.
  • Scope tags: click Next.
  • Assignments: select an Entra security group containing the devices. You can also click on Add all devices or All users. Click Next.
  • Applicability Rules: click Next
  • Review and Create, click Create
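The value pasted into each OMA-URI setting is one complete RuleCollection element from the exported XML. The PowerShell script below is an added example (not from the original post) that parses an exported AppLocker policy, maps each RuleCollection Type to the matching OMA-URI from the steps above, and emits the exact string to paste; the embedded policy is a constructed sample with placeholder publisher values and GUIDs, and the file path in the comment is an assumption.

```powershell
# Added example: split an exported AppLocker policy into one value per Intune OMA-URI.
# $xmlText is a constructed sample; normally read the file saved in Step 4 instead:
#   $xmlText = Get-Content -Raw 'C:\Temp\AppLockerPolicy.xml'   # assumed path
$xmlText = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="(Default Rule) All files located in the Program Files folder"
                  Description="Constructed default allow rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="22222222-2222-2222-2222-222222222222" Name="Deny Google Chrome"
                       Description="Constructed deny rule" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE PUBLISHER, L=CITY, S=STATE, C=US"
                                ProductName="EXAMPLE PRODUCT" BinaryName="CHROME.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

# RuleCollection Type attribute -> AppLocker CSP node listed in Step 5.
$omaUriByType = @{
    'Exe'    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy'
    'Msi'    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy'
    'Script' = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy'
    'Appx'   = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy'
    'Dll'    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy'
}

[xml]$policy = $xmlText
foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
    $type = $collection.Type
    if (-not $omaUriByType.ContainsKey($type)) { Write-Warning "Unknown collection type '$type'"; continue }
    $rules = @($collection.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })
    # A collection exported as NotConfigured or AuditOnly blocks nothing once deployed,
    # which is the usual reason a pushed policy appears to "do nothing" on the device.
    if ($collection.EnforcementMode -ne 'Enabled' -or $rules.Count -eq 0) {
        Write-Warning "$type collection is $($collection.EnforcementMode) with $($rules.Count) rule(s)"
    }
    [pscustomobject]@{
        OmaUri    = $omaUriByType[$type]
        Enforce   = $collection.EnforcementMode
        DenyRules = @($rules | Where-Object { $_.Action -eq 'Deny' }).Count
        Value     = $collection.OuterXml   # exactly the <RuleCollection ...>...</RuleCollection> span
    }
}
```

Pipe the output to Format-List to read the Value field in full before pasting it into the Intune setting.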

End-user Experience

When you launch an EXE app blocked by the Applocker rule, you should see the message below:

This app has been blocked by your system administrator

More Information

Applocker Event ID 8004

You can locate AppLocker-related events in the Event Viewer by following the below steps:

  • Go to Start > Search for Event Viewer.
  • Expand Applications and Services Logs > Microsoft > Windows.
  • Find the AppLocker folder.
  • Click on EXE and DLL.
  • You will find that Event ID 8004 is generated when an application is prevented from running. This confirms that the policy we applied from Intune is working fine.
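To check the same evidence across a fleet without clicking through Event Viewer, the PowerShell script below is an added example (not from the original post) that reads Event ID 8004 from the "EXE and DLL" log and summarizes which files were blocked, by which rule, for which users. It assumes it runs elevated on a device that received the Intune policy, and the field names read from the event's UserData (TargetUser, FilePath, RuleName, FileHash) are taken from the 8004 event schema as I know it.

```powershell
# Added example: summarize AppLocker EXE/DLL blocks (Event ID 8004) from the local event log.
param([int]$Days = 7)   # look-back window; assumed default

$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004                              # "was prevented from running" (Enforce rules)
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Host "No Event ID 8004 entries in the last $Days day(s)"; return }

$events | ForEach-Object {
    # The block details live in UserData/RuleAndFileData, not in the rendered message text.
    $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $_.TimeCreated
        User     = $data.TargetUser   # SID of the user who tried to launch the file
        FilePath = $data.FilePath     # path as AppLocker logs it (environment-variable form)
        Rule     = $data.RuleName     # the Name given to the rule in Step 3
        Hash     = $data.FileHash
    }
} | Group-Object FilePath | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Blocks   = $_.Count
        FilePath = $_.Name
        Rules    = ($_.Group.Rule | Sort-Object -Unique) -join '; '
        Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
} | Format-Table -AutoSize
```

A file that shows up here with a rule name you do not recognize usually means a default rule or a rule from another collection fired, which is worth checking before assuming the Intune policy itself is at fault.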

Applocker Rules Storage Location on End User Device

You can locate the Applocker rules on the target device at C:\Windows\System32\AppLocker\MDM.

FAQs

1. How to Delete Applocker Policy?

Once you have exported AppLocker rules into an XML file, it is unnecessary to keep those rules in place on the test device from where you exported the file. You can delete those rules if they are no longer required.

  • Press Windows + R to open Run Dialog box
  • Type secpol.msc and Press Enter
  • Expand Application Control Policies.
  • Right-click on AppLocker and select Clear Policy.

When you click Clear Policy, a warning popup appears asking you to confirm that you want to delete all the rules created on your device. Click on Yes.


2. Where are AppLocker rules stored in the registry?

You can locate the AppLocker rules at the following registry locations:

  1. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
  2. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\SrpV2

3 thoughts on “How to Implement Applocker using Intune”

    • No, it won’t. If you want the rule to remain effective even if the file name is changed, you’ll need to adjust the slider to generalize at the Product Name level rather than the File name level. Hope that clarifies things.

      • I have tried to change the file name from FortiClient.exe to FortiClientxxx.exe and it still works. The FortiClient application is blocked. Any idea?
