Applocker consists of policies and rules designed to allow or deny the execution of apps on your Windows devices. It plays a vital role in increasing the security of all devices within your organization by controlling the execution of applications, scripts, DLL files, and packaged apps.
Requirements to use Applocker
- A device with Windows 10 or Windows 11 OS to prepare for Applocker rules
- Application Identity service enabled.
You can create Applocker rules for below file types:
- Executable files: .exe and .com
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- DLLs: .dll and .ocx
- Packaged apps and packaged app installers: .appx and .msix.
Step 1 – Create an Applocker Policy
To create an Applocker policy, you must log in as an administrator on a Windows 10 or Windows 11 device and follow these steps:
Enable Applocker
- Press Windows + R to open Run Dialog box.
- Type secpol.msc and Press Enter.
- Expand Application Control Policies.
- Right-click AppLocker and select Properties.
- Check Configured box under Executable rules section and select Enforce rules from the drop-down menu.
- Click on OK.
Step 2 – Add Applocker default rules
After enabling Applocker, create the default Applocker rules by following these steps:
- Press Windows + R to open Run Dialog box.
- Type secpol.msc and Press Enter
- Expand Application Control Policies
- Expand AppLocker
- Right-click on Executable Rules and click on Create Default Rules.
The default rules ensure that executables in the C:\Program Files and C:\Windows folders are not blocked. These folders contain the applications installed on the device and the OS files.
A third default Allow rule is also created for Administrators. Under this rule, Administrators can execute all files from any location and are not restricted by this policy.
Step 3 – Create Applocker Custom Rules
We can now create custom Applocker rules to deny specific applications from executing on the device. The next steps use the Google Chrome application as the example.
- Press Windows + R to open Run Dialog box.
- Type secpol.msc and Press Enter
- Expand Application Control Policies
- Expand AppLocker
- Right-click on Executable Rules and click on Create New Rule.
- Click Next.
- Select Deny and click on Next.
- Select Publisher and click on Next.
- Click Browse and select the application, for example Google Chrome. It is usually installed at C:\Program Files\Google\Chrome\Application. Select the chrome.exe file.
- Move the slider up to block all versions of this EXE and click Next.
- On the Exceptions window, click Next.
- Provide a Name and Description to identify this rule on the Applocker rules page.
- The Applocker rule to deny the Google Chrome app has now been created.
Step 4 – Export Applocker Rules
Now we can export the rules from Applocker. Follow these steps to export the rules:
- Press Windows + R to open Run Dialog box.
- Type secpol.msc and Press Enter
- Expand Application Control Policies
- Right-click on AppLocker and select Export Policy.
- Save Applocker XML configuration file.
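The following PowerShell script is an added example, not code from the original post. It builds the same EXE rule collection that Steps 2 to 4 produce in the wizard (the three default Allow rules plus a Publisher Deny rule for chrome.exe) with the AppLocker module's cmdlets, and uses Test-AppLockerPolicy to check the decisions before the file is exported or deployed. It assumes chrome.exe is installed at the path shown and generates fresh GUIDs for the rule Ids.

```powershell
# Added example, not from the original post: build the EXE rule collection that
# Steps 2-4 produce in the wizard (three default Allow rules plus a Publisher Deny
# rule for chrome.exe) and test it before exporting. Run in an elevated PowerShell.
# Assumptions: chrome.exe is at the path below; rule Ids are freshly generated GUIDs
# (AppLocker only requires each Id to be a unique GUID).
Import-Module AppLocker

$ChromePath = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
$OutFile    = "$env:USERPROFILE\Desktop\AppLocker-EXE.xml"

# Read the Authenticode publisher fields the wizard shows on its Publisher page.
$pub = (Get-AppLockerFileInformation -Path $ChromePath).Publisher
if (-not $pub) { throw "$ChromePath is not signed, so a Publisher rule cannot be built." }

# Escape the publisher strings so they are safe inside XML attribute values.
$esc = { param($s) [System.Security.SecurityElement]::Escape([string]$s) }

$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- S-1-5-32-544 is the built-in Administrators group, which the policy does not restrict. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- An explicit Deny overrides Allow, so Chrome is blocked although it sits under Program Files.
         LowSection/HighSection "*" is the "all versions" slider position from Step 3. -->
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny Google Chrome" Description="Block chrome.exe for everyone" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(& $esc $pub.PublisherName)" ProductName="$(& $esc $pub.ProductName)" BinaryName="$(& $esc $pub.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $OutFile -Value $xml -Encoding UTF8

# Evaluate the policy offline: chrome.exe should be Denied, an OS binary Allowed.
Test-AppLockerPolicy -XmlPolicy $OutFile -User Everyone -Path $ChromePath, "$env:WINDIR\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

The resulting file has the same layout as the secpol.msc export, so its RuleCollection element can be pasted into the Intune OMA-URI value exactly as described in Step 5.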
Step 5 – Deploy Applocker rules using Intune
Follow these steps to deploy the Applocker rules exported in the previous step:
- Log in to the Microsoft Intune admin center.
- Click on Devices / Windows / Configuration Profiles
- Click on Create Profile
- Select:
- Platform: Windows 10 and later
- Profile type: Templates
- Template Name: Custom
- Provide a Name and Description and click on Next.
- Click on Add and add the OMA-URI setting below:
- Name: EXE Rule Collection (You can provide whatever name you like)
- Description: Executable Rules
- OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
- Data type: String
- Value: Copy and paste the XML file content from the opening <RuleCollection Type="Exe" ...> tag to the closing </RuleCollection> tag.
- OMA-URI setting configured on Intune admin center
- You can also export the other Applocker rule collections and deploy them through Intune using the OMA-URIs below:
- ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy
- ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy
- ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy
- ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy
- Click on Save and Next.
- Scope tags, click Next
- Assignments – Select an Azure AD group containing the target devices, or choose All devices or All users. Click Next.
- Applicability Rules, click Next
- Review and Create, click Create
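As an added example (not from the original post), the PowerShell script below reads the policy exported in Step 4, validates that it is well-formed XML, and writes one payload file per rule collection together with the OMA-URI node it belongs to, so each Value field in Step 5 can be filled by pasting a whole file instead of hand-cutting the export. It assumes the export is saved at the $ExportPath shown.

```powershell
# Added example, not from the original post: split an exported AppLocker policy into
# one payload per rule collection, each ready to paste into the Intune custom OMA-URI
# of the matching node (Step 5). Assumes the Step 4 export is at $ExportPath.
$ExportPath = "$env:USERPROFILE\Desktop\AppLocker-Export.xml"
$OutDir     = "$env:USERPROFILE\Desktop\AppLocker-OMA-URI"

# RuleCollection Type attribute in the XML -> node name used in the OMA-URI path.
$NodeByType = @{
    Exe    = 'EXE'
    Msi    = 'MSI'
    Script = 'Script'
    Appx   = 'StoreApps'
    Dll    = 'DLL'
}

[xml]$policy = Get-Content -Path $ExportPath -Raw   # throws if the export is not valid XML
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $node = $NodeByType[$rc.Type]
    if (-not $node) { Write-Warning "Unknown collection type '$($rc.Type)', skipped"; continue }

    # Collections that were never configured are exported as empty elements; nothing to deploy.
    if (-not $rc.HasChildNodes) { Write-Warning "$($rc.Type): no rules, skipped"; continue }

    # The OMA-URI value is exactly <RuleCollection ...> ... </RuleCollection>, nothing more.
    $file = Join-Path $OutDir "$node.xml"
    Set-Content -Path $file -Value $rc.OuterXml -Encoding UTF8

    [pscustomobject]@{
        OmaUri      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/$node/Policy"
        Enforcement = $rc.EnforcementMode      # Enabled = enforce, AuditOnly = log only
        Rules       = @($rc.ChildNodes).Count
        Payload     = $file
    }
}
```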
End-user Experience
When you launch an EXE app blocked by the Applocker rule, you should see the message below:
“This app has been blocked by your system administrator”.
More Information
Applocker Event ID 8004
You can locate AppLocker-related events in the Event Viewer by following these steps:
- Go to Start > Search for Event Viewer.
- Expand Applications and Services Logs > Microsoft > Windows.
- Find AppLocker folder.
- Click on EXE and DLL.
- Event ID 8004 is generated when an application is prevented from running. Seeing it for the blocked app confirms that the policy applied from Intune is working.
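The script below is an added example, not from the original post. It queries the same EXE and DLL log for Event ID 8004 over the last day and summarises the blocks per file and user, which is the quickest way to confirm the deployed policy is biting only on the intended app. It assumes the event's UserData/RuleAndFileData layout with FilePath, RuleName and TargetUser fields.

```powershell
# Added example, not from the original post: pull AppLocker 8004 (blocked) events from
# the "EXE and DLL" log and summarise them, to confirm the Intune-deployed policy
# blocks the intended app and nothing else. Assumes the event's UserData contains
# RuleAndFileData with FilePath, RuleName and TargetUser elements.
$Since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8004
    StartTime = $Since
} -ErrorAction SilentlyContinue   # no matching events -> empty result, not an error

$blocked = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = $d.TargetUser   # SID of the user who tried to launch the file
        FilePath = $d.FilePath     # logged with %PROGRAMFILES%/%WINDIR% style variables
        Rule     = $d.RuleName     # the Deny rule name given in Step 3
    }
}

# Group so that one noisy user or an unexpectedly blocked app stands out immediately.
$blocked | Group-Object FilePath, User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Any FilePath other than chrome.exe in this list means the policy is blocking something the Step 3 rule did not target and should be reviewed before wider assignment.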
Applocker Rules Storage Location on End User Device
You can locate the Applocker rules on the target device in C:\Windows\System32\AppLocker\MDM.
FAQs
1. How do I delete an Applocker policy?
Once you have exported the AppLocker rules into an XML file, it is not necessary to keep those rules in place on the test device from which you exported the file. You can delete those rules if they are no longer required.
- Press Windows + R to open Run Dialog box
- Type secpol.msc and Press Enter
- Expand Application Control Policies.
- Right-click on AppLocker and select Clear Policy.
When you click on “Clear Policy,” a warning popup will appear to confirm whether you want to delete all the rules created on your device. Click on Yes.
2. Where are AppLocker rules stored in the registry?
You can locate the AppLocker rules at the registry locations below:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\SrpV2