How to Implement Applocker using Intune

AppLocker consists of policies and rules that allow or deny the execution of applications on your Windows devices. It increases the security of every device in your organization by controlling which executables, scripts, DLL files, and packaged apps are permitted to run.

Requirements to use Applocker

  • A Windows 10 or Windows 11 device on which to author the AppLocker rules.
  • The Application Identity service enabled.

You can create AppLocker rules for the following file types:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx and .msix

Step 1 – Create an Applocker Policy

To create an AppLocker policy, log in as an administrator on a Windows 10 or Windows 11 device and follow these steps:

Enable AppLocker

  • Press Windows + R to open the Run dialog box.
  • Type secpol.msc and press Enter.
  • Expand Application Control Policies.
  • Right-click AppLocker and select Properties.
  • Under Executable rules, check the Configured box and select Enforce rules from the drop-down menu.
  • Click OK.

Step 2 – Add Applocker default rules

After AppLocker has been enabled, you can create the default AppLocker rules by following these steps:

  • Press Windows + R to open the Run dialog box.
  • Type secpol.msc and press Enter.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right-click Executable Rules and click Create Default Rules.

The default rules make sure that executables in C:\Program Files and C:\Windows are not blocked. These folders contain the applications installed on the device and the operating system files.

A third default Allow rule is created for Administrators: members of that group can run any file from any location and are not restricted by this policy.

Step 3 – Create Applocker Custom Rules

We can now create custom AppLocker rules to deny specific applications from running on the device. The following steps use Google Chrome as the example.

  • Press Windows + R to open the Run dialog box.
  • Type secpol.msc and press Enter.
  • Expand Application Control Policies.
  • Expand AppLocker.
  • Right-click Executable Rules and click Create New Rule.
  • Click Next on the first page of the wizard.
  • Select Deny and click Next.
  • Select Publisher and click Next.
  • Click Browse and select the application. For Google Chrome, chrome.exe is usually installed in C:\Program Files\Google\Chrome\Application.
  • Move the slider up to block all versions of this EXE and click Next.
  • On the Exceptions page, click Next.
  • Provide a Name and Description to identify this rule on the AppLocker rules page.
  • The AppLocker rule has now been created to deny the Google Chrome app.

Step 4 – Export Applocker Rules

Now we can export the rules from AppLocker. Follow these steps:

  • Press Windows + R to open the Run dialog box.
  • Type secpol.msc and press Enter.
  • Expand Application Control Policies.
  • Right-click AppLocker and select Export Policy.
  • Save the AppLocker XML configuration file.

Step 5 – Deploy Applocker rules using Intune

Follow these steps to deploy the AppLocker rules exported in the previous step:

  • Sign in to the Microsoft Intune admin center.
  • Go to Devices > Windows > Configuration profiles.
  • Click Create profile.
  • Select:
    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Custom
  • Provide a Name and Description and click Next.
  • Click Add and add the following OMA-URI setting:
    • Name: EXE Rule Collection (you can use any name you like)
    • Description: Executable Rules
    • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy
    • Data type: String
    • Value: copy and paste the XML file content from <RuleCollection Type="Exe" ...> through </RuleCollection> (the RuleCollection element only).
  • You can also create other AppLocker rule collections and deploy them with Intune using the following OMA-URIs:
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/Script/Policy
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy
    • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/DLL/Policy
  • Click Save, then Next.
  • Scope tags: click Next.
  • Assignments: select an Azure AD group containing devices, or add all devices or all users. Click Next.
  • Applicability rules: click Next.
  • Review + create: click Create.
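The export-and-paste step above can be done without the GUI. The following PowerShell is an added example, not code from the original post: it exports the local AppLocker policy, cuts out just the Exe RuleCollection element that the EXE/Policy OMA-URI expects as its value, and dry-runs the policy against sample binaries with Test-AppLockerPolicy before anything is deployed. It assumes an elevated prompt on the device where the rules were authored; the output folder and the sample paths (the Chrome path is the one used in this post) are my own choices.

```powershell
# Added example: export the local AppLocker policy, extract the Exe rule collection
# for Intune, and check policy decisions before deploying.
# Assumes the built-in AppLocker module (Get-AppLockerPolicy, Test-AppLockerPolicy).

$outDir = "$env:TEMP\AppLockerExport"   # my own choice of output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Same content as secpol.msc > AppLocker > Export Policy, as XML text.
$policyXml  = Get-AppLockerPolicy -Local -Xml
$policyPath = Join-Path $outDir 'AppLockerPolicy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# The ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy node
# takes only the <RuleCollection Type="Exe"> element, not the whole <AppLockerPolicy>.
[xml]$policy = $policyXml
$exe = @($policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'No Exe rule collection in the local policy; enable AppLocker first.' }

# EnforcementMode is NotConfigured, AuditOnly or Enabled; Intune will push whatever is here.
if ($exe.EnforcementMode -ne 'Enabled') {
    Write-Warning "Exe collection is in '$($exe.EnforcementMode)' mode, not Enforce."
}
$fragmentPath = Join-Path $outDir 'ExeRuleCollection.xml'
Set-Content -Path $fragmentPath -Value $exe.OuterXml -Encoding UTF8
"Exe rules exported: $($exe.ChildNodes.Count) rule(s) -> $fragmentPath"

# Dry run against the exported XML (the live policy is not touched):
# chrome.exe should come back Denied, notepad.exe Allowed by the default Windows rule.
$samples = @(
    'C:\Program Files\Google\Chrome\Application\chrome.exe',
    'C:\Windows\System32\notepad.exe'
) | Where-Object { Test-Path $_ }

if ($samples) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}
```

Paste the contents of ExeRuleCollection.xml into the Value field of the OMA-URI setting; if PolicyDecision for chrome.exe is not Denied, the deny rule did not match and should be fixed before the profile is assigned.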

End-user Experience

When a user launches an EXE blocked by the AppLocker rule, they see the following message:

"This app has been blocked by your system administrator".

More Information

AppLocker Event ID 8004

You can locate AppLocker-related events in Event Viewer by following these steps:

  • Go to Start and search for Event Viewer.
  • Expand Applications and Services Logs > Microsoft > Windows.
  • Find the AppLocker folder.
  • Click EXE and DLL.
  • Event ID 8004 is logged when an application is prevented from running. This confirms that the policy we applied from Intune is working.
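Checking the same log at scale is easier from PowerShell. The script below is an added example, not from the original post: it reads the "EXE and DLL" log, keeps 8004 (blocked in Enforce mode) and 8003 (would have been blocked in Audit only mode), and summarises which binaries and users are hitting the rules. The field names (FilePath, TargetUser, RuleName, Fqbn) come from the standard AppLocker event schema; the function name and the -Days window are my own.

```powershell
# Added example: summarise AppLocker block events (8004) and audit events (8003)
# from the EXE and DLL log. Assumes an elevated prompt on the target device.

function Get-AppLockerBlockSummary {
    param([int]$Days = 7)   # my own parameter: how far back to look

    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        [xml]$x = $_.ToXml()
        $d = $x.Event.UserData.RuleAndFileData   # AppLocker event payload
        $mode = if ($_.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }

        # Resolve the SID to an account name; keep the raw SID if translation fails.
        $user = $d.TargetUser
        try {
            $sid  = [System.Security.Principal.SecurityIdentifier]$d.TargetUser
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        [pscustomobject]@{
            Time     = $_.TimeCreated
            Mode     = $mode
            FilePath = $d.FilePath
            User     = $user
            Rule     = $d.RuleName
            Fqbn     = $d.Fqbn      # publisher\product\binary\version that matched
        }
    }
}

# Per-binary counts first: many hits on one file usually means either a business app
# caught by an over-broad rule, or a user repeatedly retrying something they cannot run.
$summary = Get-AppLockerBlockSummary -Days 7
$summary | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Then the detail rows for triage, newest first.
$summary | Sort-Object Time -Descending |
    Format-Table Time, Mode, User, FilePath, Rule -AutoSize
```

If the deny rule was deployed but no 8004 events appear after a blocked launch, check that the Application Identity service is running on the device, since AppLocker does not enforce or log without it.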

Applocker Rules Storage Location on End User Device

You can find the AppLocker rules on the target device under C:\Windows\System32\AppLocker\MDM.

FAQs

1. How to Delete Applocker Policy?

Once you have exported the AppLocker rules to an XML file, you do not need to keep those rules in place on the test device from which you exported them. You can delete them if they are no longer required.

  • Press Windows + R to open the Run dialog box.
  • Type secpol.msc and press Enter.
  • Expand Application Control Policies.
  • Right-click AppLocker and select Clear Policy.

When you click Clear Policy, a warning pop-up asks you to confirm that you want to delete all the rules created on your device. Click Yes.

2. Where are AppLocker rules stored in the registry?

You can locate the AppLocker rules at the following registry locations:

  1. HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2
  2. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\SrpV2