A while ago I did a blog post about managing Windows Defender of Windows 10 via OMA-DM. During that specific post I showed how to use OMA-DM, via Microsoft Intune standalone and hybrid, to configure Windows Defender. In this post I’ll do something similar for AppLocker. However, I have to admit that it was a bit more challenging for AppLocker. The main difference is that Windows 10 includes many different separate policy settings for Windows Defender, but provides a separate configuration service provider (CSP) for AppLocker.
During this post I’ll show how to create the required AppLocker XML, what the AppLocker XML looks like, what the AppLocker CSP looks like and how to combine the AppLocker XML and the AppLocker CSP. I’ll end this post with the end-user experience. During this post I’ll use the build-in Windows 10 app Candy Crush Soda Saga as an example.
Create the AppLocker XML
The required AppLocker XML can be created by using the Local Security Policy snap-in, the Local Group Policy Editor snap-in or the Group Policy Management snap-in. Any of these snap-ins will work in a similar way for creating the required AppLocker XML. It doesn’t matter which snap-in is used, as long as it’s being used on a Windows 10 device. That makes it easier with configuring and selecting the required apps. During the following twelve steps, I’ll use the Local Group Policy Editor snap-in for configuring the Candy Crush Soda Saga app.
Inside the AppLocker XML
Now let’s have a look at the AppLocker XML that I just created. That AppLocker XML should look like the one shown below. It should show a default allow rule and a specific deny rule on the Candy Crush Soda Saga app, both within the RuleCollection element of the Appx type. That element of the AppLocker XML is what’s required during the further configurations.
<AppLockerPolicy Version="1"> <RuleCollection Type="Exe" EnforcementMode="NotConfigured" /> <RuleCollection Type="Msi" EnforcementMode="NotConfigured" /> <RuleCollection Type="Script" EnforcementMode="NotConfigured" /> <RuleCollection Type="Dll" EnforcementMode="NotConfigured" /> <RuleCollection Type="Appx" EnforcementMode="Enabled"> <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> <Conditions> <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> <FilePublisherRule Id="8ea1fe67-536d-4324-99e2-88f9c9c70321" Name="king.com.CandyCrushSodaSaga, version 18.104.22.168 and above, from king.com" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> <Conditions> <FilePublisherCondition PublisherName="CN=F80C3B33-B9E8-4F23-AB15- B97C700EFF2F" ProductName="king.com.CandyCrushSodaSaga" BinaryName="*"> <BinaryVersionRange LowSection="22.214.171.124" HighSection="*" /> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> </AppLockerPolicy>
Inside the AppLocker CSP
Before using the AppLocker CSP it’s good to get a better understanding of the different nodes. The AppLocker CSP contains nodes for the different configuration components of AppLocker. Let’s go through these different nodes.
- ./Vendor/MSFT/AppLocker – Defines the root node for the AppLocker configuration service provider;
- ApplicationLaunchRestrictions – Defines restrictions for applications;
- Grouping – Defines dynamic nodes. These nodes contains a GUID naming that can be literally anything. That GUID makes sure that the un-enrollment of a device will behave as expected;
- EXE | MSI | Script | StoreApps | DLL | CodeIntegrety – Defines restrictions for launching executable applications, Windows Installer files, scripts, store apps and DLL files;
- Policy – Defines the policy for launching executable applications, Windows Installer files, scripts, store apps, and DLL files. The contents of this node is precisely the RuleCollection element as discussed in the previous paragraph.
Create AppLocker OMA-URI
Now it’s time to use the created AppLocker XML for configuring Windows 10 devices. The key with this is that only the RuleCollection element is required that matches with the node in AppLocker CSP. With the RuleCollection element of the Appx type, I need the StoreApp node in the AppLocker CSP. This is applicable to Microsoft Intune hybrid and standalone.
Microsoft Inune hybrid
Let’s start with the configuration in Microsoft Intune hybrid. I’ll walk through the required steps to configure the required OMA-URI configuration item.
|1||In the Configuration Manager administration console, navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items;|
|2||On the Home tab, click Create Configuration Item to open the Create Configuration Item Wizard;|
On the General page, specify the following information and click Next;
On the Supported Platforms page, select the following platforms and click Next;
|5||On the Device Settings page, select Configure additional settings that are not in the default settings groups and click Next;|
|6||On the Additional Settings page, click Add to open the Browse Settings dialog box.|
|7||In the Browse Settings dialog box, click Create Setting to open the Create Setting dialog box;|
Note: [MyGroup0] is a custom GUID that can be literally anything. That GUID makes sure that the un-enrollment of a device will behave as expected.
|9||In the Browse Settings dialog box, select the newly created setting and click Select to open the Create Rule dialog box;|
Note: The complete RuleCollection element, about the Appx type, should be provided in this compliance rule configuration.
|11||In the Browse Settings dialog box, click Close to return to the Additional Settings page;|
|12||On the Additional Settings page, click Next;|
|13||On the Platform Applicability page, click Next;|
|14||On the Summary page, click Next;|
|14||On the Completion page, click Close;|
Note: This created a configuration item that can be deployed like any other configuration item, as a part of a configuration baseline.
Microsoft Intune standalone
Let’s continue with the same configuration within Microsoft Intune standalone. I’ll walk through the required steps to configure the required OMA-URI configuration policy.
|1||In the Microsoft Intune administration console, navigate to Policy > Configuration Policies and click Add to open the Create a New Policy dialog box;|
|2||In the Create a New Policy dialog box, select Windows > Custom Configuration (Windows 10 Desktop and Mobile and later) and click Create Policy to open the Create Policy page;|
On the Create Policy page, specify the following information in the General section and click Add in the OMA-URI Settings section to open the Add or edit OMA-URI Setting dialog box;
Note: [MyGroup0] is a custom GUID that can be literally anything. That GUID makes sure that the un-enrollment of a device will behave as expected. Also, the complete RuleCollection element, about the Appx type, should be provided in the value configuration.
|5||On the Create Policy page, click Save Policy to open the Deploy Policy dialog box;|
|6||In the Deploy Policy dialog box, click Yes to open the Manage Deployment dialog box;|
|7||In the Manage Deployment dialog box, select a group click Add and click OK.|
Let’s end this post with the most important thing, the end-user experience. Actually, the end-user experience will be exactly the same as with a local or domain group policy configuration. The end-user will receive the message as shown below and the end-user can find messages in the Event Viewer. Those messages in the Event Viewer will wrongly indicate that the app is blocked by group policy.
|End-user message||Event Viewer message|
Fore more information about how AppLocker works, AppLocker policies and the AppLocker CSP, please refer to:
- How AppLocker works: https://technet.microsoft.com/en-us/library/mt431786(v=vs.85).aspx
- Lock down Windows 10 to specific apps: https://technet.microsoft.com/en-us/library/mt592642%28v=vs.85%29.aspx
- AppLocker CSP: https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019(v=vs.85).aspx