In my previous post on AppLocker with Windows 10, I discussed what AppLocker is and how to implement it on Windows 10. In this post I hope to cover how to centrally deploy and manage AppLocker policies with Windows Intune.
Configuration service providers (CSPs) are the interface used to configure device settings on Windows 10. MDM services such as Windows Intune use CSPs to push configuration and settings to Windows 10 devices. The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based Synchronization Markup Language (SyncML) for data exchange between compliant servers and clients. Each CSP setting is addressed by an OMA-URI and carried in SyncML; for the AppLocker CSP, the value of the Policy node is the AppLocker rule XML itself.
In this post, let's see how to create the AppLocker configuration XML and deploy it through the OMA-URI setting of the AppLocker CSP.
These are the high-level steps you have to follow: build the AppLocker policy XML on a Windows 10 machine, then deploy it as a custom OMA-URI setting in Intune.
As discussed in the introduction, a CSP takes its configuration in XML format. For AppLocker, the easiest way to create the XML is on a Windows 10 machine: define the policy in Local Security Policy (secpol.msc, under Application Control Policies > AppLocker), export it as XML, and keep only the <RuleCollection> element, because the CSP's Policy node takes a single rule collection rather than the outer <AppLockerPolicy> wrapper. Note that EnforcementMode="Enabled" enforces immediately; set it to "AuditOnly" for the first deployment so the policy only logs what it would have blocked. Let's see how to do this.
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
<FilePublisherRule Id="2a4b27b4-681f-40f2-a1e4-18b6f1cfcf98" Name="BITTORRENT.EXE, version 7.10.0.0 and above, in BITTORRENT, from O=BITTORRENT INC, L=SAN FRANCISCO, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=BITTORRENT INC, L=SAN FRANCISCO, S=CALIFORNIA, C=US" ProductName="BITTORRENT" BinaryName="BITTORRENT.EXE">
<BinaryVersionRange LowSection="7.10.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
Setting Name – BitTorrent Block (the deny rule targets BitTorrent.exe; this has nothing to do with BitLocker)
Setting description – a short description of what the policy does
Data type – String
OMA-URI – ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/myapps/EXE/Policy
Value – the <RuleCollection> XML exported above, pasted as the string value (the "myapps" segment of the OMA-URI is a grouping name you choose; the EXE segment selects the executable rule collection)
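As an added example (not part of the original post), the PowerShell below scripts the export step instead of clicking through the GUI: it pulls the EXE rule collection out of the local policy, checks that every rule Id is a valid and unique GUID, warns about the default allow rules whose paths cover folders a standard user can write to (the %WINDIR% rule includes C:\Windows\Tasks and C:\Windows\Temp, and the Administrators "*" rule lets anything run elevated), switches the collection to AuditOnly for the first rollout, and writes just the <RuleCollection> element for pasting into the Intune value field. The second half is what to run on an enrolled client after the Intune profile has synced. The file paths are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original post): export the local AppLocker policy
# into the shape the AppLocker CSP expects, sanity-check it, and verify on an
# enrolled client that the Intune profile actually applied.

# --- 1. Build the CSP value on the reference Windows 10 machine --------------
$exportPath = "$env:USERPROFILE\Desktop\AppLocker-Exe-RuleCollection.xml"  # assumed path

# -Local reads the policy defined in Local Security Policy; -Xml returns the
# full <AppLockerPolicy Version="1"> document as a string.
[xml]$policy = Get-AppLockerPolicy -Local -Xml

# The CSP Policy node (.../myapps/EXE/Policy) takes a single <RuleCollection>
# element, so keep only the Exe collection and drop the outer wrapper.
$exe = @($policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'No Exe rule collection found in the local policy.' }

# Roll out in audit mode first; event 8003 then shows what Enabled would block.
$exe.EnforcementMode = 'AuditOnly'

# Every rule Id must be a GUID (the AppLocker schema requires it) and unique.
$seen = @{}
foreach ($rule in $exe.ChildNodes) {
    $id = [guid]::Empty
    if (-not [guid]::TryParse($rule.Id, [ref]$id)) {
        throw "Rule '$($rule.Name)' has an invalid Id '$($rule.Id)'."
    }
    if ($seen.ContainsKey($id)) { throw "Duplicate rule Id $id." }
    $seen[$id] = $true
}

# Flag allow rules whose path covers folders standard users can write to.
$broadAllows = $exe.FilePathRule | Where-Object {
    ($_.Action -eq 'Allow') -and
    ($_.Conditions.FilePathCondition.Path -in @('*', '%WINDIR%\*'))
}
foreach ($r in $broadAllows) {
    Write-Warning "Review broad allow rule '$($r.Name)' for user-writable subfolders."
}

# Dry-run a binary against the policy before deploying it (assumed path to an
# installed copy of the client you want to block).
Get-AppLockerPolicy -Local |
    Test-AppLockerPolicy -Path 'C:\Temp\BitTorrent.exe' -User Everyone

# Write just the <RuleCollection> element; this is the OMA-URI value.
$exe.OuterXml | Set-Content -Path $exportPath -Encoding UTF8

# --- 2. Verify on an enrolled client after the Intune profile syncs ----------
# AppLocker only enforces while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType

# The effective policy merges local, GPO and MDM sources; confirm the deny
# rule arrived and which enforcement mode the Exe collection ended up in.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$effectiveExe = @($effective.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq 'Exe' }
"Exe enforcement mode: $($effectiveExe.EnforcementMode)"
$effectiveExe.FilePublisherRule | Where-Object { $_.Action -eq 'Deny' } |
    Select-Object Name, @{ n = 'Binary'; e = { $_.Conditions.FilePublisherCondition.BinaryName } }

# 8004 = blocked (Enabled); 8003 = would have been blocked (AuditOnly).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run part 1 on the machine where you built the policy and part 2 on a test client assigned the Intune profile. Once the 8003 audit events show only the binaries you intend to block, change EnforcementMode to "Enabled" in the exported XML and update the value in Intune.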
Hope this post is useful
Thanks