AppLocker has the ability to deny apps from running when you exclude them from the list of allowed apps. When AppLocker rules are enforced in the production environment, any apps that are not included in the allowed rules are blocked from running. Licensing conformance. AppLocker can help you create rules that preclude unlicensed software from running and restrict licensed software to authorized users. Software standardization. How to set up AppLocker restrictions on Windows 10 Pro? It seems like I've set them up in the gpedit.msc console, then started up AppIdentity service (set it to auto-run) but no matter what I do, the restrictions are not enabled, even though this site says that AppLocker is supported on Windows 10 Pro. Hi Sergey, You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education. If you want to restrict applications on other user account, we could add those applications to registry HKEYCURRENTUSER SOFTWARE Microsoft Windows CurrentVersion Policies Explorer DisallowRun. Windows 7 Pro has Applocker console where you can create rules and export them, you cannot enforce them. There are no business decisions to limit Applocker to top desktop editions (Ultimate and Enterprise). In small business (SMB) it is easier to keep similar operating systems (say, Windows 7 Pro clients and SBS servers) than for large enterprises.
In this post I will give you a quick overview about cloud configuration of AppLocker using Intune and MDATP.
AppLocker has been with us for quite some time now reaching back all the way to good old Windows 7. Although it is not the best solution from a technical point of view (there’s Windows Defender Application Control including TPM-enforced policy signing) it is still a good way to build a quick solution to stop users from installing software or executing unwanted applications. It is one of my recommendations for a secure Windows 10 baseline.
In this post I assume that you are already some kind of familiar with AppLocker. I will focus on how you can shift it to Intune for deployment and Microsoft Defender ATP’s Advanced Hunting capabilities for monitoring and policy refinement.
Configuration in Intune
First export your AppLocker configuration from either the Group Policy Management Console in Active Directory or from your local GPEdit Console. Even in a cloud-only scenario with Azure AD joined clients you can still use the latter to build the policy. It will look something like this:
Now we need to jump over to the Intune console to create a new Windows 10 configuration profile using the “Custom” profile type:
For each of the five different rule collections a distinct entry must be added. These are the OMA-URIs you have to use:
- AppLocker EXE:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy - AppLocker MSI:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/MSI/Policy - AppLocker Script:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/Script/Policy - AppLocker Appx:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy - AppLocker DLL:
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/DLL/Policy
Find out more in the official AppLocker CSP documentation:
https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp
Data type has to be set to “String”, Value equals each <RuleCollection> section from the AppLocker xml. Here’s an example for the EXE rule collection:
The Value text field must contain each rule collection xml section including <RullCollection …> and </RuleCollection> as marked here in Notepad++:
Once you have added all rule collection types it will look something like this:
Don’t forget to assign the profile to all users and/or devices you want to target. Although it might seem obvious please remember that deploying any kind of application control in enforced mode could break things without testing it first. So you might want to use AppLocker in audit mode first.
Monitor AppLocker events in MDATP
Now we head over to the Microsoft Defender Security Center selecting the Advanced hunting sub-menu. There we add the following query:
MiscEvents
| where EventTime > ago(14d) and
ActionType startswith 'AppControl'
| order by EventTime desc
Just paste it to the query text field:
You can modify the query at any time, e.g. by changing the EventTime filter to cover more days in the past. Once you run the query you get all files that are recognized by AppLocker (or Defender Application Control):
Depending on how you use AppLocker you can extract information about either paths, file names, signature, or file hashes to enhance your policy which you would then edit in either GPMC or GPEdit. Then you can continue by exporting it as xml and pasting each rule collection into the Intune profile again.
Thanks for reading!
Chris
AppLocker on Windows 10 is an often-underrated security layer that addresses what is now coming to the forefront of enterprise security – threats from ransomware and other malware. First introduced with Windows 7/Server 2008 R2 as an update from the Software Restriction Policies feature (XP/2003), it allows non-admins to be restricted to a certain set of applications.
How Can AppLocker Protect Networks from Ransomware Attacks?
AppLocker can be used to predefine what types of apps can be run by which users. Specifically, it controls apps such as executable .exe and .com files, .js, .ps1, .vbs, .cmd, and .bat scripts, .msi and .msp Windows Installer files and DLL files like .dll and .ocx.
When the threat of unwanted software is high, AppLocker can be used to reduce that threat to a great degree.
Specific to ransomware, the job of AppLocker is to prevent software from a non-admin’s writable workspace from being executed. And the reason that’s required is that the Windows file system, NTFS, grants read/write permission to all non-admin users, and some “authenticated users” (also non-admins) even get read/write permissions to %WinDir%/Temp.
While AppLocker doesn’t change NTFS permissions; what it does is to prevent non-admins from saving files to an executable location. In doing this, AppLocker reduces the surface area for potential malware attacks, including ransomware.
Earlier this month, the United States Computer Emergency Readiness Team, or US-CERT, issued Alert (TA17-163A), which recommends application whitelisting (AWL) in order to “detect and prevent attempted execution of malware uploaded by adversaries.”
The alert specifically mentions AWL tools such as AppLocker to implement application or application directory whitelisting.
One important thing to remember is that the default rules in AppLocker are only the starting point. To be truly effective, admins need to know which folders non-admins have both execute and write permissions on.
This is why the initial planning stage for rolling out AppLocker delivery is critical. New applications will naturally create new folders and files, and admins have to be on top of these changes.
One way to do this is by creating scripts to read non-admin system folders to identify which locations they have execution capabilities in. The rule set in AppLocker should necessarily depend on on where these writable and executable folders are. There are also other tools created by independent security researchers that you can use, such as AppLocker Bypass Checker. You can also use accesschk from Windows Sysinternals to find user-writable folders.
The point is, the tools are there, but they need to be used effectively.
AppLocker is merely one layer in a series that protects your systems, but it is a critical one that needs to be addressed sooner rather than later. Too many admins merely use the default rules and assume that everything is taken care of, and that’s where the real danger lies.
Windows 10 may be far more resilient to attacks from ransomware and malware, but assuming that Microsoft is going to do all the work is possibly the biggest mistake a SysAdmin can make.
Note: Windows 10 is not the only version where AppLocker can be configured and enforced, but other versions may have some restrictions. Please see the table below, and the additional resource link below that:
Install Applocker Windows 10 Pro
| Version | Can be configured | Can be enforced | Available rules | Notes |
|---|---|---|---|---|
| Windows 10 | Yes | Yes | Packaged apps Executable Windows Installer Script DLL | You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. |
| Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 | Yes | Yes | Packaged apps Executable Windows Installer Script DLL | |
| Windows 8.1 | Yes | Yes | Packaged apps Executable Windows Installer Script DLL | Only the Enterprise edition supports AppLocker |
| Windows RT 8.1 | No | No | N/A | |
| Windows 8 Pro | No | No | N/A | |
| Windows 8 Enterprise | Yes | Yes | Packaged apps Executable Windows Installer Script DLL | |
| Windows RT | No | No | N/A | |
| Windows Server 2008 R2 Standard | Yes | Yes | Executable Windows Installer Script DLL | Packaged app rules will not be enforced. |
| Windows Server 2008 R2 Enterprise | Yes | Yes | Executable Windows Installer Script DLL | Packaged app rules will not be enforced. |
| Windows Server 2008 R2 Datacenter | Yes | Yes | Executable Windows Installer Script DLL | Packaged app rules will not be enforced. |
| Windows Server 2008 R2 for Itanium-Based Systems | Yes | Yes | Executable Windows Installer Script DLL | Packaged app rules will not be enforced. |
| Windows 7 Ultimate | Yes | Yes | Executable Windows Installer Script DLL | Packaged app rules will not be enforced. |
| Windows 7 Enterprise | Yes | Yes | Executable Windows Installer Script DLL | Packaged app rules will not be enforced. |
| Windows 7 Professional | Yes | No | Executable Windows Installer Script DLL | No AppLocker rules are enforced. |
Additional Resource: Requirements to Use AppLocker
Applocker Windows 10 Pro Activation
Thanks for visiting! Would you do us a favor? If you think it’s worth a few seconds, please like ourFacebook pageand follow us onTwitter. It would mean a lot to us. Thank you.
App Lock For Windows 10
Sources: 1 | 2 | 3