1/17/2024 0 Comments Applocker policy intune![]() ![]() Make note of the exact path mentioned in the AppLocker logs Install the application on a test computer and try and run itĬheck the AppLocker event log and see if the app requires additional dll/files which are also blocked If so then consider moving the application to one of the locations mentioned aboveĪsk if the computer and the app in question is only used by a group of users (v%3Dws.11) Process for whitelisting an applicationĮnsure you understand what the application does and that it does not present any security concernsĪsk the customer if this is a one-time use application or meant for only one or two computers. For more information on event ids relating to AppLocker consult the following article: For example, event id 8004 is when something is blocked by AppLocker. You can remove the # and filter the events to a specific event id. This script will need to be run from your PAW device with your workstation admin account. This will give you an output like the following:Ĭhange the log name as appropriate (look this up in the Event View as shown in the above screenshot). Get-WinEvent -LogName “Microsoft-Windows-AppLocker/EXE and DLL” -ComputerName $Computer # | Where-Object To monitor the AppLocker logs on a remote computer you can use the following PowerShell code: The location of the logs are shown in the following screenshot: You can examine the logs in the Event Viewer to troubleshoot AppLocker. The following article can help understand inheritance: To enforce the rules you have to right-click AppLocker, select Properties and choose “Enforce rules” from the drop down under each rule collection:įurthermore, it is necessary to understand how AppLocker rule collections are inherited in Group Policy. The logs will say if the executables, scripts, etc was allowed to run or if it would have been blocked if the rules were enforced. In this case the hash will need to be regenerated in AppLocker or else the rule will no longer apply to the application (since it has a different hash now).įor further information on understanding rule conditions consult the following Microsoft guide:īy default, the rules you create are set to “Audit only” which means the executables, scripts, etc will be allowed to run on client devices but everything will be logged in the Event Viewer so you can monitor what the behaviour will be like on a client device. If the executable is updated at any time in the future, the hash that was originally generated will not identify the updated executable. If the application is not signed by a publisher then you can select the executable and AppLocker will generate a hash which uniquely identifies this executable. If the executable is moved a location which is not covered by a rule then the application will be allowed to run (since the executable was not in the path specified in this rule). You can use wildcards for folder paths and filenames. This tells AppLocker to expect to find the executable in a specific location. Alternatively you can sign the item using a certificate. ![]() This will only work if the executable is signed by a software publisher. Another way of looking at this is to work out how to identify the said executable. You then have the option to choose a condition to meet to be able to apply this rule to an executable. You can also choose to apply this rule to a specific group of users by choosing an Active Directory security group or leave the default which is applied to the “Everyone” group. In other words, Allow is whitelisting an app and Deny is blacklisting an app. ![]() To create a rule for a executable right-click on “Executable Rules” under AppLocker and select “Create New Rule…”.Īt this point you choose whether your rule is to Allow or Deny an executable from running. This is already done in the two GPOs that currently have AppLocker policies. It is recommended to create a set of default rules for each of the collection of rules. *If your script, exe or installer require the use of DLL files then you must also create rules for the DLL files in addition to the script/exe/installer.ĪppLocker rules are only configured in the Computer Configuration of a GPO but you can apply any rule to a specific group of users or set it to apply to the “Everyone” group. To use DLL rules you have to enable it by right-clicking on “AppLocker” > Advanced tab > check “Enable the DLL rule collection”. *Note that the DLL rules node is not visible by default (as shown in the previous screenshot). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |