Configure AppLocker in Intune 

Good question, it is if you block by Application/EXE there are some others if you base it on other criteria's.

well done! interesting idea and use discovered apps as source, I don't think it lists the exe file and more product name, but if it does it sounds like a MS Graph could help there, still very difficult. For now AppLocker is a bit of a manual process and maybe that is good to not make errors and lock out too much

Thank you very much, to create the XML file if the app is not installed? that is much possible, but if you are looking at signature it could be difficult, if it is just a path rule, much possible, with that said, I always prefer to have a test Virtual Machine, install what I want to block and then do rule based on that, find that a lot easier, but yeah not a must.

Hi, there is the default rules that could include Snipping Tools since it is signed by Microsoft I assume. I got pretty many comments with some issues, so could justify a seconadry video for AppLocker with Intune. I got one ready soon in a few hours about Enterprise App new feature in Intune and got Windows 365 planned, but will try to add in an AppLocker when time allows

Hi, that is a sign it is something it doesn't like, could you please post here your OMA-URI a la ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy and your value (string) a la

@@IntuneVitaDoctrina ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy

Hi! :) That is specified in the XML file. Got so many questions around AppLocker I think a second video showing some more configuration and tricks would be good, will think about it and hope time allows to do it soon

exactly that! just another XML block for another EXE, created in the same way but then merged

@@IntuneVitaDoctrina Thanks for the info. Do you know what the behavior is with end user systems getting this AppLocker policy if you have an error? Like if you goof something when copying over the new RuleCollection value to add a new EXE app to allow/block but it errors out, how the systems will react? I've been curious if they will skip changing the policy locally due to the error and just continue using the old previous AppLocker config that was successful, or if it just grenades itself for some reason and everything goes belly up. A former tech colleague once spoke to me about AppLocker and said something along the lines of "it's great, but you need to be careful or it can cause a lot of problems." I never got more context. Made me wonder if you just need to be sensible and ensure you have default rules to allow C:\Windows, C:\Program Files, etc., or if it was this ultra sensitive monster prone to breaking badly under particular circumstances. :D

if it fails, that would mean the XML is bad formated and then all will fail, so even GIMP etc, it is a bit all or nothing deal here :)

@@IntuneVitaDoctrina Oh, well that's only slightly (extremely) horrifying then. I'll be sure to set up a duplicate AppLocker policy with a few test machines, and if the code in the value field on AppLocker-Test policy works, I'll just do a direct select all + copy + paste to the value field on AppLocker-Prod policy. :D

If you set in audit mode you get xml Also but set to audit mode. To download applocker will not help but to block them from running it for sure can! :)

@@IntuneVitaDoctrina Second question, I am needing to block gaming applications in Intune so users WONT be able to download/install games on their WINDOWS devices. Do I personally need to have all the game applications installed on my windows device in order to set the rules up for them in APPLOCKER?? Its over 10 gaming applications we've been able to identify so far

to prevent DOWNLOAD you need change in browser or alike, to prevent INSTALLATION, yes then you can just download the installer and block them... if the installer is signed by a company such as JBN Games and you know they do no other software that you need, you can just block on signature (certificate) of those files. If you install the app and then block, they be able to install but not run the game, so I would advice to block the installer of the game :) preferable by blocking on the signature of the installer/setup file :)

thanks excellent comment! I do this step in the wizard around 7:17

You only export 4 rules, not 5. You never right clicked packaged app rules and created the 5th default rule. Either way, thank you for the videos, they help so much ☀️

thanks again for this, I might do another video about AppLocker and make sure that be done correctly this time.

thanks for the comment, and happy to hear it helped.

Thank you so much for comment

thanks, so true, I'm planning to make a second video about AppLocker in Intune and explain more those steps, current video is weak there.

Intune/AppLocker with MDM configuration policies will work, the video shows it. Legacy GPO should work also but it uses a different way

thanks you so much

Hi, you are the second to tell similiar. For me it works perfect, I wonder where things can go wrong, should be the XML file. Could you please email me your XML file to john@bryntze.cloud and I'll look at it, and if that shows something that leads to an error or something I missed in the video I'll be happy to add it.

I guess that could be possible, but in that case it is maybe better to setup Windows in Kiosk mode and auto start Notepad.exe

@@IntuneVitaDoctrina kiosk mode is based on devices not on users based and we want to display some background message which is not possible if notepad open directly

Then AppLocker could probably do the job, it is difficult to lock down all, like if you got Notepad you get access to the open file menu and can browse etc, but if you do a AppLocker config that only allows notepad. For fun I asked ChatGPT, but I highly doubt this one would work :)

@@IntuneVitaDoctrina thank you. I did that with the help of ChatGPT but it's not working with the user group

Good question, if they are in same path you can use wild cards, if different paths you will have to do one entry per app.

Thanks, and an excellent question, I don't got any own experience because I have only used AppLocker. Reading about it, seems they do the same job, however AppLocker is easier and Application Control if you do mistakes can render the device not able to boot. "AppLocker is much easier and less risky to update than WDAC. AppLocker XML files are simple text files that you can edit manually. WDAC XML files are also text files, but it is not practical to edit them manually. AppLocker uses the Subject Name of a certificate to identify a signed file. It is the same subject name regardless of the certificate used to sign. WDAC uses the thumbprint. The same name might be used in multiple different certificates with different thumbprints. A mistake in an AppLocker policy might cause some processes not to run. A mistake in a WDAC policy might cause Windows not to boot. If it cannot boot, the only solution is to re-image the device. Imagine doing that for 30 or 50,000 devices!"

@@IntuneVitaDoctrina Appreciate the feedback. Those are great points around WDAC, I haven't used it myself but am considering it for modern management.

Thank you for the tip! good idea

that is a really good question, by default no, but you can for example do a Configuration Policy that doesn't allow the users to start the Microsoft Store App at all, very common solution. Then if it is just some users, you must have a AzureAD group and target your policy to them

@@IntuneVitaDoctrina thank you for your response. I configured a policy from Intune to block Microsoft Store, but I am unable to open other apps like: Photos, Camera, etc. those who are pre-installed with Windows that can be found in M. Store as well. Also, I created another policy in Intune to block non-Admin users to install apps from Microsoft Store, and I noticed that you will be asked for Admin credentials only for specific apps.

true, you can in Intune even with store on clients block, add them in Intune apps and push to all you want or put in self services

Hi Kim, thanks a lot for you support my Intune friend :) Good question, there should be a configuration profile to set this, else do a script to make sure the service is started, can even do it as a Remediation script to ensure no one stops the service # Define the service name AppIDSvc/Application Identity $JBNserviceName = "AppIDSvc # Set the service to automatic start Set-Service -Name $JBNserviceName -StartupType Automatic # Start the service Start-Service -Name $JBNserviceName

@@IntuneVitaDoctrina if there is a Configuration profile do you where? - have try to look after that, but could not find that Config profil... 🙂

If you import ADMX files into Intune you can control services, as you have this option in GPO. That is the best way I can think of it. I think Intune got a limit of 10 ADMX files to import, I got one for Firefox settings for example.

that works :-) thanks 🙂@@IntuneVitaDoctrina

Hi, always best to test on one device first or run on all but in Audit mode to find out these things when it doesn't work as one hoped. You will need to recreate the XML file and add allow path to those that are blocked, but by default should all in Program Files work except those you specify to block, but maybe those are outside program files.

im just create default rule one more in packaged app-Excution and now everything working fine. thank you

excellent and thanks for sharing the solution: well done

now for real machince is still block 😅

i dont understand now on machince testing it block only app that i want to block but when im using it with real machince it block noted ++ , block microsoft team T_T i dont know how to fixing it now, could you help me check

Well done! thanks for sharing your success

Hi bro, please help me to block execution of portable applications in user mode via Intune

There are two versions of Microsoft Teams, could you please provide me the full path to the ms teams that get blocked and I will re-look on my device. Nothing in the XML should block Teams

@@IntuneVitaDoctrina this path, C:\Users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs

That is the path to the shortcut in start menu, can you please right click on that shortcut and chose ‘file location’ what that shortcut lnk file points to?

You'll need a separate Publisher rule for Teams. This won't be captured by the default rules as it's installed in the users \AppData\Local folder 📁

Tackar så mycket

is Firefox installed under c:\program files\Mozilla etc?

You'll need a separate Publisher rule for Teams. This won't be captured by the default rules as it's installed in the users \AppData\Local folder 📁

Hi, Often best to set it to Audit mode before enforce block, to be sure you get the correct result. I can for sure help, could you please tell me more what you block on? what is the criteria? is it signature? path? etc? Sounds like maybe you blocked the signature of Microsoft since Teams is getting blocked. Was it a Microsoft software you initially wanted to block?

Also as I show in the video, did you add in the default three rules to allow Microsoft? maybe it is only those missing, I show in the video how you with one click add them in.

Yes default rules are added but same issue one more question is this will work on windows 11 devices ?@@IntuneVitaDoctrina

yes in the video I use Windows 11 Enterprise, but it works on Pro also

Hello John, I am facing the exact same issue. The targeted app is blocked but at the same time Microsoft teams app gets blocked as well. Default executable rules are created. As mentioned in my another comment, unable to access the generated XML file as well.

Interesting, that leans that the policy isn't working for your platform, here is from Microsoft Docs describing this "Policy states: Not Applicable: This policy isn't supported on this platform. For example, iOS/iPadOS policies don't work on Android. Samsung KNOX policies don't work on Windows devices." learn.microsoft.com/en-us/troubleshoot/mem/intune/device-configuration/troubleshoot-policies-in-microsoft-intune You are sure it is a Windows 10 or later Configuration Profile? and the OMA-URI is correct?

@@IntuneVitaDoctrina it's windows 10 or later, the os it deploys to is Windows 10 enterprise. The VM is a gallery image and part of a AVD hostpool.

tricky, you don't happen to be in Co-managed and have Intune linked to SCCM? The Windows version of the Windows 10 Enterprise shows what version: 10.0.19045.3155 ?

@@IntuneVitaDoctrina It's not co-managed, no SCCM, just simple environment. Windows 10 Enterprise for Virtual Desktops Version 22H2 (OS Build 19045.3324)

Is this the first Configuration Profiles you have, or do you got others that work?, and it is only the AppLocker one that gives "Not Applicable"?

Hi Anas, do you have the three default rules that allows Microsoft? does your rule even block like notepad.exe right now? Would love to see your XML file of rules

Hello John, Appreciate your prompt response. The policy blocks the targeted application but at the same time it blocks Microsoft teams app as well. Yes, I do have default executable rules created. Notepad.exe working fine. I'm able to export the XML file but unable to access it in the browser. Error - The XML file doesn't appear to have any style information associated with it.

might be ok without the XML file, however I'm extremally interested to know what is the targeted application is? if it is another Microsoft software that you try to block I think I know why Teams is blocked too. Please just reply short what application you try to block and I think I might have an idea for a fix

​@@IntuneVitaDoctrina Really appreciate your swift response sir. We are trying to block VNC connect app. It is a type of remote access applications.

the publisher of the VNC connect app doesn't happen to be Microsoft? (shouldn't but since your rule block Teams I have to ask :) )

Thanks a lot! My first IT job 1997, was at the largest elementary school in Scandinavia, St Eriksskolan in Stockholm, we ran at that time Windows 3.11, which had no security at all, we installed Windows on C: and redirect ALL temp folders and user profiles to D: then we had a third party program that blocked all on C:... guess what I found on the D: GAMES :) GTA (car game) and stuff :) So if an organization needs to protect itself from it's own users, which sometimes is the case in schools, then AppLocker could be a solution. I'll think about doing such video, it would basically be to find the Signing Certificate for the game makers and block execution of them. Maybe it exists already ready AppLocker rules to copy for that. I'll think about it, could be a good video and useful for certain orgnaizations.