AppLocker policy - Intune

Djordje Novakovic 626 Reputation points
2022-09-13T13:45:36.533+00:00

Hello,

Right now we have a setup where users are not local administrators on their machines.
If they need to install something, they use "Run as administrator" and enter the credentials of the local administrator.
However, we want to block them from installing winrar.exe even if they run the installation as administrator.

I tried to block the installation of winrar.exe for all users by following this guide: https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981

I created rules in Local Security Policy > AppLocker > Executable Rules: one Deny rule for winrar.exe and the 3 default rules.

Then I exported those rules to XML.
Is this good logic for the policy that I use in the OMA-URI in Intune?

<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="27baaef5-5717-4121-b4c9-be0a3df59a4d" Name="WINRAR, from O=WIN.RAR GMBH, L=BERLIN, S=BERLIN, C=DE" Description="Block winrar for Everyone" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=WIN.RAR GMBH, L=BERLIN, S=BERLIN, C=DE" ProductName="WINRAR" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>

The policy in Intune was successfully applied to the test machine.
However, it blocks all installations: if I try "Run as administrator" on some .exe file it is blocked, but I only wanted to block the installation of WinRAR.

Does anyone have any idea? Is it possible to configure this in this kind of setup, where we have standard users and use a local administrator account for installations?
I found here https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html:
"You must be signed in as an administrator to use AppLocker."

Thanks


Accepted answer
  1. Jason Sandys 31,286 Reputation points Microsoft Employee
    2022-09-15T15:58:59.027+00:00

    That rule exempts everything from AppLocker, making AppLocker completely useless now except for blocking that one item.

    As noted, have you reviewed the event log?


2 additional answers

  1. Jason Sandys 31,286 Reputation points Microsoft Employee
    2022-09-13T16:05:13.847+00:00

    Have you reviewed the AppLocker event log for details?

    "and enter credentials for local administrator"

    Not having users as local admin is a good thing, but then giving them the local admin password partially defeats the purpose of not allowing them to be local admins. You should consider ending this practice as well.


  2. Djordje Novakovic 626 Reputation points
    2022-09-15T15:14:42.58+00:00

    Indeed, with this default policy it works with the local administrator account only.

    However, I updated the policy with one more rule that allows the %OSDRIVE% location, and now it works as required: it blocks only WinRAR:

    <FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b58" Name="(Default Rule) All files located in the Users folder" Description="Allows members of the Everyone group to run applications that are located in the Users folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\*" />
      </Conditions>
    </FilePathRule>
    
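The following is an added example, not code from the thread, from Microsoft or from any participant. It is a deliberately simplified model of how AppLocker decides whether an .exe may run (an applicable Deny wins, otherwise any applicable Allow, otherwise the file is blocked when EnforcementMode is Enabled), applied to the Exe rule collection from the question (abridged, with its wildcards restored) and to the same collection plus the %OSDRIVE%\* rule from the follow-up. The path-variable expansion, the publisher metadata and the sample files are constructed for the example; real AppLocker also maps %PROGRAMFILES% to the (x86) folder and evaluates version ranges, both omitted here. Running it shows the accepted answer's point: with the extra rule, a standard user's token is allowed to run any unsigned executable on the OS drive, so the WinRAR Deny rule is the only thing AppLocker still enforces.

```python
"""Simplified AppLocker Exe-rule evaluation for the policy in this thread (added example)."""
import fnmatch
import re
import xml.etree.ElementTree as ET

EVERYONE = "S-1-1-0"
ADMINS = "S-1-5-32-544"

# Constructed expansion of AppLocker path variables for one test machine.
PATH_VARS = {"%OSDRIVE%": "C:", "%PROGRAMFILES%": r"C:\Program Files",
             "%WINDIR%": r"C:\Windows"}

# Exe rule collection from the question (abridged Name attributes, wildcards restored).
QUESTION_POLICY = r"""<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="27baaef5-5717-4121-b4c9-be0a3df59a4d" Name="Block WinRAR" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=WIN.RAR GMBH, L=BERLIN, S=BERLIN, C=DE" ProductName="WINRAR" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="All files (admins)" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>"""

# The rule added in the follow-up answer, kept as a separate fragment.
OSDRIVE_RULE = r"""<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b58" Name="Users folder" UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions><FilePathCondition Path="%OSDRIVE%\*" /></Conditions>
</FilePathRule>"""

# Constructed sample executables; 'publisher' is present only for a signed file.
SAMPLES = {
    "winrar": {"path": r"C:\Users\standarduser\Downloads\winrar-x64.exe",
               "publisher": "O=WIN.RAR GMBH, L=BERLIN, S=BERLIN, C=DE",
               "product": "WinRAR", "binary": "winrar-x64.exe"},
    "other_installer": {"path": r"C:\Users\standarduser\Downloads\some-setup.exe"},
    "notepad": {"path": r"C:\Windows\notepad.exe"},
}


def expand(path):
    """Substitute AppLocker path variables; matching is case-insensitive."""
    for var, value in PATH_VARS.items():
        path = path.replace(var, value)
    return path.lower()


def parse_rules(collection_xml, extra_rule_xml=None):
    """Flatten a RuleCollection (plus an optional extra rule) into dicts."""
    root = ET.fromstring(collection_xml)
    if extra_rule_xml:
        root.append(ET.fromstring(extra_rule_xml))
    rules = []
    for rule in root:
        cond = rule.find("Conditions")[0]
        entry = {"name": rule.get("Name"), "sid": rule.get("UserOrGroupSid"),
                 "action": rule.get("Action"), "kind": cond.tag}
        if cond.tag == "FilePathCondition":
            entry["pattern"] = expand(cond.get("Path"))
        else:  # FilePublisherCondition; version range treated as "*" (any)
            entry["publisher"] = cond.get("PublisherName").lower()
            entry["product"] = cond.get("ProductName").lower()
            entry["binary"] = cond.get("BinaryName").lower()
        rules.append(entry)
    return rules


def rule_matches(rule, exe):
    """Path rules use AppLocker-style wildcards; publisher rules need a signed file."""
    if rule["kind"] == "FilePathCondition":
        return fnmatch.fnmatchcase(exe["path"].lower(), rule["pattern"])
    if not exe.get("publisher"):
        return False
    return (exe["publisher"].lower() == rule["publisher"]
            and rule["product"] in ("*", exe["product"].lower())
            and rule["binary"] in ("*", exe["binary"].lower()))


def decide(rules, exe, token_sids):
    """An applicable Deny wins; else any applicable Allow; else blocked."""
    hits = [r for r in rules if r["sid"] in token_sids and rule_matches(r, exe)]
    if any(r["action"] == "Deny" for r in hits):
        return "Deny"
    if any(r["action"] == "Allow" for r in hits):
        return "Allow"
    return "Deny (no matching rule)"


def broad_everyone_allows(rules):
    """Names of Allow rules for Everyone whose path is '*' or a whole drive."""
    return [r["name"] for r in rules
            if r["action"] == "Allow" and r["sid"] == EVERYONE
            and r["kind"] == "FilePathCondition"
            and re.fullmatch(r"\*|[a-z]:\\\*", r["pattern"])]


def compare_policies():
    """Decisions for a standard-user token under the original and amended policy."""
    standard_user = {EVERYONE}
    original = parse_rules(QUESTION_POLICY)
    amended = parse_rules(QUESTION_POLICY, OSDRIVE_RULE)
    return {"original": {n: decide(original, f, standard_user) for n, f in SAMPLES.items()},
            "amended": {n: decide(amended, f, standard_user) for n, f in SAMPLES.items()},
            "broad_rules": broad_everyone_allows(amended)}


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(key, value)
```

The `broad_everyone_allows` check is the review step to run on any exported rule collection before pushing it through an OMA-URI: an Allow rule scoped to S-1-1-0 with a drive-root path turns the collection into a blocklist of whatever Deny rules remain, which is exactly the result the accepted answer describes.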
