Hello,
Right now we have a setup where users are not local administrators on their machines.
If they need to install something, they do "Run as administrator" and enter the credentials for the local administrator.
However, we want to block them from installing winrar.exe even if they run the installation as administrator.
I tried to block the installation of winrar.exe for all users by following this guide: https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981
I created rules in Local Security Policy > AppLocker > Executable Rules: one Deny rule for winrar.exe and the 3 default rules.
Those rules were then exported to XML.
Is this the right logic for the policy that I use in the OMA-URI in Intune:
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="27baaef5-5717-4121-b4c9-be0a3df59a4d" Name="WINRAR, from O=WIN.RAR GMBH, L=BERLIN, S=BERLIN, C=DE" Description="Block winrar for Everyone" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=WIN.RAR GMBH, L=BERLIN, S=BERLIN, C=DE" ProductName="WINRAR" BinaryName="">
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="" />
    </Conditions>
  </FilePathRule>
</RuleCollection>
Policy in Intune successfully applied to test machine.
However, it blocks all installations: if I try Run as administrator on some .exe file, it is blocked, but I only wanted to block the installation of WinRAR.
Does anyone have any idea? Is it possible to configure this in this kind of setup, where we have standard users and use a local administrator account for installations?
I found this at https://www.tenforums.com/tutorials/124008-use-applocker-allow-block-executable-files-windows-10-a.html:
"You must be signed in as an administrator to use AppLocker."
Thanks
That rule exempts everything from AppLocker making AppLocker completely useless now except for blocking that one item.
As noted, have you reviewed the event log?
Have you reviewed the AppLocker event log for details?
and enter credentials for local administrator
Not having users as local admin is a good thing, but then giving them the local admin password partially defeats the purpose of not allowing them to be local admins. You should consider ending this practice as well.
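As an added example (not code from the thread or its participants), this is how to check a policy like the one posted above with the AppLocker PowerShell module before pushing it through Intune, and how to read the AppLocker event log the answer refers to. The policy file location, the installer paths and the account PC01\localadmin are assumptions for illustration; the policy file is assumed to be the full export from Local Security Policy, whose root element is `<AppLockerPolicy Version="1">`, not just the bare `<RuleCollection>` fragment.

```powershell
# Added example, not code from the original thread. Assumed paths/accounts:
#   C:\Temp\applocker.xml                      policy exported from Local Security Policy
#   C:\Users\alice\Downloads\winrar-x64.exe    the installer that must be denied
#   C:\Users\alice\Downloads\other-setup.exe   any other installer
#   PC01\localadmin                            the local admin used for "Run as administrator"

Import-Module AppLocker

$PolicyXml  = 'C:\Temp\applocker.xml'
$Candidates = @(
    'C:\Users\alice\Downloads\winrar-x64.exe'
    'C:\Users\alice\Downloads\other-setup.exe'
    'C:\Windows\System32\notepad.exe'
)

# 1. Show the publisher attributes AppLocker reads from the signed file. The
#    FilePublisherCondition in the policy (PublisherName, ProductName, BinaryName)
#    must match these fields, otherwise the Deny rule never fires.
Get-AppLockerFileInformation -Path $Candidates[0] |
    Select-Object Path, Publisher

# 2. Evaluate the policy offline for both identities involved. With a publisher
#    Deny rule plus only the three default rules, expect:
#      winrar-x64.exe   -> Denied           (explicit Deny wins for every user)
#      other-setup.exe  -> DeniedByDefault  (Everyone: no Allow rule covers Downloads)
#                          Allowed          (Administrators: "(Default Rule) All files")
#      notepad.exe      -> Allowed          (%WINDIR% default rule)
#    MatchingRule names the rule that produced the decision, so an unexpected
#    "Allowed" for an installer in Downloads points straight at an over-broad
#    Allow rule such as a path rule on %OSDRIVE%\*.
foreach ($User in 'Everyone', 'PC01\localadmin') {
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Candidates -User $User |
        Select-Object @{ n = 'User'; e = { $User } }, FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}

# 3. On the enrolled test machine: confirm what Intune actually delivered,
#    rather than what you think you pasted into the OMA-URI.
(Get-AppLockerPolicy -Effective -Xml) -split "`r?`n" |
    Select-String -Pattern 'Action="Deny"', 'FilePathCondition Path='

# 4. The AppLocker operational log answers "why was this blocked?":
#    8004 = blocked (enforce mode), 8003 = would have been blocked (audit mode),
#    8002 = allowed. UserId is the SID the process ran under, which is what
#    AppLocker evaluated the rules against.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-List
```

Run step 2 against each revision of the policy before exporting it: if the WinRAR installer comes back Allowed for either identity, the policy will not block it on the endpoint either, and MatchingRule shows which Allow rule is responsible.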
Indeed, with this default policy it works with the local administrator account only.
However, I updated the policy with one more rule that allows the %OSDRIVE% location, and now it works as required: it blocks only winrar:
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b58" Name="(Default Rule) All files located in the Users folder" Description="Allows members of the Everyone group to run applications that are located in the Users folder." UserOrGroupSid="S-1-1-0" Action="Allow">
  <Conditions>
    <FilePathCondition Path="%OSDRIVE%\*" />
  </Conditions>
</FilePathRule>