Hello,
I am testing an AppLocker policy in Intune using OMA-URI and want to block some applications from being installed.
For example, I want to prevent Google Chrome, Notepad++ and KeePass applications from installing.
Below is the policy that I use in Intune.
However, it prevents all three applications from launching and Notepad++ from installing, but doesn't prevent the Google Chrome and KeePass installations.
I used this guide: https://cloudinfra.net/how-to-implement-applocker-using-intune/
Does anyone have any idea?
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<!-- Enforced AppLocker rule collection of Type="Exe": three publisher Deny rules
     followed by seven path Allow rules.
     Scope: the Exe collection evaluates .exe and .com files only. Installers shipped
     as .msi/.msp are evaluated by a separate Msi rule collection, which this
     fragment does not contain.
     Precedence: in AppLocker a matching Deny rule wins over any Allow rule, so the
     Allow rules below (including the Administrators one) do not exempt anyone
     from the three Deny rules.
     Posture: because the Allow rules cover the OS drive, D: and removable media for
     Everyone, this collection behaves as a blocklist. Only files matching one of
     the three publisher conditions are stopped; everything else runs.
     NOTE(review): several values appear without the "*" wildcard that AppLocker's
     exported XML normally uses (BinaryName, LowSection, HighSection, Path="", and
     paths normally written as VARIABLE\*). Confirm against the deployed policy in
     case asterisks and backslashes were lost when the XML was pasted. -->

<!-- Deny for Everyone (S-1-1-0): files signed by this publisher whose version
     resource carries ProductName "KEEPASS". A setup program matches only if it has
     the same signer and the same product name.
     NOTE(review): that may be why the KeePass installer still runs. Check what the
     installer is signed as (e.g. Get-AppLockerFileInformation) and the
     "Microsoft-Windows-AppLocker/EXE and DLL" event log on a test device. -->
<FilePublisherRule Id="43c7b776-a68f-4153-9c82-adb8493656ae" Name="KEEPASS, from O=OPEN SOURCE DEVELOPER, L=METZINGEN, C=DE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=OPEN SOURCE DEVELOPER, L=METZINGEN, C=DE" ProductName="KEEPASS" BinaryName="">
<BinaryVersionRange LowSection="" HighSection="" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<!-- Deny for Everyone: files signed by this publisher with ProductName "NOTEPAD++".
     Per the post, this is the only rule that also stops the installer, which
     suggests that installer carries the same signer and product name. -->
<FilePublisherRule Id="7c03abd1-34a7-4127-b58a-e727c176dc4a" Name="NOTEPAD++, from O=NOTEPAD++, L=SAINT CLOUD, S=ILE-DE-FRANCE, C=FR" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=NOTEPAD++, L=SAINT CLOUD, S=ILE-DE-FRANCE, C=FR" ProductName="NOTEPAD++" BinaryName="">
<BinaryVersionRange LowSection="" HighSection="" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<!-- Deny for Everyone: files signed by this publisher with ProductName
     "GOOGLE CHROME". Other products from the same publisher are not matched.
     NOTE(review): the Chrome setup/updater binaries may carry a different product
     name than the browser itself; verify on the actual installer. Widening the
     rule to the whole publisher would also block every other product signed by
     it, so test that trade-off before deploying. -->
<FilePublisherRule Id="ec244fc4-ec84-4a6a-8155-f4c2bdbe51fd" Name="GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="">
<BinaryVersionRange LowSection="" HighSection="" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<!-- Allow for Everyone: executables under the Program Files path variable. -->
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%*" />
</Conditions>
</FilePathRule>
<!-- Allow for Everyone: executables under the Windows directory. -->
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%*" />
</Conditions>
</FilePathRule>
<!-- Allow for Everyone: executables under System32. -->
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b16" Name="(Default Rule) All files located in the System32 folder" Description="Allows members of the Everyone group to run applications that are located in the System32 folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%SYSTEM32%*" />
</Conditions>
</FilePathRule>
<!-- Allow for Everyone on the whole OS drive. The rule name says "Users folder",
     but the condition is the OS drive variable, which also covers user-writable
     locations such as profile and temp directories. On a typical install this
     makes the three narrower Allow rules above redundant. -->
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b58" Name="(Default Rule) All files located in the Users folder" Description="Allows members of the Everyone group to run applications that are located in the Users folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%OSDRIVE%*" />
</Conditions>
</FilePathRule>
<!-- Allow for Everyone: anything on the D: volume. Labelled "(Default Rule)" but
     this is a custom addition, not one of AppLocker's generated default rules. -->
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7a85" Name="(Default Rule) All files located in the D partition " Description="Allows members of the Everyone group to run applications that are located in the D partition." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="D:*" />
</Conditions>
</FilePathRule>
<!-- Allow for Everyone: anything on removable storage (the HOT path variable).
     Also a custom addition; it lets any executable not matching a Deny rule run
     from a removable drive. -->
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177caa4c82" Name="(Default Rule) All files located on Removable storage device " Description="Allows members of the Everyone group to run applications that are located in Removable storage device" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%HOT%*" />
</Conditions>
</FilePathRule>
<!-- Allow for local Administrators (S-1-5-32-544): intended as "all files".
     NOTE(review): the path is empty here; the stock rule uses Path="*". -->
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="" />
</Conditions>
</FilePathRule>
</RuleCollection>