AppLocker in Intune using OMA-URI

Djordje Novakovic 626 Reputation points
2022-11-03T16:33:21.54+00:00

Hello,

I am testing app locker policy in Intune using OMA-URI and want to block some applications to be installed.
For example, I want to prevent Google Chrome, Notepad++ and KeePass applications from installing.

Below is the policy that I use in Intune.
However, it prevents all three applications from launching and Notepad++ from installing but doesn't prevent GoogleChrome and KeePass installations.

I used this guide: https://cloudinfra.net/how-to-implement-applocker-using-intune/

Does anyone have any idea?

<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePublisherRule Id="43c7b776-a68f-4153-9c82-adb8493656ae" Name="KEEPASS, from O=OPEN SOURCE DEVELOPER, L=METZINGEN, C=DE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=OPEN SOURCE DEVELOPER, L=METZINGEN, C=DE" ProductName="KEEPASS" BinaryName="">
<BinaryVersionRange LowSection="
" HighSection="" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="7c03abd1-34a7-4127-b58a-e727c176dc4a" Name="NOTEPAD++, from O=NOTEPAD++, L=SAINT CLOUD, S=ILE-DE-FRANCE, C=FR" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=NOTEPAD++, L=SAINT CLOUD, S=ILE-DE-FRANCE, C=FR" ProductName="NOTEPAD++" BinaryName="
">
<BinaryVersionRange LowSection="" HighSection="" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="ec244fc4-ec84-4a6a-8155-f4c2bdbe51fd" Name="GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="">
<BinaryVersionRange LowSection="
" HighSection="" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b16" Name="(Default Rule) All files located in the System32 folder" Description="Allows members of the Everyone group to run applications that are located in the System32 folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%SYSTEM32%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7b58" Name="(Default Rule) All files located in the Users folder" Description="Allows members of the Everyone group to run applications that are located in the Users folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%OSDRIVE%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177cad7a85" Name="(Default Rule) All files located in the D partition " Description="Allows members of the Everyone group to run applications that are located in the D partition." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="D:*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-7690-d2177caa4c82" Name="(Default Rule) All files located on Removable storage device " Description="Allows members of the Everyone group to run applications that are located in Removable storage device" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%HOT%*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="
" />
</Conditions>
</FilePathRule>
</RuleCollection>

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,805 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,570 questions
0 comments No comments
{count} votes

Accepted answer
  1. Jason Sandys 31,181 Reputation points Microsoft Employee
    2022-11-03T17:25:00.547+00:00

    First, this really has nothing to do with Intune, Intune is just delivering a policy. What AppLocker does with that policy is not under the control or visibility of Intune. Thus, I've added a Windows security tag to this thread.

    Next, blocking app installation is not what AppLocker is really designed for. Why does installation matter though if you've blocked execution?

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Djordje Novakovic 626 Reputation points
    2022-11-04T14:30:43.163+00:00

    Hi, trying to prevent users from installing unlicensed software.

    0 comments No comments