Debugging why the Intune AppLocker Device Configuration Policy failed to be enforced on enrolled Windows 10 computers

AhDSuper 0 Reputation points
2024-05-11T01:16:50.78+00:00

I am running an Intune-managed network of Windows 10 computers. We have an initial App Lockdown policy deployed by a Custom OMA-URI setting. We used the following XML file:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured" >
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow" >
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow" >
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="CMD.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="POWERSHELL.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="POWERSHELL_ISE.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="REGEDIT.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="REG.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
</RuleCollection>

It works fine for this XML file.

However, we would like to remove the blocking of CMD.exe from this policy. We then created another policy with this XML file but with the lines related to CMD.exe removed:

<RuleCollection Type="Exe" EnforcementMode="NotConfigured" >
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow" >
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow" >
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="POWERSHELL.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="POWERSHELL_ISE.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="REGEDIT.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="Microsoft® Windows® Operating System" BinaryName="REG.EXE" >
        <BinaryVersionRange LowSection="" HighSection="" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
</RuleCollection>

We have a test device prepared by removing it from the previous old policy and applying this newly revised policy. After successful deployment, we have found out that the new policy has absolutely no effect on the test device.

It looks like nothing is blocked now for the test device. Have we missed anything? We just copied the old content from the Intune Management GUI to create the XML file in Notepad (in UTF-8 format) and deleted the several lines related to blocking CMD.exe. We saved the revised XML file, used it to create the revised policy, and applied it to the test device. Can anyone help point us to some possible reasons why the revised policy does not work?

Microsoft Intune Configuration

1 answer

  1. Rudy Ooms 596 Reputation points MVP
    2024-05-11T05:53:40.2733333+00:00

    Hi... as I am mentioning here... the AppLocker configuration files should get deployed to your device

    https://call4cloud.nl/2021/01/applocker-the-meltdown/

    Can you spot them in the MDM AppLocker folder? Are they the same as how you configured them?

    Did you also open the AppLocker event log? Does that log mention anything at all?

    Did you also check the Application Identity service? That service needs to be started (it should, but I have seen issues in which it just wasn't started)

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/configure-the-application-identity-service
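
The three checks suggested in the answer above (MDM AppLocker folder, AppLocker event log, Application Identity service), collected into one read-only PowerShell script to run elevated on the test device. This is an added example, not part of the original thread; the folder path `%windir%\System32\AppLocker\MDM` is assumed to be the default location of MDM-delivered AppLocker policy.

```powershell
# Added example: read-only AppLocker diagnostics for an Intune-enrolled device.
# Assumption: MDM-delivered policy is stored under %windir%\System32\AppLocker\MDM.
$report = [ordered]@{}

# 1. Application Identity service: AppLocker rules are not evaluated unless it runs.
$svc = Get-Service -Name AppIDSvc
$report['AppIDSvc'] = '{0} (StartType: {1})' -f $svc.Status, $svc.StartType

# 2. Policy files written by the MDM channel, to compare with what was configured.
$mdmDir = Join-Path $env:windir 'System32\AppLocker\MDM'
$report['MdmPolicyFiles'] = if (Test-Path $mdmDir) {
    (Get-ChildItem -Path $mdmDir -Recurse -File).FullName -join '; '
} else {
    'MDM folder not found'
}

# 3. Effective Exe rule collection as the device sees it.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if ($exe) {
    $report['ExeEnforcementMode'] = $exe.EnforcementMode
    # Binaries listed as exceptions to the allow rules (the ones meant to be blocked).
    $names = $exe.SelectNodes('.//Exceptions/FilePublisherCondition/@BinaryName') |
        ForEach-Object { $_.Value }
    $report['ExeExceptions'] = if ($names) { $names -join ', ' } else { 'none' }
} else {
    $report['ExeEnforcementMode'] = 'No Exe rule collection in effective policy'
}

# 4. Recent AppLocker events. 8001 = policy applied, 8002 = allowed,
#    8003 = audited (would have been blocked), 8004 = blocked.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'
$events = Get-WinEvent -LogName $logs -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

$report | Format-Table -AutoSize -Wrap
if ($events) {
    $events | Format-Table -AutoSize -Wrap
} else {
    'No AppLocker events found in the EXE/DLL or MSI/Script logs.'
}
```

If `ExeExceptions` still lists CMD.EXE, or the MDM folder is empty, the device has not received the revised policy as configured.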