Applocker windows 10 home

<#
.SYNOPSIS
This function creates new AppLocker settings using MDM WMI Bridge.
All previous rules will be deleted.

.CREDITS
The script is based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
MSIntune/Intune-PowerShell/AppLocker at master · sandytsang/MSIntune
#>

$namespaceName = «root\cimv2\mdm\dmmap» #Do not change this
$GroupName = «AppLocker001» #Your own groupName
$parentID = «./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName»

$classNameDLL = «MDM_AppLocker_DLL03» #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter «ParentID=`’$parentID`’ and InstanceID=’DLL'» | Remove-CimInstance

$classNameEXE = «MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03» #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter «ParentID=`’$parentID`’ and InstanceID=’EXE'» | Remove-CimInstance

$classNameMSI = «MDM_AppLocker_MSI03» #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter «ParentID=`’$parentID`’ and InstanceID=’MSI'» | Remove-CimInstance

$classNameScript = «MDM_AppLocker_Script03» #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter «ParentID=`’$parentID`’ and InstanceID=’Script'» | Remove-CimInstance

$classNameStoreApps = «MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03»
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter «ParentID=`’$parentID`’ and InstanceID=’Storeapps'» | Remove-CimInstance

Add-Type -AssemblyName System.Web

#This is example Rule Collection for EXE
$obj = [System.Net.WebUtility]::HtmlEncode(@»
<RuleCollection Type=»Exe» EnforcementMode=»Enabled»>
<FilePathRule Id=»921cc481-6e17-4653-8f75-050b80acca20″ Name=»All files located in the Program Files folder» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»%PROGRAMFILES%\*» />
</Conditions>
</FilePathRule>
<FilePathRule Id=»a61c8b2c-a319-4cd0-9690-d2177cad7b51″ Name=»All files located in the Windows folder» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»%WINDIR%\*» />
</Conditions>
<Exceptions>
<FilePathCondition Path=»%WINDIR%\registration\crmlog\*» />
<FilePathCondition Path=»%WINDIR%\servicing\packages\*» />
<FilePathCondition Path=»%WINDIR%\servicing\sessions\*» />
<FilePathCondition Path=»%WINDIR%\tasks\*» />
<FilePathCondition Path=»%WINDIR%\temp\*» />
<FilePathCondition Path=»%WINDIR%\tracing\*» />
<Exceptions>
<FilePathRule Id=»a61c8b2c-a319-4cd0-9690-d2177cad7b51″ Name=»All files located in the Windows folder» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»%OSDRIVE%\ProgramData\Microsoft\Windows Defender\*» />
</Conditions>
</FilePathRule>
<FilePublisherRule Id=»9ab086ea-40a8-4b05-875b-f9fdf9962ba8″ Name=»All signed» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePublisherCondition PublisherName=»*» ProductName=»*» BinaryName=»*»>
<BinaryVersionRange LowSection=»*» HighSection=»*» />
</FilePublisherCondition>
</Conditions>

</FilePublisherRule>
</RuleCollection>
«@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID=»EXE»;Policy=$obj}

#This is example Rule Collection for MSI
$obj = [System.Net.WebUtility]::HtmlEncode(@»
<RuleCollection Type=»Msi» EnforcementMode=»Enabled»>
<FilePublisherRule Id=»b7af7102-efde-4369-8a89-7a6a392d1473″ Name=»All signed» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePublisherCondition PublisherName=»*» ProductName=»*» BinaryName=»*»>
<BinaryVersionRange LowSection=»0.0.0.0″ HighSection=»*» />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePathRule Id=»5b290184-345a-4453-b184-45305f6d9a54″ Name=»All files located in the folder %systemdrive%\Windows\Installer.» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»%WINDIR%\Installer\*» />
</Conditions>
</FilePathRule>
<FilePathRule Id=»64ad46ff-0d71-4fa0-a30b-3f3d30c5433d» Name=»Allow for Administrators» Description=»» UserOrGroupSid=»S-1-5-32-544″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»*.*» />
</Conditions>
</FilePathRule>
</RuleCollection>
«@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID=»MSI»;Policy=$obj}

$obj = [System.Net.WebUtility]::HtmlEncode(@»
<RuleCollection Type=»Script» EnforcementMode=»Enabled»>
<FilePathRule Id=»06dce67b-934c-454f-a263-2515c8796a5d» Name=»All scripts in Program Files folder» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»%PROGRAMFILES%\*» />
</Conditions>
</FilePathRule>
<FilePathRule Id=»9428c672-5fc3-47f4-808a-a0011f36dd2c» Name=»All scripts in Windows folder» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»%WINDIR%\*» />
</Conditions>
<Exceptions>
<FilePathCondition Path=»%WINDIR%\registration\crmlog\*» />
<FilePathCondition Path=»%WINDIR%\servicing\packages\*» />
<FilePathCondition Path=»%WINDIR%\servicing\sessions\*» />
<FilePathCondition Path=»%WINDIR%\tasks\*» />
<FilePathCondition Path=»%WINDIR%\temp\*» />
<FilePathCondition Path=»%WINDIR%\tracing\*» />
</Exceptions>
</FilePathRule>
<FilePathRule Id=»ed97d0cb-15ff-430f-b82c-8d7832957725″ Name=»Allow for Administrators» Description=»» UserOrGroupSid=»S-1-5-32-544″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»*» />
</Conditions>
</FilePathRule>
</RuleCollection>
«@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID=»Script»;Policy=$obj}

$obj = [System.Net.WebUtility]::HtmlEncode(@»
<RuleCollection Type=»Dll» EnforcementMode=»Enabled»>
<FilePathRule Id=»bac4b0bf-6f1b-40e8-8627-8545fa89c8b6″ Name=»All DLLs» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePathCondition Path=»*» />
</Conditions>
<Exceptions>
<FilePathCondition Path=»%WINDIR%\registration\crmlog\*» />
<FilePathCondition Path=»%WINDIR%\servicing\packages\*» />
<FilePathCondition Path=»%WINDIR%\servicing\sessions\*» />
<FilePathCondition Path=»%WINDIR%\tasks\*» />
<FilePathCondition Path=»%WINDIR%\temp\*» />
<FilePathCondition Path=»%WINDIR%\tracing\*» />
</Exceptions>
</FilePathRule>
</FilePublisherRule>
</RuleCollection>
«@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID=»DLL»;Policy=$obj}

$obj = [System.Net.WebUtility]::HtmlEncode(@»
<RuleCollection Type=»Appx» EnforcementMode=»Enabled»>
<FilePublisherRule Id=»a9e18c21-ff8f-43cf-b9fc-db40eed693ba» Name=»All signed» Description=»» UserOrGroupSid=»S-1-1-0″ Action=»Allow»>
<Conditions>
<FilePublisherCondition PublisherName=»*» ProductName=»*» BinaryName=»*»>
<BinaryVersionRange LowSection=»0.0.0.0″ HighSection=»*» />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
«@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID=»Storeapps»;Policy=$obj}

Are you on the lookout for methods so as to add one other layer of safety to your native laptop or throughout a website? Contemplate stepping up your sport with the Home windows 10 AppLocker!

AppLocker provides you the facility to manage which apps and recordsdata customers can run. And on this tutorial, you’ll learn to arrange AppLocker and safe your Home windows 10 working system.

Really feel such as you want extra privateness? Learn on and begin securing your system!

Stipulations

This tutorial might be a hands-on demonstration. In the event you’d prefer to observe alongside, be certain you might have the next:

  • A Home windows 10 Schooling or Enterprise laptop – This tutorial makes use of Home windows 10 Enterprise 21H2.
  • An administrator consumer account to arrange domestically or entry a website controller for an organizational setup.
  • A area controller server for a multi-computer setup – This tutorial makes use of Home windows Server 2019 Datacenter.

Configuring the Utility Identification Service to Begin on Bootup

Earlier than you even start to arrange AppLocker guidelines and apply them to your native laptop, you first must tweak the Utility Identification Service. Setting the Utility Identification Service to begin routinely on bootup enforces Home windows 10 AppLocker guidelines.

Open a PowerShell console as an administrator, and run the beneath command to begin the Utility Identification service on bootup routinely.

sc.exe config appidsvc begin= auto

The output beneath reveals that the configuration was profitable.

Setting Application Identity service to start automatically

Setting Utility Identification service to begin routinely

Subsequent, run the next Get-Service command to confirm the Utility Identification service begins routinely and runs.

Get-Service AppIDSvc | choose -Property Title, Standing, StartType

Beneath, you may see the AppIDSvc standing is Operating with the beginning kind set to Computerized.

Scanning Application Identity status and start type

Scanning Utility Identification standing and begin kind

In the event you see a stopped standing, run the Begin-Service command beneath to begin the Utility Identification Service (AppIDSvc).

Begin-Service -Title “AppIDSvc”

Creating Default Home windows 10 AppLocker Guidelines

Now that you’ve configured the Utility Identification service, the subsequent step is to create default AppLocker guidelines. Creating AppLocker guidelines enables you to management which apps are allowed and denied.

You’ll be able to set Home windows 10 AppLocker guidelines for 4 classes of merchandise, as follows:

  • Executable Guidelines – Executable recordsdata (.exe, and the much less frequent .com).
  • Home windows Installer Guidelines – Home windows installer recordsdata (.msi, .msp, and .mst).
  • Script Guidelines – Script recordsdata (.bat, .cmd, .js, .ps1, and .vbs).
  • Packaged app Guidelines – Packaged apps and Packaged app installers (.appx).

The rule of thumb is to create default guidelines to permit all of the permitted apps that fall in any of the classes already working on an area laptop.

To create default AppLocker guidelines, you’ll first want entry to the Native Safety Coverage instrument:

1. Open the Run dialog field, kind secpol.msc, and click on OK (or press Enter) to entry the Native Safety Coverage.

Running the Local Security Policy

Operating the Native Safety Coverage

2. On the Native Safety Coverage window, broaden the Utility Management Insurance policies and AppLocker.

Accessing AppLocker rules via Local Security Policy

Accessing AppLocker guidelines through Native Safety Coverage

3. Choose, and right-click on Executable Guidelines → choose Create Default Guidelines to create the default AppLocker guidelines for the chosen class.

Repeat this step for the remainder classes (Home windows Installer, Script Guidelines, and Packaged app Guidelines).

Creating default rules for all categories

Creating default guidelines for all classes

4. Lastly, choose every class and confirm the default AppLocker guidelines exist, as proven beneath.

Beneath, you may see a gaggle of three default guidelines, much like others aside from Packaged app Guidelines, which has just one.

Viewing default executable rules

Viewing default executable guidelines

Creating Guidelines to Deny Purposes

Now that your default AppLocker guidelines are in place, you can begin creating guidelines to disclaim apps. Denying apps provides safety to your machine because you get to disclaim entry to malicious apps. The Native Safety Coverage additionally performs a component in creating guidelines to disclaim apps in your system.

On this tutorial, you’ll create guidelines for the Executable Guidelines class and take a look at if they really work. However when you’re assured in creating guidelines, you may create guidelines for different classes and see their variations.

Notice that the steps in creating guidelines for every class are comparable aside from the Packaged app Rule.

Denying Purposes through the Writer Circumstances

While you launch an app, you’re granting the writer permissions to make adjustments to your system, particularly if the app is continually related to the web. Sounds too dangerous?

Creating guidelines to disclaim purposes through the Writer circumstances will do the trick in the event you don’t belief a selected writer.

1. Choose and right-click on the class of your alternative (Executable Guidelines) → select Create New Rule to provoke creating a brand new rule.

Creating a new rule

Creating a brand new rule

2. Subsequent, click on Subsequent once you see the Earlier than You Start web page because it’s simply an introductory web page.

3. On the Permissions tab, select the Deny possibility, which is the Motion the rule will take.

Make sure you outline the customers affected by this rule. However go away Everybody chosen for this tutorial, and click on Subsequent.

Setting rule permissions

Setting rule permissions

4. Now, select from three choices for making a rule (besides Packaged app):

  • Writer – For an software that the software program writer indicators.
  • Path – For a selected file or folder.
  • File hash – For a file that isn’t signed.

However on this tutorial, choose the Writer possibility, and click on Subsequent.

Creating an AppLocker rule with the Writer situation permits you to set a roughly particular rule a few file.

Choosing a condition for the rule

Selecting a situation for the rule

5. Configure the Writer circumstances with the next:

Selecting the Any writer possibility may not be a smart resolution in any respect. A few of your apps from the identical writer might not work, so take warning when selecting this feature.

  • Browse your native laptop for the file that you must make a deny rule for.
  • Regulate the slider in keeping with your want to pick which properties outline the rule; it might be as detailed because the file model or the writer.

On this instance, the chosen property is Google Chrome’s File model.

  • Click on Subsequent to proceed setting exceptions to the rule circumstances.
Choosing a file property for the deny rule

Selecting a file property for the deny rule

6. At this level, click on Subsequent, as there is no such thing as a must make exceptions for the deny rule.

Skipping adding exceptions

Skipping including exceptions

7. Present a descriptive title for the rule, and click on Create to create the rule with the Writer situation.

Creating an AppLocker rule with the Publisher condition

Creating an AppLocker rule with the Writer situation

8. In the end, strive accessing purposes from the writer you set the deny rule for. If the deny rule works, you’ll get the next message.

No matter your chosen situation, you’ll get the identical message beneath once you launch an app denied beneath the Executable Guidelines class.

Verifying the AppLocker deny rules work

Verifying the AppLocker deny guidelines work

Denying Purposes through the Path Circumstances

Suppose you belief a writer however are skeptical about certainly one of their purposes. In that case, your best option is to create guidelines to disclaim particular purposes or folder paths.

1. Create one other rule as you probably did in steps one to 4 of the “Denying Purposes through the Writer Circumstances” part.

However this time, select the Path situation for a selected file or folder path.

Choosing the Path condition for the new deny rule

Selecting the Path situation for the brand new deny rule

2. On the Path tab, select the file or folder path to which you need to apply the rule, and click on Subsequent.

As an example, you need to prohibit customers from pulling up Notepad. In that case, specify or browse Notepad’s full path.

Notice that selecting a folder applies the AppLocker rule to all of the recordsdata in that folder.

Choosing a file or a folder path

Selecting a file or a folder path

3. Skip including exceptions within the Exceptions tab and click on Subsequent.

Skipping adding exceptions

Skipping including exceptions

4. Lastly, change the rule’s Title and Description, and click on Create to finalize the deny rule.

Setting the deny rule’s name and description

Setting the deny rule’s title and outline

Denying Purposes through the File Hash

As , a malicious app can disguise itself as certainly one of your every day instruments that controls your system’s habits. Stumbling upon an app (unsigned or from an unverified writer) can wreak havoc in your machine.

Learn how to keep away from unintentionally working these malicious apps? Apart from having a strong anti-virus, creating guidelines to disclaim purposes through file hash is a large assist.

1. Create a brand new deny rule, and select the File hash situation this time.

2. Subsequent, browse, choose the file or folder that you must set a rule, and click on Subsequent.

Selecting a file or a folder using file hash

Choosing a file or a folder utilizing file hash

3. Lastly, change the deny rule’s Title and Description (non-obligatory), and click on Create to create the brand new deny rule.

Naming the new deny rule with File Hash condition

Naming the brand new deny rule with File Hash situation

Deploying Home windows 10 AppLocker Guidelines Utilizing a Group Coverage Object (GPO)

By now, you already know the right way to deny purposes in your laptop. However what if that you must apply AppLocker guidelines to multiple laptop or for a corporation? Utilizing a GPO, you may deploy AppLocker guidelines to computer systems in a corporation’s area.

Making a GPO enables you to deploy AppLocker to a number of Home windows 10 computer systems concurrently with out manually doing so on every laptop.

To create an AppLocker GPO, you’ll first must create an OU:

Notice that it’s finest observe to initially deploy a GPO in a “take a look at organizational unit” (OU) to keep away from messing issues up in your AD construction.

1. Launch Lively Listing Customers and Computer systems, right-click your area (left panel) → New → Organizational Unit to provoke including a brand new OU.

Creating a new OU in the domain controller

Creating a brand new OU within the area controller

2. Subsequent, present a reputation you like in your take a look at OU. Hold the unintended deletion safety checked and click on OK to create the brand new OU.

Naming a new OU

Naming a brand new OU

3. Add a pc to your take a look at OU with the next:

  • Click on Computer systems (left panel) to entry the checklist of accessible computer systems in your area controller.
  • Drag and drop a pc to your take a look at OU.
  • Click on Sure to proceed including the chosen laptop to your take a look at OU once you get the warning message field.
Adding a computer to the test OU

Including a pc to the take a look at OU

4. Now, launch Group Coverage Administration, the place you’ll create a GPO.

Develop your area (left panel) → right-click in your take a look at OU → Create a GPO on this area, and Hyperlink it right here… to provoke making a GPO.

Creating an AppLocker GPO

Creating an AppLocker GPO

5. Title the GPO as you want, and click on OK to finalize creating the GPO.

Naming the AppLocker GPO

6. As soon as created, right-click in your AppLocker GPO, choose Enforced within the context menu, and click on OK within the message field.

Altering the Enforced setting for the GPO applies the settings within the GPO to the item (a Native System, Area, Web site, or Organizational Unit).

Enforcing the AppLocker GPO

Imposing the AppLocker GPO

7. Subsequent, right-click on the AppLocker GPO and select Edit to open the Group Coverage Administration Editor.

Opening Group Policy Management Editor

Opening Group Coverage Administration Editor

8. Configure the Utility Identification properties with the next:

  • Underneath Laptop Configuration, broaden Insurance policies → Home windows Settings → Safety Settings.
  • Choose System Settings and double-click on Utility Identification to entry its properties.
  • Tick the Outline this coverage setting field, and select Computerized to set the Utility Identification to begin routinely on bootup.

Routinely beginning Utility Identification is essential because it acts as a swap for AppLocker to work.

  • Click on Apply and OK to avoid wasting the adjustments to the Utility Identification properties.
Making Application Identity start automatically

Making Utility Identification begin routinely

9. Scroll down and broaden Utility Management Insurance policies (left panel) → broaden AppLocker.

Locating AppLocker in Group Policy Management Editor

Finding AppLocker in Group Coverage Administration Editor

10. Now, create your default AppLocker guidelines by replicating all of the steps from the Creating Default AppLocker Guidelines part.

11. Lastly, observe the steps within the Creating AppLocker Deny Guidelines part to create your deny guidelines.

Verifying Utility Identification and AppLocker GPO Standing

After deploying your AppLocker guidelines through a GPO, verify the standing of AppIDSvc on the pc you added to the take a look at OU. You’ll additionally confirm in the event you efficiently utilized your AppLocker GPO to the take a look at OU.

1. Log in to the pc you added to the take a look at OU.

2. Subsequent, run the beneath command to verify the AppIDSvc standing.

Get-Service AppIDSvc | choose -Property Title, Standing, StartType
Scanning Application Identity status and start type

Scanning Utility Identification standing and begin kind

3. Now, run the gpresult command beneath to verify the utilized GPOs

Search for the AppLocker GPO beneath Laptop Settings, which confirms the GPO has been utilized.

Checking the AppLocker GPO status

Checking the AppLocker GPO standing

4. Lastly, take a look at your AppLocker deny guidelines once more. And in the event that they work, you will notice a message field much like the one beneath.

Nice job! You are actually prepared to duplicate these steps and deploy your AppLocker to a dwell organizational unit.

Testing if the deny rules work correctly

Testing if the deny guidelines work appropriately

Conclusion

Whether or not an software, bundle, or script, AppLocker enables you to management which to permit or deny making adjustments in your system. And on this tutorial, you discovered the right way to create Home windows 10 AppLocker guidelines to safe your system to an area laptop and deploy these guidelines to a number of machines with a GPO.

With this newfound data, will you think about AppLocker to guard your system from malicious assaults?

Are you looking for ways to add another layer of security to your local computer or across a domain? Consider stepping up your game with the Windows 10 AppLocker!

AppLocker gives you the power to control which apps and files users can run. And in this tutorial, you’ll learn how to set up AppLocker and secure your Windows 10 operating system.

Feel like you need more privacy? Read on and start securing your system!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following:

  • A Windows 10 Education or Enterprise computer – This tutorial uses Windows 10 Enterprise 21H2.
  • An administrator user account to set up locally or access a domain controller for an organizational setup.
  • A domain controller server for a multi-computer setup – This tutorial uses Windows Server 2019 Datacenter.

Configuring the Application Identity Service to Start on Bootup

Before you even begin to set up AppLocker rules and apply them to your local computer, you first need to tweak the Application Identity Service. Setting the Application Identity Service to start automatically on bootup enforces Windows 10 AppLocker rules.

Open a PowerShell console as an administrator, and run the below command to start the Application Identity service on bootup automatically.

sc.exe config appidsvc start= auto

The output below shows that the configuration was successful.

Setting Application Identity service to start automatically

Setting Application Identity service to start automatically

Next, run the following Get-Service command to verify the Application Identity service starts automatically and runs.

Get-Service AppIDSvc | select -Property Name, Status, StartType

Below, you can see the AppIDSvc status is Running with the start type set to Automatic.

Scanning Application Identity status and start type

Scanning Application Identity status and start type

If you see a stopped status, run the Start-Service command below to start the Application Identity Service (AppIDSvc).

Start-Service -Name “AppIDSvc”

Creating Default Windows 10 AppLocker Rules

Now that you have configured the Application Identity service, the next step is to create default AppLocker rules. Creating AppLocker rules lets you control which apps are allowed and denied.

You can set Windows 10 AppLocker rules for four categories of products, as follows:

  • Executable Rules – Executable files (.exe, and the less common .com).
  • Windows Installer Rules – Windows installer files (.msi, .msp, and .mst).
  • Script Rules – Script files (.bat, .cmd, .js, .ps1, and .vbs).
  • Packaged app Rules – Packaged apps and Packaged app installers (.appx).

The rule of thumb is to create default rules to allow all the approved apps that fall in any of the categories already running on a local computer.

To create default AppLocker rules, you’ll first need access to the Local Security Policy tool:

1. Open the Run dialog box, type secpol.msc, and click OK (or press Enter) to access the Local Security Policy.

Running the Local Security Policy

Running the Local Security Policy

2. On the Local Security Policy window, expand the Application Control Policies and AppLocker.

Accessing AppLocker rules via Local Security Policy

Accessing AppLocker rules via Local Security Policy

3. Select, and right-click on Executable Rules → select Create Default Rules to create the default AppLocker rules for the selected category.

Repeat this step for the rest categories (Windows Installer, Script Rules, and Packaged app Rules).

Creating default rules for all categories

Creating default rules for all categories

4. Lastly, select each category and verify the default AppLocker rules exist, as shown below.

Below, you can see a group of three default rules, similar to others except for Packaged app Rules, which has only one.

Viewing default executable rules

Viewing default executable rules

Creating Rules to Deny Applications

Now that your default AppLocker rules are in place, you can start creating rules to deny apps. Denying apps adds security to your machine since you get to deny access to malicious apps. The Local Security Policy also plays a part in creating rules to deny apps on your system.

In this tutorial, you’ll create rules for the Executable Rules category and test if they actually work. But once you’re confident in creating rules, you can create rules for other categories and see their differences.

Note that the steps in creating rules for each category are similar except for the Packaged app Rule.

Denying Applications via the Publisher Conditions

When you launch an app, you’re granting the publisher permissions to make changes to your system, especially if the app is constantly connected to the internet. Sounds too risky?

Creating rules to deny applications via the Publisher conditions will do the trick if you don’t trust a particular publisher.

1. Select and right-click on the category of your choice (Executable Rules) → choose Create New Rule to initiate creating a new rule.

Creating a new rule

Creating a new rule

2. Next, click Next when you see the Before You Begin page since it’s just an introductory page.

3. On the Permissions tab, choose the Deny option, which is the Action the rule will take.

Ensure you define the users affected by this rule. But leave Everyone selected for this tutorial, and click Next.

Setting rule permissions

Setting rule permissions

4. Now, choose from three options for creating a rule (except Packaged app):

  • Publisher – For an application that the software publisher signs.
  • Path – For a specific file or folder.
  • File hash – For a file that is not signed.

But in this tutorial, select the Publisher option, and click Next.

Creating an AppLocker rule with the Publisher condition allows you to set a more or less specific rule about a file.

Choosing a condition for the rule

Choosing a condition for the rule

5. Configure the Publisher conditions with the following:

Choosing the Any publisher option might not be a wise decision at all. Some of your apps from the same publisher may not work, so take caution when choosing this option.

  • Browse your local computer for the file you need to make a deny rule for.
  • Adjust the slider according to your need to select which properties define the rule; it could be as detailed as the file version or the publisher.

In this example, the chosen property is Google Chrome’s File version.

  • Click Next to continue setting exceptions to the rule conditions.
Choosing a file property for the deny rule

Choosing a file property for the deny rule

6. At this point, click Next, as there is no need to make exceptions for the deny rule.

Skipping adding exceptions

Skipping adding exceptions

7. Provide a descriptive name for the rule, and click Create to create the rule with the Publisher condition.

Creating an AppLocker rule with the Publisher condition

Creating an AppLocker rule with the Publisher condition

8. Ultimately, try accessing applications from the publisher you set the deny rule for. If the deny rule works, you’ll get the following message.

Regardless of your chosen condition, you’ll get the same message below when you launch an app denied under the Executable Rules category.

Verifying the AppLocker deny rules work

Verifying the AppLocker deny rules work

Denying Applications via the Path Conditions

Suppose you trust a publisher but are skeptical about one of their applications. If so, your best choice is to create rules to deny specific applications or folder paths.

1. Create another rule as you did in steps one to four of the “Denying Applications via the Publisher Conditions” section.

But this time, choose the Path condition for a specific file or folder path.

Choosing the Path condition for the new deny rule

Choosing the Path condition for the new deny rule

2. On the Path tab, choose the file or folder path to which you want to apply the rule, and click Next.

For instance, you want to prohibit users from pulling up Notepad. In that case, specify or browse Notepad’s full path.

Note that choosing a folder applies the AppLocker rule to all the files in that folder.

Choosing a file or a folder path

Choosing a file or a folder path

3. Skip adding exceptions in the Exceptions tab and click Next.

Skipping adding exceptions

Skipping adding exceptions

4. Finally, change the rule’s Name and Description, and click Create to finalize the deny rule.

Setting the deny rule’s name and description

Setting the deny rule’s name and description

Denying Applications via the File Hash

As you know, a malicious app can disguise itself as one of your daily tools that controls your system’s behavior. Stumbling upon an app (unsigned or from an unverified publisher) can wreak havoc on your machine.

How to avoid unintentionally running these malicious apps? Besides having a powerful anti-virus, creating rules to deny applications via file hash is a huge help.

1. Create a new deny rule, and choose the File hash condition this time.

2. Next, browse, select the file or folder you need to set a rule, and click Next.

Selecting a file or a folder using file hash

Selecting a file or a folder using file hash

3. Lastly, change the deny rule’s Name and Description (optional), and click Create to create the new deny rule.

Naming the new deny rule with File Hash condition

Naming the new deny rule with File Hash condition

Deploying Windows 10 AppLocker Rules Using a Group Policy Object (GPO)

By now, you already know how to deny applications on your computer. But what if you need to apply AppLocker rules to more than one computer or for an organization? Using a GPO, you can deploy AppLocker rules to computers in an organization’s domain.

Creating a GPO lets you deploy AppLocker to multiple Windows 10 computers simultaneously without manually doing so on each computer.

To create an AppLocker GPO, you’ll first need to create an OU:

Note that it’s best practice to initially deploy a GPO in a “test organizational unit” (OU) to avoid messing things up in your AD structure.

1. Launch Active Directory Users and Computers, right-click your domain (left panel) → New → Organizational Unit to initiate adding a new OU.

Creating a new OU in the domain controller

Creating a new OU in the domain controller

2. Next, provide a name you prefer for your test OU. Keep the accidental deletion protection checked and click OK to create the new OU.

Naming a new OU

Naming a new OU

3. Add a computer to your test OU with the following:

  • Click Computers (left panel) to access the list of available computers on your domain controller.
  • Drag and drop a computer to your test OU.
  • Click Yes to continue adding the selected computer to your test OU when you get the warning message box.
Adding a computer to the test OU

Adding a computer to the test OU

4. Now, launch Group Policy Management, where you’ll create a GPO.

Expand your domain (left panel) → right-click on your test OU → Create a GPO in this domain, and Link it here… to initiate creating a GPO.

Creating an AppLocker GPO

Creating an AppLocker GPO

5. Name the GPO as you like, and click OK to finalize creating the GPO.

Naming the AppLocker GPO

6. Once created, right-click on your AppLocker GPO, select Enforced in the context menu, and click OK in the message box.

Changing the Enforced setting for the GPO applies the settings in the GPO to the object (a Local System, Domain, Site, or Organizational Unit).

Enforcing the AppLocker GPO

Enforcing the AppLocker GPO

7. Next, right-click on the AppLocker GPO and choose Edit to open the Group Policy Management Editor.

Opening Group Policy Management Editor

Opening Group Policy Management Editor

8. Configure the Application Identity properties with the following:

  • Under Computer Configuration, expand Policies → Windows Settings → Security Settings.
  • Select System Settings and double-click on Application Identity to access its properties.
  • Tick the Define this policy setting box, and choose Automatic to set the Application Identity to start automatically on bootup.

Automatically starting Application Identity is crucial as it acts as a switch for AppLocker to work.

  • Click Apply and OK to save the changes to the Application Identity properties.
Making Application Identity start automatically

Making Application Identity start automatically

9. Scroll down and expand Application Control Policies (left panel) → expand AppLocker.

Locating AppLocker in Group Policy Management Editor

Locating AppLocker in Group Policy Management Editor

10. Now, create your default AppLocker rules by replicating all the steps from the Creating Default AppLocker Rules section.

11. Lastly, follow the steps in the Creating AppLocker Deny Rules section to create your deny rules.

Verifying Application Identity and AppLocker GPO Status

After deploying your AppLocker rules via a GPO, check the status of AppIDSvc on the computer you added to the test OU. You’ll also verify if you successfully applied your AppLocker GPO to the test OU.

1. Log in to the computer you added to the test OU.

2. Next, run the below command to check the AppIDSvc status.

Get-Service AppIDSvc | select -Property Name, Status, StartType
Scanning Application Identity status and start type

Scanning Application Identity status and start type

3. Now, run the gpresult command below to check the applied GPOs

Look for the AppLocker GPO under Computer Settings, which confirms the GPO has been applied.

Checking the AppLocker GPO status

Checking the AppLocker GPO status

4. Finally, test your AppLocker deny rules again. And if they work, you will see a message box similar to the one below.

Great job! You are now ready to replicate these steps and deploy your AppLocker to a live organizational unit.

Testing if the deny rules work correctly

Testing if the deny rules work correctly

Conclusion

Whether an application, package, or script, AppLocker lets you control which to allow or deny making changes in your system. And in this tutorial, you learned how to create Windows 10 AppLocker rules to secure your system to a local computer and deploy those rules to multiple machines with a GPO.

With this newfound knowledge, will you consider AppLocker to protect your system from malicious attacks?

Windows Applocker was introduced in Windows 7 and includes some new features in Windows 11/10. With AppLocker, an administrator can block or allow certain users or user groups from installing or using certain applications. You can use blacklisting rules or whitelisting rules to achieve this result. AppLocker helps administrators control which applications and files users can run. These include executable files, scripts, Windows Installer files, DLLs, Packaged apps, and Packaged app installers.

Windows AppLocker prevents users from installing or running applications

AppLocker helps administrators create rules to allow or deny specific applications based on criteria like file attributes, publisher names, file paths, and more. This can be useful for preventing unauthorized software from running, ensuring compliance with licensing agreements, and maintaining a standard software environment across an organization

In Windows 11 and Windows 11, Applocker has evolved and lets you block legacy as well as Windows Store apps.

To prevent users from installing or running Windows Store Apps with AppLocker in Windows, type secpol.msc in Run and hit Enter to open the Local Security Policy Editor.

How to use AppLocker in Windows 10

In the console tree, navigate to Security Settings > Application Control Policies > AppLocker.

Select where you want to create the rule. This could be for an Executable, Windows Installer, Scripts or in the case of Windows 10, a Windows Store packaged app.

Let us say you want to create a rule for Packaged apps. Right-click on Packaged apps and select Create Rule. You will see a Before You Begin page.

How to use AppLocker in Windows 10

Click Next to reach the Permissions page.

app-3

On this page, select the action viz. Allow or Deny and the User or User Group you want the rule to apply. Click Next to reach the Conditions page.

app-4

Select how you want to create the rules – base on Publishers, File Path, or Has. I have selected Publishers, which is the default.

Click Next to reach the Publisher page.

app-5

Here you can browse for and select a Reference for the Packaged app and set the Scope for the rule.

Settings for Scope include:

  1. Applies to Any publisher
  2. Applies to a specific Publisher
  3. Applies to a Package name
  4. Applies to a Package version
  5. Applying custom values to the rule

The options for Reference include:

  1. Use an installed packaged app as a reference
  2. Use a packaged app installer as a reference

After making your selections, click Next again.

If you wish, on the Exceptions page you may specify conditions when to exclude the rules, and on the Name and Description page, you can accept the automatically generated rule name or type a new rule name, and click Create. You can read more about creating rules for Packaged Windows Store apps here at Technet.

Do note that for the AppLocker to work on your system, the Application Identity service must be running on your computer. Also, the Group Policy Client service, gpsvc, required for running AppLOcker, is disabled by default on Windows RT, so you may have to enable it via services.msc.

Difference between AppLocker in Windows 11/10 & Windows 7

The AppLocker in Windows 11/10 allows you to also create rules for Packaged Windows Store apps. Moreover, the Windows 11/10 AppLocker rules can also additionally control the .mst and .appx file formats.

This app has been blocked by your system administrator

If as a user, you find that when you start any Windows Store app (or traditional software) you receive the message: This app has been blocked by your system administrator, you will have to contact your Administrator and ask him to create rules to allow you to use (or install) the software.

app-blocked

To create and enforce AppLocker rules, the computer must be running Windows 11/10, Windows 8 Enterprise, Windows 7 Ultimate, Windows 7 Enterprise, Windows Server 2008 R2 or Windows Server 2012.

You can also block users from installing or running programs using the Registry or Group Policy.

PS: Windows Program Blocker is a free App or Application blocker software to block software from running.

I wrote a blog post earlier about how to uninstall built-in apps from Windows 10 CBB using Powershell, https://ccmexec.com/2015/08/removing-built-in-apps-from-windows-10-using-powershell/ however some apps cannot be uninstalled like Microsoft Edge, Contact Support and Windows Feedback.

They can be blocked using Applocker instead that is the best workaround I have found. Blocking them using an Applocker policy is working really well, if the user never logged on to the computer before the Applocker policy is applied the application, in this case Contact support is not installed for the user at all and therefor not present either on start or by using search which is really great!

If the user have logged on to the computer before the Applocker policy is applied the applications is present but the user can no longer start it, and will get the below message displayed.

BlockContactSupport10

So this method could be used instead of uninstalling the apps as the end result for the end-user is basically the same if they haven’t logged on to the computer before the policy is applied.

The challenge with that right now is there is no RSAT for Windows 10 available yet so creating the policy is a a bit of a challenge. So I ended up creating the Applocker policy locally on a Windows 10 computer and then export it and then import it on a Windows 2012 R2 server with the Group Policy Management MMC installed.

Here are the steps for creating a Group Policy to block Contact Support, the same steps would be used to block Microsoft Edge and Windows Feedback if that is a requirement for you as well.

1. Create a new Group Policy for this test.

2. Under Computer Configuration\Policies\Windows Settings\Security Settings\System Services change the startup to Automatic for the Application Identity Service. This service must be started for the Applocker policies to be enforced on the client computers.

BlockContactSupport

3. On a Windows 10 computer running the Enterprise version start Group Policy Editor by typing Edit Group Policy in the search Taskbar.

4. Under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\Applocker right-click and select Properties and enable Packaged app Rules and select Enforce rules.

BlockContactSupport1

5. Then we need to create two Packaged app Rules one default rule to allow all apps to run and one rule to block the Contact Support app in this scenario.

6. Right-Click Packaged app Rules and select Create default Rules, this will create a rule that allows all signed apps to be executed. Note that this setting only applies to Apps and not Win32 applications.

BlockContactSupport3

7. Then we create a new Package app Rule by right-clicking Packaged app Rules and select Create New Rule

BlockContactSupport2

8. On the next screen we select to Deny this app to run for Everyone.

BlockContactSupport4

9.  Then select Use and installed packaged app as a reference and click select.

BlockContactSupport5

10. In the next dialog select the apps you want to block, in my case the Contact Support app, then select OK, and Create

BlockContactSupport6

11. Now we have a policy created locally on the Windows 10 computer with the correct policy shown below.

BlockContactSupport11

12 In the Applocker node in Group policy editor Right-Click and select Export policy. Save the file on a share so you can access it from the computer where you are running the Group Policy Management MMC.

BlockContactSupport7

13. On the computer running the Group Policy Management MMC edit the Group Policy we created in AD in step 1 and under Applocker in the group policy editor select Import Policy and import the policy exported from the Windows 10 computer.

BlockContactSupport8

14. You will be prompted that it will overwrite all existing policies.

BlockContactSupport9

Now we have a policy that can be deployed to Windows 10 that will block the Contact Support app!

Time to start testing.

Понравилась статья? Поделить с друзьями:
0 0 голоса
Рейтинг статьи
Подписаться
Уведомить о
guest

0 комментариев
Старые
Новые Популярные
Межтекстовые Отзывы
Посмотреть все комментарии
  • Как проверить на компьютере какая стоит windows
  • Как сократить размер windows 10
  • Install keras windows pip
  • Kms auto windows server 2019
  • Как кастомизировать cmd windows 10