I wanted to block specific remote assist applications (such as TeamViewer and AnyDesk) through the Intune Portal, so I created an AppLocker policy and implemented it through that.

On my laptop, I opened the Local Group Policy Editor and went to Computer Configuration -> Windows Settings -> Security Policy -> Application Control Policies. Under AppLocker, I clicked on Configure Rule Enforcement -> Enabled Executable Rules.

I created the default rules and then created a new rule to Deny the applications AnyDesk and TeamViewer: browsed to and chose Teamviewer.exe under reference file. No exceptions are required, so I clicked Next. I followed the same steps again and created a rule for AnyDesk as well. Exported this and saved it as an XML file.

Opened up the local group policy editor again, went to Windows Installer Rules, and created the default policy only without enabling it (set to: Not Configured). Similarly, created default rules for Script Rules, DLL Rules and Packaged App Rules without enabling them.

On the Microsoft Intune Console, I went to Devices -> Windows -> Configuration Profiles -> Profiles -> Create Profile -> selected "Windows 10 or later" as Platform -> selected "Template" as profile type -> "Custom" as Template Name. Clicked on "Add Row" under "OMA-URI Settings". Description: XML doc to restrict.

I was working with Desired State Configuration and wondered why a custom DSC resource hasn't been published yet for Applocker. Bitlocker already has its experimental DSC resource. I also wondered what it really takes to configure Applocker with PowerShell Desired State Configuration.

Do not apply this on your servers/workstations if you don't understand what Applocker does. I don't have anything against these software editors. Yes, I know that's not the most secure Applocker configuration, as the example below mixes both a very permissive (default) whitelist and a very specific blacklist.

Let's also quickly examine the Applocker requirements:

- Applocker rules can be imported from/exported to an XML file using the GUI or using the cmdlets of the built-in Applocker module (it has existed since PowerShell version 2.0 on Windows 7). XML seems the better way to go, although the Applocker policy can also be found in the registry under the HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 key.
- The Applocker policy depends on the 'Application Identity' service to be enforced.

Based on the above light requirements, it seems that built-in DSC resources would actually do the job and allow deploying an Applocker policy locally.

To configure Applocker, I first need to export the Applocker policy to XML and dump its indented representation to a file. To solve the indentation issue, I've used the Format-XML function written by Jeffrey Snover that you can find on this page.

```powershell
# Jeffrey Snover's Format-XML: re-serialise an XML document with indentation
function Format-XML ([xml]$xml, $indent = 2)
{
    $StringWriter = New-Object System.IO.StringWriter
    $XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter
    $XmlWriter.Formatting = 'Indented'
    $XmlWriter.Indentation = $indent
    $xml.WriteContentTo($XmlWriter)
    $XmlWriter.Flush()
    $StringWriter.ToString()
}

# Export the effective policy as a string, cast it to [xml], and dump the indented form to a file
Format-XML ([xml](Get-AppLockerPolicy -Effective -Xml)) -indent 2 |
    Out-File -FilePath ~/Documents\Applocker-pol.xml -Encoding ascii
```

The second step consists in creating the file locally with the XML content, thanks to the built-in File DSC resource. To decide whether to apply the policy, I'll export the current effective Applocker policy and compare it to the XML file. Once the Applocker policy is applied, I'll start the required service.

Here is what the DSC configuration looks like to deploy an Applocker policy locally.

```powershell
# File resource (XMLPol): where the policy XML is written on the target
DestinationPath = 'C:\windows\temp\polApplocker.xml'

# Script resource (ApplyLocalApplockerPol), GetScript: the current effective policy
Result = ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXml

# TestScript: compare the effective policy with the XML file (empty output = in sync)
Compare-Object -ReferenceObject ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXml `
               -DifferenceObject ([xml](Get-Content 'C:\windows\temp\polApplocker.xml')).InnerXml

# SetScript: apply the policy from the XML file
Set-AppLockerPolicy -XMLPolicy 'C:\windows\temp\polApplocker.xml'

# Service resource: start the Application Identity service once the policy is in place
# (resource type prefixes are assumed; DSC requires the "[Type]Name" form)
DependsOn = "[File]XMLPol", "[Script]ApplyLocalApplockerPol"
```
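As an added example, not the post's own code, here is one way to assemble the fragments above into a complete configuration using only the built-in File, Script and Service resources. The resource names XMLPol and ApplyLocalApplockerPol come from the post; the Contents parameter, the comparison logic and the service name AppIDSvc (Application Identity) are assumptions.

```powershell
# Added example, not the post's own code: the fragments above assembled into one
# configuration. Assumed: the Contents parameter, the whitespace-insensitive
# comparison and the service name AppIDSvc (Application Identity).
Configuration LocalApplockerPolicy
{
    param (
        # Path of the policy exported earlier with Format-XML | Out-File
        [Parameter(Mandatory)] [string] $PolicyXmlPath
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node localhost
    {
        # Step 1: drop the exported policy on disk with the built-in File resource.
        File XMLPol
        {
            DestinationPath = 'C:\windows\temp\polApplocker.xml'
            Contents        = (Get-Content -Path $PolicyXmlPath -Raw)
            Ensure          = 'Present'
            Type            = 'File'
        }

        # Step 2: apply the policy only when the effective policy differs from the file.
        Script ApplyLocalApplockerPol
        {
            GetScript  = { @{ Result = ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXml } }
            TestScript = {
                $effective = ([xml](Get-AppLockerPolicy -Effective -Xml)).InnerXml
                $wanted    = ([xml](Get-Content -Path 'C:\windows\temp\polApplocker.xml' -Raw)).InnerXml
                # InnerXml drops the indentation, so Compare-Object is empty when the policies match
                $null -eq (Compare-Object -ReferenceObject $effective -DifferenceObject $wanted)
            }
            SetScript  = { Set-AppLockerPolicy -XMLPolicy 'C:\windows\temp\polApplocker.xml' }
            DependsOn  = '[File]XMLPol'
        }

        # Step 3: rules are only enforced while the Application Identity service runs.
        Service AppIDSvc
        {
            Name      = 'AppIDSvc'
            State     = 'Running'
            DependsOn = '[File]XMLPol', '[Script]ApplyLocalApplockerPol'
        }
    }
}

# Compile the MOF, then apply it from an elevated prompt.
LocalApplockerPolicy -PolicyXmlPath "$HOME\Documents\Applocker-pol.xml" -OutputPath 'C:\windows\temp\dsc'
Start-DscConfiguration -Path 'C:\windows\temp\dsc' -Wait -Verbose
```

Running `Test-DscConfiguration` afterwards reports `True` only while the effective policy still matches the file, which is a cheap drift check for a locally enforced AppLocker policy.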