In the world we live in now, security is the most important topic in information technology, and we need to do more to help end users stay secure on all their devices. In this blog post I will cover how to implement AppLocker policies with little effort so that end users cannot run apps or scripts that the IT department has not approved. I have seen many companies try to implement a blacklist of apps that are not allowed to run on a device, but a blacklist does not help against the threat of malware or ransomware being executed, because an attacker's binary is never on the list. With a whitelist you are in control of what can be executed on your device, but figuring out what you need to whitelist in your organisation can be difficult, so AaronLocker is an easy way to get started.
In this blog post I will walk through how to implement it with Microsoft Intune. It only applies to Windows 10, as Windows 7 and Windows Server do not have a built-in MDM stack.
From the AaronLocker docs:
AaronLocker’s strategy can be summed up as: if a non-admin could have put a program or script onto the computer – i.e., it is in a user-writable directory – don’t allow it to execute unless it has already been specifically allowed by an administrator. This will stop execution if a user is tricked into downloading malware, if an exploitable vulnerability in a program the user is running tries to put malware on the computer, or if a user intentionally tries to download and run unauthorized programs.
AaronLocker is created by Aaron Margosis (@AaronMargosis) from Microsoft Cybersecurity Services. The AaronLocker documentation already contains a guide on how to implement it with GPO, so I will not cover that in this blog post. Please read the AaronLocker docs before implementing it in your production environment.
First you need to create the AppLocker policy files:
You can use the AppLocker wizard as described in the AppLocker docs,
or you can just run Create-Policies.ps1 from the AaronLocker toolkit.
After the script has finished you will have "AppLockerRules-%date%-Audit.xml" and "AppLockerRules-%date%-Enforce.xml". Those files are perfect for use directly with a GPO, but for Intune you need to split them up into one file per rule collection, because each collection is uploaded to its own OMA-URI.
In my case the files were in encoding="utf-16", so I had to change them to UTF-8 before uploading them to Intune.
Note: The AppLocker XML files need to be in UTF-8 encoding when uploading to Intune.
How to leverage AaronLocker on an Intune managed device:
In this blog post I only show the "AaronLocker – Enforce" policy. You should always create an "AaronLocker – Audit" policy first and deploy it to a test group before deploying the enforce policy in production, so that anything the rules would block shows up in the AppLocker event log instead of breaking users.
Start Microsoft Endpoint Manager admin Center
- Click Devices
- Click Windows
- Click Configuration profiles
- Click Create profile
- Enter name : AaronLocker – Enforce
- Enter Description : AaronLocker Enforce policy
- Platform : Windows 10 and later
- Profile type : Custom
- Click Setting
- Click Add
- Name: AaronLocker Store Apps
- Description : AaronLocker configuration for inbox Microsoft store applications
- OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy
- Data type: String (XML file)
- Upload the XML file “AppLockerRules-%date%-Enforce – APPX.xml” you got from the AaronLocker script
- Name: AaronLocker EXE
- Description : AaronLocker configuration for inbox executables
- OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/EXEGroup/EXE/Policy
- Data type: String (XML file)
- Upload the XML file “AppLockerRules-%date%-Enforce – EXE.xml” you got from the AaronLocker script
- Name: AaronLocker MSI
- Description : AaronLocker configuration for inbox MSIs
- OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MSIGroup/MSI/Policy
- Data type: String (XML file)
- Upload the XML file “AppLockerRules-%date%-Enforce – MSI.xml” you got from the AaronLocker script
- Name: AaronLocker Scripts
- Description : AaronLocker Configuration for inbox scripts
- OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ScriptGroup/Script/Policy
- Data type: String (XML file)
- Upload the XML file “AppLockerRules-%date%-Enforce – SCRIPT.xml” you got from the AaronLocker script
- Name: AaronLocker DLL
- Description : AaronLocker configuration for inbox DLLs
- OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/DLLGroup/DLL/Policy
- Data type: String (XML file)
- Upload the XML file “AppLockerRules-%date%-Enforce – DLL.xml” you got from the AaronLocker script
You now have one custom setting for each AppLocker rule collection:
- Store Apps (APPX)
- EXE
- MSI
- Script
- DLL
All the policies can also be imported with a script:
- The value for each OMA-URI is the content of the corresponding AppLocker XML file, converted to Base64 encoding (it is an encoding, not encryption; the policy is not secret, it just has to be transported as a string).
Here is my import script for the policies used in this blog post – Download from Github
Create an Azure Active Directory group "AaronLocker – Enforce", add the devices on which you want to enforce the AaronLocker policy as members, and assign the configuration profile to that group.
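As an added example that is not the author's import script and not part of the AaronLocker project, the PowerShell below does the two steps described above in one go: it splits a combined AaronLocker policy file into one UTF-8 file per RuleCollection (the layout the AppLocker CSP expects at the OMA-URIs listed earlier) and builds the Microsoft Graph request body for a Windows 10 custom configuration profile in which each file becomes a Base64-encoded omaSettingStringXml value. The input file name, the output folder, the grouping names in the OMA-URIs (EXEGroup, MSIGroup and so on, which are free-form), the $Token and $GroupId parameters and the Graph endpoints used for the optional upload and assignment are assumptions for the example; the rest of the parsing works on the standard AppLocker XML schema.

```powershell
# Added example (not from the original post or the AaronLocker project).
# Splits an AppLocker policy XML into per-collection UTF-8 files and builds the
# Graph body for an Intune "Custom" Windows 10 profile carrying them as
# Base64-encoded omaSettingStringXml values. Upload/assignment only run when
# -Token (and -GroupId) are supplied; both are assumptions for this example.
param(
    [string]$PolicyXml   = '.\AppLockerRules-Enforce.xml',   # assumed input name
    [string]$OutDir      = '.\Split',                         # assumed output dir
    [string]$ProfileName = 'AaronLocker - Enforce',
    [string]$Token,                                           # Graph bearer token (assumed)
    [string]$GroupId                                          # AAD group object id (assumed)
)

# RuleCollection Type attribute -> AppLocker CSP node. The third-from-last
# segment (EXEGroup etc.) is an arbitrary grouping name chosen for this example.
$CspNodes = @{
    'Appx'   = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy'
    'Exe'    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/EXEGroup/EXE/Policy'
    'Msi'    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MSIGroup/MSI/Policy'
    'Script' = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ScriptGroup/Script/Policy'
    'Dll'    = './Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/DLLGroup/DLL/Policy'
}

# Get-Content honours the BOM, so a UTF-16 file from the AaronLocker script
# is read correctly; we re-emit everything as UTF-8 without BOM below.
[xml]$policy = Get-Content -LiteralPath $PolicyXml -Raw
if (-not $policy.AppLockerPolicy) { throw "$PolicyXml is not an AppLockerPolicy document" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$outFull   = (Resolve-Path -LiteralPath $OutDir).Path
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)

$omaSettings = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $type = $rc.Type
    if (-not $CspNodes.ContainsKey($type)) {
        Write-Warning "Unknown RuleCollection type '$type', skipping"
        continue
    }
    if ($rc.EnforcementMode -eq 'NotConfigured') {
        Write-Warning "Collection '$type' is NotConfigured and will not be enforced"
    }

    # The CSP wants only the <RuleCollection> element, not the <AppLockerPolicy> wrapper.
    $fragment = $rc.OuterXml
    $fileName = "AppLockerRules-Enforce - $($type.ToUpper()).xml"
    $path     = Join-Path $outFull $fileName
    [System.IO.File]::WriteAllText($path, $fragment, $utf8NoBom)

    $bytes = $utf8NoBom.GetBytes($fragment)
    $b64   = [Convert]::ToBase64String($bytes)
    # Intune caps the size of a custom OMA-URI value; surface the encoded length
    # so an oversized collection is noticed before the upload is attempted.
    Write-Host ("{0,-7} rules={1,4} utf8Bytes={2,7} base64Chars={3,7}" -f `
        $type, @($rc.ChildNodes).Count, $bytes.Length, $b64.Length)

    [pscustomobject]@{
        '@odata.type' = '#microsoft.graph.omaSettingStringXml'
        displayName   = "AaronLocker $type"
        description   = "AaronLocker rules for the $type collection"
        omaUri        = $CspNodes[$type]
        fileName      = $fileName
        value         = $b64
    }
}

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'AaronLocker Enforce policy'
    omaSettings   = @($omaSettings)
} | ConvertTo-Json -Depth 5
Set-Content -LiteralPath (Join-Path $outFull 'profile.json') -Value $body -Encoding UTF8

if ($Token) {
    $headers = @{ Authorization = "Bearer $Token" }
    $graph   = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations'
    $profile = Invoke-RestMethod -Method Post -Uri $graph -Headers $headers `
                   -ContentType 'application/json' -Body $body
    Write-Host "Created profile $($profile.id)"

    if ($GroupId) {
        # Assign to the AAD device group (e.g. "AaronLocker - Enforce").
        $assign = @{ assignments = @(@{ target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = $GroupId } }) } | ConvertTo-Json -Depth 5
        Invoke-RestMethod -Method Post -Uri "$graph/$($profile.id)/assign" `
            -Headers $headers -ContentType 'application/json' -Body $assign | Out-Null
        Write-Host "Assigned profile to group $GroupId"
    }
}
```

Run it once without -Token to get the split files and profile.json for review (and to read off the Base64 length of each collection), then again with a token that has DeviceManagementConfiguration.ReadWrite.All to create and assign the profile. Point it at the Audit file first to produce the audit profile for your test group.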
End user experience when blocked by AppLocker:
When an end user tries to run an application that is not in the approved list in the AppLocker policy, this message will show up:
Happy testing
Read more:
“AaronLocker” update (v0.91) — and see “AaronLocker” in action on Channel 9!
All well and good for a proof of concept; however, in reality there is a maximum string length or array type of 350000, which, if using AaronLocker correctly, you will exceed in nearly every case, rendering this solution unusable. Any workarounds?