This is a short post, but it took me some time to test it out and make sure it works, hope this is useful. 🙂
I often see questions like “Does AppLocker work in Windows 10 Pro?” and “Can we manage AppLocker in Windows 10 Pro?”. The simple answer is YES! In this post, I will tell you how.
Quote from the official Microsoft doc:
You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016.
That being said, you cannot use Group Policy to configure AppLocker for Windows 10 Pro, but it doesn’t mean that AppLocker doesn’t support Windows 10 Pro. If you use Group Policy, you will see a warning in the AppLocker event log that the AppLocker component is not available on this SKU.
From the MDM Configuration Service Provider Reference, the AppLocker CSP supports almost all Windows versions, except Business. You can use an Intune OMA-URI to configure AppLocker settings, and there are lots of good blog posts about this. So the question is: if you are not managing your devices with Microsoft Intune or Co-Management, how do you configure AppLocker for Windows 10 Pro?
The answer is fairly simple: use PowerShell with the WMI Bridge Provider.
MDM WMI Bridge Provider
Peter van der Woude wrote an excellent blog post a few years ago about Windows 10 MDM and the MDM Bridge WMI Provider. It will give you more insight into what the MDM Bridge WMI Provider is and how it works.
Quote from the Microsoft doc:
CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions.
The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
Take AppLocker EXE rules for example: their MDM Bridge WMI class is MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03. This is a device setting, and for all device settings the WMI Bridge client must be executed as the local system account. Here is how we do it:
Step 1: Download the PsExec tool from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Step 2: Unzip the PsExec tool and run psexec.exe /i /s PowerShell_ISE.exe from an elevated admin command prompt
Step 3: Type whoami; you should see that it is now running as nt authority\system
Step 4: Now you can run the following script as an example. You can change $GroupName as you wish and configure your own AppLocker RuleCollections.
Now you should be able to see these settings in WMI Explorer or with PowerShell (which also needs to be started with psexec.exe /i /s).
You will also find your settings in the C:\Windows\System32\AppLocker\MDM folder.
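As an added example (not the post's own script, which lives in the author's GitHub), here is a script that creates an EXE rule collection through the bridge class and then verifies the result. The property names ParentID, InstanceID and Policy, the CSP path and the $GroupName value are assumptions based on the AppLocker CSP layout, and the allow-list policy itself is illustrative:

```powershell
# Added example, not the post's own script. Run it in the PowerShell ISE
# started with "psexec.exe /i /s" (Step 2): the AppLocker nodes are device
# settings and the bridge only accepts them from the SYSTEM account.
# Assumptions: the instance properties ParentID / InstanceID / Policy and the
# CSP path follow the AppLocker CSP layout; $GroupName is any label you pick.

$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'
$GroupName  = 'Win10ProAppLocker'   # arbitrary grouping node name
$ParentID   = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$InstanceID = 'EXE'

# Allow-list EXE collection: Everyone may run from Program Files and the
# Windows folder, Administrators may run anything, everything else is blocked.
# Start with EnforcementMode="AuditOnly" and review the AppLocker event log
# before switching to "Enabled".
$Policy = @"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description=""
                UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description=""
                UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all" Description=""
                UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>
"@

# Create the setting, or replace the Policy if this group/instance already exists.
$existing = Get-CimInstance -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue |
    Where-Object { $_.ParentID -eq $ParentID -and $_.InstanceID -eq $InstanceID }
if ($existing) {
    Set-CimInstance -InputObject $existing -Property @{ Policy = $Policy }
} else {
    New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
        ParentID = $ParentID; InstanceID = $InstanceID; Policy = $Policy }
}

# Verify: read the node back, list the MDM policy folder, and confirm the
# Application Identity service (AppIDSvc) that AppLocker depends on is running.
Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
    Select-Object ParentID, InstanceID, @{ n = 'PolicyChars'; e = { $_.Policy.Length } }
Get-ChildItem "$env:windir\System32\AppLocker\MDM" -Recurse -ErrorAction SilentlyContinue
Get-Service AppIDSvc | Select-Object Name, Status, StartType
```

The rule collection is written as the Policy string of one instance per group and collection type; deleting that instance with Remove-CimInstance removes the rules again.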
And again, you will not find these AppLocker rules in GPO, because it is not using GPO. 🙂
When I now log in as a standard user and try to open cmd.exe, I get this notification that this app has been blocked by your system administrator.
There was a discussion on Twitter that I should use WinDbg with the !Token output listing appid:// to prove AppLocker works in Windows 10 Pro. Here it is: a screenshot of the !exts.Token output (the !Token command didn’t give me any results); systeminfo shows this is Windows 10 Pro, PowerShell Get-Service shows AppIDSvc is running, and the AppLocker event logs show which apps are allowed to run.
Scripts for updating and deleting AppLocker settings can be found in my GitHub.
Happy testing for the weekend!
(Feature picture credit: Maxim Zhgulev)