MSEndpointMgr

Does AppLocker work in Windows 10 Pro? Yes, it does!

This is a short post, but it took me some time to test it out and make sure it works; I hope it is useful. 🙂

I often see the questions “Does AppLocker work in Windows 10 Pro?” and “Can we manage AppLocker in Windows 10 Pro?”. The simple answer is YES! In this post, I will show you how.

AppLocker requirements

Quote from official Microsoft Doc

You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016.

That said, you cannot use Group Policy to configure AppLocker on Windows 10 Pro, but that doesn’t mean AppLocker doesn’t support Windows 10 Pro. If you try Group Policy, you will see a warning in the AppLocker event log that the AppLocker component is not available on this SKU.

According to the MDM Configuration Service Provider Reference, the AppLocker CSP supports almost all Windows editions, except Business, so you can use an Intune OMA-URI to configure AppLocker settings; there are lots of good blog posts about this. So the question is: if you are not managing your devices with Microsoft Intune or co-management, how do you configure AppLocker on Windows 10 Pro?

The answer is fairly simple: use PowerShell with the MDM Bridge WMI Provider.

MDM WMI Bridge Provider

Peter van der Woude wrote an excellent blog post a few years ago about Windows 10 MDM and the MDM Bridge WMI Provider; it will give you more insight into what the MDM Bridge WMI Provider is and how it works.

Quote from Microsoft Doc

CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions.

The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.

Take AppLocker EXE rules for example: the corresponding MDM Bridge WMI class is MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03. This is a device setting, and for all device settings the WMI Bridge client must run as Local System. Here is how we do it:

Step 1: Download the PsExec tool from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Step 2: Unzip PsExec and run psexec.exe /i /s PowerShell_ISE.exe from an elevated admin command prompt

Step 3: Type whoami; you should see that PowerShell ISE is now running as nt authority\system

Step 4: Now you can run the following script as an example. You can change $GroupName as you wish and configure your own AppLocker RuleCollections.

Now you should be able to see these settings in WMI Explorer or with PowerShell (which also needs to be started with psexec.exe /i /s).

And you will also find your settings in the C:\Windows\System32\AppLocker\MDM folder.
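The steps above, as a complete script. This is an added example written for this page, not the script from the original post or from the author's GitHub; the namespace, class name and the ParentID/InstanceID/Policy property layout follow the MDM Bridge WMI Provider documentation, while the grouping name AppLockerDemo, the rule names and the rule GUIDs are constructed for the example. It refuses to run unless it is SYSTEM, allows Everyone to run from Program Files and the Windows folder (with cmd.exe carved out as an exception, so a standard user is blocked while Administrators, who get an allow-all rule, still can), and then reads the policy back through the bridge and from the MDM folder.

```powershell
# Added example (not the script from the original post): create an AppLocker EXE rule
# collection on Windows 10 Pro through the MDM Bridge WMI Provider.
# Run it from a PowerShell started with "psexec.exe /i /s", i.e. as NT AUTHORITY\SYSTEM.

# Device-scope CSP writes fail unless we are SYSTEM, so check before doing anything.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    throw "Run this as NT AUTHORITY\SYSTEM (psexec.exe /i /s); current identity is $($identity.Name)"
}

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'
$GroupName     = 'AppLockerDemo'   # assumed grouping name, change as you wish
$parentID      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

# Rule IDs are arbitrary GUIDs constructed for this example. Keep them stable so a later
# update replaces rules instead of duplicating them.
# Everyone (S-1-1-0) may run from Program Files and the Windows folder, except cmd.exe;
# Administrators (S-1-5-32-544) may run anything, so admins still get cmd.exe.
$policyXml = @'
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="3f2b7c1e-8a4d-4e0b-9c6f-2d5a7b8e9f01" Name="Allow Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%PROGRAMFILES%\*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="6c1d9e2f-0b3a-4f5c-8d7e-1a2b3c4d5e02" Name="Allow Everyone: Windows folder, except cmd.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="%WINDIR%\*" />
    </Conditions>
    <Exceptions>
      <FilePathCondition Path="%SYSTEM32%\cmd.exe" />
    </Exceptions>
  </FilePathRule>
  <FilePathRule Id="9a8b7c6d-5e4f-4a3b-2c1d-0e9f8a7b6c03" Name="Allow Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
</RuleCollection>
'@

# Refuse to create a duplicate; an existing instance is changed with Set-CimInstance instead.
$existing = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
    Where-Object { $_.ParentID -eq $parentID -and $_.InstanceID -eq 'EXE' }
if ($existing) {
    throw "An EXE policy for grouping '$GroupName' already exists; use Set-CimInstance to change it"
}

# The bridge maps this instance to ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Group>/EXE/Policy
$instance = New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{
    ParentID   = $parentID
    InstanceID = 'EXE'
    Policy     = $policyXml
}

# Read it back through the bridge to confirm the CSP accepted the policy ...
Get-CimInstance -Namespace $namespaceName -ClassName $className |
    Where-Object { $_.ParentID -eq $parentID } |
    Select-Object InstanceID, ParentID, @{ n = 'PolicyLength'; e = { $_.Policy.Length } }

# ... and check that the CSP wrote it to the AppLocker MDM folder mentioned above.
Get-ChildItem -Path "$env:SystemRoot\System32\AppLocker\MDM" -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Two things worth knowing before you run this on a real device: an EXE collection with EnforcementMode="Enabled" blocks everything it does not explicitly allow, so never push a collection without allow rules for the Windows and Program Files folders; and an explicit Deny rule overrides every Allow rule (including the Administrators allow-all), which is why the example uses an Exceptions element instead of a Deny rule to keep cmd.exe away from standard users only.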

And again, you will not find these AppLocker rules in a GPO, because this is not using Group Policy. 🙂

Verification

When I now log in as a standard user and try to open cmd.exe, I get this notification: this app has been blocked by your system administrator.

There was a discussion on Twitter that I should use WinDbg with !Token output listing appid:// to prove that AppLocker works in Windows 10 Pro. Here it is: a screenshot of the !exts.Token output (the !Token command didn’t give me any results). systeminfo shows this is Windows 10 Pro, PowerShell Get-Service shows AppIDSvc is running, and the AppLocker event log shows which apps are allowed to run.
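The same verification, scripted, as an added example that is not part of the original post. It runs as a normal elevated admin (SYSTEM is only needed to read or write the bridge class): it prints the SKU, makes sure the Application Identity service is running, lists recent AppLocker EXE decisions from the “EXE and DLL” event log, and warns if the 8008 “component not available on this SKU” event is present. The event IDs and log name are the standard AppLocker ones; the column names are my own.

```powershell
# Added example (not from the original post): script the checks described above.
# Run from an elevated PowerShell; SYSTEM is not required for any of these reads.

# 1. Which SKU is this? Win32_OperatingSystem.Caption reads e.g. "Microsoft Windows 10 Pro".
$os = Get-CimInstance -ClassName Win32_OperatingSystem
'{0} (build {1})' -f $os.Caption, $os.BuildNumber

# 2. The Application Identity service must be running, otherwise AppLocker enforces nothing.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); starting it"
    Start-Service -Name AppIDSvc
}

# 3. AppLocker event IDs in the 'EXE and DLL' log:
#    8002 allowed, 8003 would have been blocked (audit only), 8004 blocked,
#    8008 'AppLocker component not available on this SKU'.
$log = 'Microsoft-Windows-AppLocker/EXE and DLL'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8002, 8003, 8004 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Result'; e = { switch ($_.Id) { 8002 { 'allowed' } 8003 { 'audit' } 8004 { 'blocked' } } } },
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize

# 4. 8008 is the warning you get on Pro when the rules arrive through Group Policy;
#    with the MDM bridge method it should not be present.
if (Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8008 } -MaxEvents 1 -ErrorAction SilentlyContinue) {
    Write-Warning "Event 8008 found: AppLocker reported 'component not available on this SKU'"
}
```

After logging in as a standard user and launching cmd.exe, the table should show an 8004 “blocked” line whose detail names %SYSTEM32%\CMD.EXE; if you only see 8003 lines, the collection is in AuditOnly mode.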

How about updating or deleting AppLocker settings?

Yes, we can use PowerShell scripts to update or delete these AppLocker settings as well. You can find all these scripts in my GitHub.
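An added example of both operations, written for this page rather than taken from the author's GitHub. It locates the instance the bridge exposes for a grouping (AppLockerDemo is an assumed name; use whatever you created the policy with), and either removes it with Remove-CimInstance or rewrites it with Set-CimInstance. Because the CSP replaces the whole Policy string, the update edits the XML it read back instead of sending a fragment: it switches the collection to AuditOnly and appends an allow rule for %OSDRIVE%\Tools (path and rule GUID are constructed for the example). Save it as a .ps1 and run it as SYSTEM, with -Remove to delete.

```powershell
# Added example (not the scripts from the author's GitHub): update or remove an AppLocker
# EXE policy that was created through the MDM bridge. Save as .ps1 and run as NT AUTHORITY\SYSTEM.
param(
    [switch]$Remove   # pass -Remove to delete the policy instead of updating it
)

$namespaceName = 'root\cimv2\mdm\dmmap'
$className     = 'MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03'
$GroupName     = 'AppLockerDemo'   # must match the grouping name used when the policy was created
$parentID      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

if (-not [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    throw 'Run this as NT AUTHORITY\SYSTEM (psexec.exe /i /s)'
}

# Locate the existing instance; the bridge exposes one instance per <grouping>/EXE node.
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction Stop |
    Where-Object { $_.ParentID -eq $parentID -and $_.InstanceID -eq 'EXE' }
if (-not $instance) {
    throw "No EXE policy found for grouping '$GroupName'; nothing to update or remove"
}

if ($Remove) {
    # Deleting the instance deletes the CSP node, and with it the rules and the file under System32\AppLocker\MDM.
    Remove-CimInstance -InputObject $instance
    "Removed AppLocker EXE policy for grouping '$GroupName'"
    return
}

# Update: the whole Policy string is replaced, so edit the XML we just read rather than
# sending a fragment. Switch to AuditOnly (8003 events instead of blocks) while testing,
# and append an allow rule; the rule ID is an arbitrary GUID constructed for this example.
[xml]$xml = $instance.Policy
$xml.RuleCollection.EnforcementMode = 'AuditOnly'

$rule = $xml.CreateElement('FilePathRule')
$rule.SetAttribute('Id', 'b4c5d6e7-f809-4a1b-9c2d-3e4f5a6b7c04')
$rule.SetAttribute('Name', 'Allow Everyone: Tools folder on the OS drive')
$rule.SetAttribute('Description', '')
$rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')
$rule.SetAttribute('Action', 'Allow')
$conditions = $xml.CreateElement('Conditions')
$condition  = $xml.CreateElement('FilePathCondition')
$condition.SetAttribute('Path', '%OSDRIVE%\Tools\*')
[void]$conditions.AppendChild($condition)
[void]$rule.AppendChild($conditions)
[void]$xml.RuleCollection.AppendChild($rule)

Set-CimInstance -InputObject $instance -Property @{ Policy = $xml.OuterXml }

# Read back through the bridge and show the new enforcement mode and rule count.
$updated = Get-CimInstance -Namespace $namespaceName -ClassName $className |
    Where-Object { $_.ParentID -eq $parentID -and $_.InstanceID -eq 'EXE' }
[xml]$check = $updated.Policy
'{0}: EnforcementMode={1}, rules={2}' -f $GroupName, $check.RuleCollection.EnforcementMode, @($check.RuleCollection.FilePathRule).Count
```

Keeping rule IDs stable across updates matters: AppLocker identifies rules by their Id, so regenerating GUIDs on every run makes the event log and any reporting harder to correlate even though the CSP itself only sees one replaced Policy string.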

Happy testing for the weekend!

(Feature picture is credit by Maxim Zhgulev )

Sandy Zeng

Sandy is an Enterprise Mobility MVP since 2018. She is an experienced Information Technology Specialist for over 10 years. Skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. Sandy's interests are mostly related to Microsoft Technologies, she has passions learning new skill sets to improve her professional career and also as her hobbies. She uses her expertise to help customers achieve their goals and solve their issues.

Sandy founded the https://sandyzeng.com blog and is now a blogger on MSEndPointMgr.

13 comments

  • Hi Sandy,
Thank you for writing this article, as this helped me a lot in deploying AppLocker on Windows 10. But I found that this only works on Windows 10 build 1903 & above. On all Windows 10 builds below 1903 it always generates an 8008 error in the AppLocker event log. I use the same PS script as yours to deploy the rule. Is it true that this method only applies to Windows 10 build 1903 & above? Or is there any prerequisite for these builds?

  • What is the difference between the create AppLocker script and the update AppLocker script? Also, if I want to create additional rules, how do I get the FilePathRule ID identifier?

    • My script still works for me. For the GitHub issue you mentioned, I don’t see “GroupName” in the example, and there is no way I can know what is in the XML file in the issue.

    • Hi,
      While executing this script, ensure you are running it under the “System” account; any admin or non-admin account will not have the access to write.

  • Sandy, thank you so much for your great article. It would be really helpful if you could also add a few lines to tell the reader how to remove the added setting. I imagine we should use Remove-CimInstance?

    • Hello Andy. Yes, Remove-CimInstance can remove the added settings. The add, update and remove scripts are in the same GitHub folder.
