This is a short post, but it took me some time to test it out and make sure it works. I hope it is useful. 🙂
I often see questions like “Does AppLocker work in Windows 10 Pro?” and “Can we manage AppLocker in Windows 10 Pro?”. The simple answer is YES! In this post, I will show you how.
AppLocker requirements
Quote from the official Microsoft documentation:
You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016.
That said, you cannot use Group Policy to configure AppLocker on Windows 10 Pro, but that doesn’t mean AppLocker doesn’t support Windows 10 Pro. If you try it with Group Policy, you will see a warning in the AppLocker event log that the AppLocker component is not available on this SKU.
According to the MDM Configuration Service Provider Reference, the AppLocker CSP supports almost all Windows versions except Business, so you can use an Intune OMA-URI to configure AppLocker settings; there are lots of good blog posts about this. So the question is: if you are not managing your devices with Microsoft Intune or co-management, how do you configure AppLocker on Windows 10 Pro?
The answer is fairly simple: use PowerShell with the MDM WMI Bridge Provider.
MDM WMI Bridge Provider
Peter van der Woude wrote an excellent blog post a few years ago about Windows 10 MDM and the MDM Bridge WMI Provider; it will give you more insight into what the MDM Bridge WMI Provider is and how it works.
Quote from the Microsoft documentation:
CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions.
The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
Take the AppLocker EXE rules as an example: their MDM Bridge WMI class is MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03. This is a device setting, and for all device settings the WMI Bridge client must be executed as Local System. Here is how we do it:
Step 1: Download the PsExec tool from https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
Step 2: Unzip PsExec and run psexec.exe /i /s PowerShell_ISE.exe from an elevated admin command prompt.
Step 3: Type whoami; you should see that it is now running as nt authority\system.
Step 4: Now you can run the following script as an example; you can change $GroupName as you wish and configure your own AppLocker RuleCollections.
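The script itself is not reproduced on this page, so here is an added example (written for this edit, not the post's own script) that builds an EXE rule collection and creates it through the bridge class named above. It assumes the bridge namespace root\cimv2\mdm\dmmap and the ParentID/InstanceID layout of the AppLocker CSP node; the group name, rule names and GUIDs are constructed for the demonstration.

```powershell
# Added example (not the post's own script): create an AppLocker EXE rule
# collection on Windows 10 Pro through the MDM WMI Bridge. Run it from a
# PowerShell started with "psexec.exe /i /s" so it executes as SYSTEM.
# Assumed: the bridge namespace root\cimv2\mdm\dmmap and the ParentID /
# InstanceID layout of the AppLocker CSP node.
$NamespaceName   = "root\cimv2\mdm\dmmap"
$ClassName       = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$GroupName       = "AppLockerDemo"   # any grouping name you like (constructed)
$ParentID        = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName/EXE"
$EnforcementMode = "AuditOnly"       # evaluate first; "Enabled" actually blocks

# Each rule needs its own unique GUID as Id; generate fresh ones.
$ruleWin = [guid]::NewGuid()
$rulePF  = [guid]::NewGuid()
$ruleAdm = [guid]::NewGuid()

# Allow-list modelled on AppLocker's default rules: Everyone (S-1-1-0) may run
# from Windows and Program Files, Administrators (S-1-5-32-544) may run anything.
# The exception on the Windows rule is what leaves cmd.exe blocked for standard
# users while admins stay covered by their "*" rule. The CSP takes the bare
# <RuleCollection> element, not a full <AppLockerPolicy> document.
$Policy = @"
<RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
  <FilePathRule Id="$ruleWin" Name="Allow Windows folder except cmd.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    <Exceptions><FilePathCondition Path="%SYSTEM32%\cmd.exe" /></Exceptions>
  </FilePathRule>
  <FilePathRule Id="$rulePF" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="$ruleAdm" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
</RuleCollection>
"@

# Creating the CIM instance is what hands the policy to the CSP via the bridge.
New-CimInstance -Namespace $NamespaceName -ClassName $ClassName -Property @{
    ParentID   = $ParentID
    InstanceID = "Policy"
    Policy     = $Policy
} | Out-Null

# Read it back (also as SYSTEM) to confirm the node now exists.
Get-CimInstance -Namespace $NamespaceName -ClassName $ClassName |
    Where-Object { $_.ParentID -eq $ParentID } |
    Select-Object ParentID, InstanceID
```

Starting in AuditOnly lets you check the AppLocker event log for what would have been blocked before switching the collection to Enabled.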
You should now be able to see these settings in WMI Explorer or with PowerShell (which also needs to be started with psexec.exe /i /s).
You will also find your settings in the C:\Windows\System32\AppLocker\MDM folder.
And again, you will not find these AppLocker rules in a GPO, because this method does not use Group Policy. 🙂
Verification
When I now log in as a standard user and try to open cmd.exe, I get this notification that the app has been blocked by the system administrator.
There was a discussion on Twitter suggesting that I should use WinDbg with the !Token output listing appid:// to prove that AppLocker works in Windows 10 Pro. Here it is: a screenshot of the !exts.Token output (the !Token command didn’t give me any results). systeminfo shows this is Windows 10 Pro, PowerShell Get-Service shows AppIDSvc is running, and the AppLocker event logs show which apps are allowed to run.
How about updating or deleting AppLocker settings?
Yes, we can use PowerShell scripts to update or delete these AppLocker settings as well. You can find all of these scripts in my GitHub.
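As an added example (not the post's GitHub scripts), this is how the same bridge instance can be updated, here switching the collection from audit to enforcement, or removed. It assumes the same namespace, class and group name used when the policy was created, that it runs as SYSTEM, and that the Policy property reads back as raw XML.

```powershell
# Added example (not the post's own script): update or remove the EXE rule
# collection created earlier. Same assumptions as before: run as SYSTEM, same
# namespace, class and group name that were used to create the policy.
$NamespaceName = "root\cimv2\mdm\dmmap"
$ClassName     = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$GroupName     = "AppLockerDemo"   # constructed; must match the created policy
$ParentID      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName/EXE"

$current = Get-CimInstance -Namespace $NamespaceName -ClassName $ClassName |
    Where-Object { $_.ParentID -eq $ParentID -and $_.InstanceID -eq "Policy" }
if (-not $current) { throw "No AppLocker EXE policy found for group '$GroupName'" }

# Update: flip only EnforcementMode (AuditOnly <-> Enabled) and write the
# modified instance back; the rule set itself is unchanged. Assumes the
# Policy property comes back as raw XML that [xml] can parse.
[xml]$xml = $current.Policy
$xml.RuleCollection.EnforcementMode = "Enabled"
$current.Policy = $xml.OuterXml
Set-CimInstance -CimInstance $current

# Delete: removing the instance removes the whole EXE collection for this group.
# Remove-CimInstance -CimInstance $current
```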
Happy testing for the weekend!
(Featured picture credit: Maxim Zhgulev)
Hi Sandy,
Thank you for writing this article, as this helped me a lot on deploying AppLocker on Win 10. But I found that this only works on Win 10 build 1903 & above. On all Windows 10 below 1903 it always generates an 8008 error in the AppLocker event log. I use the same PS script as yours to deploy the rule. Is it true that this method only applies to Win 10 build 1903 & above? Or is there any prerequisite for these builds?
Hello Ary. I don’t remember which Windows 10 build I tested.
Amazed to read a complete, detailed article. Thanks, Sandy. Keep up your good work.
What is the difference between the create AppLocker script and the update AppLocker script? Also, if I want to create additional rules, how do I get the FilePathRule ID identifier?
Great Sandy. Couldn’t find that anywhere else.
I can’t get my policy to be accepted via PowerShell. I get an object not found error. The exact issue has been documented here:
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7932
My script still works for me. For the GitHub issue you mentioned, I don’t see “GroupName” in the example, and there is no way I can know what is in the XML file in the issue.
Hi,
While executing this script ensure you are running it under the “System” account, any admin or no-admin account will not have the access to write.
Sandy
Is there a way to run this in audit-only mode?
Yes, you can change EnforcementMode=”Enabled” to EnforcementMode=”AuditOnly”
Great, concise and straightforward info on AppLocker for Windows 10 Pro! Kudos!
Sandy, thank you so much for your great article. It would be really helpful if you could also add a few lines to tell the reader how to remove the added setting. I imagine we should use Remove-CimInstance?
Hello Andy. Yes, Remove-CimInstance can remove added settings. The add, update and remove scripts are in the same GitHub folder.