CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson

Browsing Posts tagged Applocker

Applocker is used more and more so I wrote this little Powershell script that can be run as a Configuration Item which checks that the Application Identity service is running and an Applocker policy is applied. We could also do a remediation script to start the AppIDSvc again if stopped but I normally use a Group Policy to set the service to start Automatically so if it isn’t started something else is wrong, GPO not being applied or something.
The discovery script(Note it requires WMF 4 or later):

$Applocker = Get-AppLockerPolicy -Effective |Where-Object {$_.rulecollections -ne $Null}

$AppIDSvc = Get-Service |Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

Return $Applocker -and $AppIDSvc

Using Configuration Manager CI’s and Baselines to configure your clients is an extremely powerful tool, GPO is basically fire and forget here vi get status back. It can also be used in many scenarios that Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start with checking the client agent settings so that it allows Powershell scripts that are not signed to be run by the SCCM client, or sign the script.

Powershell Client agent setting

Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Applocker CI 1

Select the supported platforms:

Applocker CI 2

Select New in the Settings step

Applocker CI 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

Applocker configured and running CI

Then we edit the discovery script and paste the script as shown below.

Applocker CI Script

Then we create a compliance rule with the following settings.

Applocker CI Compliance

Then we can add it to a baseline and deploy it to our clients. For you all that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the Baseline used from here: Applocker status

I wrote a blog post earlier about how to uninstall built-in apps from Windows 10 CBB using Powershell, http://ccmexec.com/2015/08/removing-built-in-apps-from-windows-10-using-powershell/ however some apps cannot be uninstalled like Microsoft Edge, Contact Support and Windows Feedback.

They can be blocked using Applocker instead that is the best workaround I have found. Blocking them using an Applocker policy is working really well, if the user never logged on to the computer before the Applocker policy is applied the application, in this case Contact support is not installed for the user at all and therefor not present either on start or by using search which is really great!

If the user have logged on to the computer before the Applocker policy is applied the applications is present but the user can no longer start it, and will get the below message displayed.
BlockContactSupport10So this method could be used instead of uninstalling the apps as the end result for the end-user is basically the same if they haven’t logged on to the computer before the policy is applied.

The challenge with that right now is there is no RSAT for Windows 10 available yet so creating the policy is a a bit of a challenge. So I ended up creating the Applocker policy locally on a Windows 10 computer and then export it and then import it on a Windows 2012 R2 server with the Group Policy Management MMC installed.

Here are the steps for creating a Group Policy to block Contact Support, the same steps would be used to block Microsoft Edge and Windows Feedback if that is a requirement for you as well.

1. Create a new Group Policy for this test.

2. Under Computer Configuration\Policies\Windows Settings\Security Settings\System Services change the startup to Automatic for the Application Identity Service. This service must be started for the Applocker policies to be enforced on the client computers.
BlockContactSupport

3. On a Windows 10 computer running the Enterprise version start Group Policy Editor by typing Edit Group Policy in the search Taskbar.

4. Under Computer Configuration\Windows Settings\Security Settings\Application Control Policies\Applocker right-click and select Properties and enable Packaged app Rules and select Enforce rules.
BlockContactSupport1

5. Then we need to create two Packaged app Rules one default rule to allow all apps to run and one rule to block the Contact Support app in this scenario.

6. Right-Click Packaged app Rules and select Create default Rules, this will create a rule that allows all signed apps to be executed. Note that this setting only applies to Apps and not Win32 applications.
BlockContactSupport3 7. Then we create a new Package app Rule by right-clicking Packaged app Rules and select Create New Rule

BlockContactSupport28. On the next screen we select to Deny this app to run for Everyone.
BlockContactSupport4

9.  Then select Use and installed packaged app as a reference and click select.
BlockContactSupport5 10. In the next dialog select the apps you want to block, in my case the Contact Support app, then select OK, and Create
BlockContactSupport6

11. Now we have a policy created locally on the Windows 10 computer with the correct policy shown below.

BlockContactSupport11

12 In the Applocker node in Group policy editor Right-Click and select Export policy. Save the file on a share so you can access it from the computer where you are running the Group Policy Management MMC.
BlockContactSupport7 13. On the computer running the Group Policy Management MMC edit the Group Policy we created in AD in step 1 and under Applocker in the group policy editor select Import Policy and import the policy exported from the Windows 10 computer.
BlockContactSupport814. You will be prompted that it will overwrite all existing policies.
BlockContactSupport9Now we have a policy that can be deployed to Windows 10 that will block the Contact Support app!

Time to start testing.