ConfigMgr CI to check Applocker is configured and running

Applocker is used more and more so I wrote this little Powershell script that can be run as a Configuration Item which checks that the Application Identity service is running and an Applocker policy is applied. We could also do a remediation script to start the AppIDSvc again if stopped but I normally use a Group Policy to set the service to start Automatically so if it isn’t started something else is wrong, GPO not being applied or something.
The discovery script(Note it requires WMF 4 or later):

$Applocker = Get-AppLockerPolicy -Effective |Where-Object {$_.rulecollections -ne $Null}

$AppIDSvc = Get-Service |Where-Object {$_.Name -eq "AppIDSvc" -and $_.Status -eq "Running"}

Return $Applocker -and $AppIDSvc

Using Configuration Manager CI’s and Baselines to configure your clients is an extremely powerful tool, GPO is basically fire and forget here vi get status back. It can also be used in many scenarios that Group Policy cannot, like when managing clients on the internet using the Cloud Management Gateway.

We need to start with checking the client agent settings so that it allows Powershell scripts that are not signed to be run by the SCCM client, or sign the script.

Powershell Client agent setting

Then we create a new Configuration Item, and select the option to apply to Windows Desktops and Servers (custom)

Applocker CI 1

Select the supported platforms:

Applocker CI 2

Select New in the Settings step

Applocker CI 3

Create a new Configuration Item with following settings:

-Settings Type: Script

-Data type: Boolean

Applocker configured and running CI

Then we edit the discovery script and paste the script as shown below.

Applocker CI Script

Then we create a compliance rule with the following settings.

Applocker CI Compliance

Then we can add it to a baseline and deploy it to our clients. For you all that took the time to read the whole post you can download an exported .Cab file which contains both a CI and the Baseline used from here: Applocker status

One Comment

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.