Cloud configuration of AppLocker using Intune and MDATP

Posted on 30. July 2019 / 1. December 2019

In this post I will give you a quick overview of cloud configuration of AppLocker using Intune and MDATP.

AppLocker has been with us for quite some time now, reaching all the way back to good old Windows 7. Although it is not the best solution from a technical point of view (there’s Windows Defender Application Control including TPM-enforced policy signing), it is still a good way to build a quick solution to stop users from installing software or executing unwanted applications. It is one of my recommendations for a secure Windows 10 baseline.

In this post I assume that you are already somewhat familiar with AppLocker. I will focus on how you can shift it to Intune for deployment and to Microsoft Defender ATP’s Advanced Hunting capabilities for monitoring and policy refinement.

Configuration in Intune

First export your AppLocker configuration from either the Group Policy Management Console in Active Directory or from your local GPEdit Console. Even in a cloud-only scenario with Azure AD joined clients you can still use the latter to build the policy. It will look something like this:

Now we need to jump over to the Intune console to create a new Windows 10 configuration profile using the “Custom” profile type:

For each of the five different rule collections a distinct entry must be added. These are the OMA-URIs you have to use:

  • AppLocker EXE:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy
  • AppLocker MSI:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/MSI/Policy
  • AppLocker Script:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/Script/Policy
  • AppLocker Appx:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy
  • AppLocker DLL:
    ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/DLL/Policy

Find out more in the official AppLocker CSP documentation:
https://docs.microsoft.com/en-us/windows/client-management/mdm/applocker-csp

The data type has to be set to “String”, and the Value is the corresponding <RuleCollection> section from the AppLocker XML. Here’s an example for the EXE rule collection:

The Value text field must contain the complete rule collection XML section, including the opening <RuleCollection …> and the closing </RuleCollection> tags, as marked here in Notepad++:

Once you have added all rule collection types it will look something like this:

Don’t forget to assign the profile to all users and/or devices you want to target. Although it might seem obvious, please remember that deploying any kind of application control in enforced mode without testing it first could break things. So you might want to use AppLocker in audit mode first.
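
The copy-and-paste step above can be scripted. The following PowerShell is an added example, not part of the original post: it splits a policy into one Intune entry per rule collection, maps each collection to its OMA-URI and warns about collections that are not in audit mode. The embedded policy is constructed sample data with made-up rule IDs, and the variable names are assumptions.

```powershell
# Added example, not from the original post. The policy below is constructed
# sample data; replace it with: [xml]$policy = Get-Content .\AppLocker.xml -Raw
[xml]$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# RuleCollection Type attribute -> node name in the OMA-URIs listed above
$nodeByType = @{ Exe = 'EXE'; Msi = 'MSI'; Script = 'Script'; Appx = 'StoreApps'; Dll = 'DLL' }

$entries = foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $node = $nodeByType[$rc.Type]
    if (-not $node) { Write-Warning "Unknown collection type '$($rc.Type)', skipped"; continue }
    # Unconfigured collections are exported as empty elements: nothing to deploy
    if (-not $rc.HasChildNodes) { Write-Warning "$($rc.Type): no rules, skipped"; continue }
    # Flag anything that would start blocking as soon as the profile applies
    if ($rc.EnforcementMode -ne 'AuditOnly') {
        Write-Warning "$($rc.Type): EnforcementMode is '$($rc.EnforcementMode)', not AuditOnly"
    }
    [pscustomobject]@{
        OmaUri   = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/$node/Policy"
        DataType = 'String'
        # OuterXml keeps the <RuleCollection ...> and </RuleCollection> tags
        Value    = $rc.OuterXml
    }
}

$entries | Format-List
```

With the sample policy this yields two entries (EXE and Script), skips the empty MSI collection and warns that the Script collection is set to Enabled.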

Monitor AppLocker events in MDATP

Now we head over to the Microsoft Defender Security Center and select the Advanced hunting sub-menu. There we add the following query:

MiscEvents
| where EventTime > ago(14d) and
ActionType startswith "AppControl"
| order by EventTime desc

Just paste it into the query text field:

You can modify the query at any time, e.g. by changing the EventTime filter to cover more days in the past. Once you run the query, you get all files that are recognized by AppLocker (or Defender Application Control):

Depending on how you use AppLocker, you can extract information about paths, file names, signatures, or file hashes to enhance your policy, which you would then edit in either GPMC or GPEdit. Then you can continue by exporting it as XML and pasting each rule collection into the Intune profile again.

Thanks for reading!

Chris

@ChrisOnSecurity@infosec.exchange
