Forum Discussion

Sk-73
Iron Contributor
Apr 13, 2022

AppLocker profile doesn't work

Dear all,

I have created an AppLocker profile, but not successfully. I have no idea why.

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy
Data Type: String
Value:
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
<FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
 

 

Will be grateful for any help you can provide.

Thanks.

 

  • Sk-73 

     

    I would recommend starting by using the "string (XML file)", as I have seen it happen a lot when using string.

     

    When selecting the XML you will get an error when it is not properly formatted, besides this...

    I would change the last part.. (or you forgot to copy some stuff 🙂 )

     

    </Conditions>
    </FilePublisherCondition>
    </RuleCollection>

     

    As shown below.. you could check it out yourself by editing the XML

     

    • Sk-73
      Iron Contributor

      Hi Rudy_Ooms_MVP, thank you. I just deleted the old configuration profile and created a new one, but it still failed.

       

       

       

      <RuleCollection Type="Exe" EnforcementMode="Enabled">
          <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
            <Conditions>
              <FilePathCondition Path="%PROGRAMFILES%\*" />
            </Conditions>
          </FilePathRule>
          <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
            <Conditions>
              <FilePathCondition Path="%WINDIR%\*" />
            </Conditions>
          </FilePathRule>
          <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
            <Conditions>
              <FilePathCondition Path="*" />
            </Conditions>
          </FilePathRule>
          <FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
            <Conditions>
              <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
                <BinaryVersionRange LowSection="*" HighSection="*" />
              </FilePublisherCondition>
            </Conditions>
          </FilePublisherRule>
        </RuleCollection>
       
      I just found and followed the article to create a new configuration profile (PROACTIVE REMEDIATIONS) as you mentioned.

       

      Waiting for the outcome.

      • What happens without that Chrome part? Just start with a basic export from AppLocker and import it into Intune to see what happens.
        Is it only occurring on 1 device or multiple?
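
One way to run the formatting check raised in the first reply locally, before the value is pasted into the Intune profile. This is an added example, not code from any poster in the thread; the function name Test-RuleCollectionXml and both sample strings are constructed for illustration.

```powershell
# Pre-flight check for one AppLocker <RuleCollection> fragment (hypothetical helper).
function Test-RuleCollectionXml {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Xml) }   # unclosed or mis-nested elements fail here
    catch { return @("Not well-formed XML: $($_.Exception.Message)") }

    $problems = @()
    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'RuleCollection') {
        return @("Root element is <$($root.LocalName)>, expected <RuleCollection>")
    }
    if ($root.GetAttribute('Type') -notin 'Appx','Dll','Exe','Msi','Script') {
        $problems += "Unexpected Type '$($root.GetAttribute('Type'))'"
    }
    if ($root.GetAttribute('EnforcementMode') -notin 'NotConfigured','AuditOnly','Enabled') {
        $problems += "Unexpected EnforcementMode '$($root.GetAttribute('EnforcementMode'))'"
    }

    $seen = @{}
    foreach ($rule in $root.SelectNodes('FilePathRule | FilePublisherRule | FileHashRule')) {
        $id = $rule.GetAttribute('Id')
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($id, [ref]$guid)) { $problems += "$($rule.LocalName): Id '$id' is not a GUID" }
        elseif ($seen.ContainsKey($id)) { $problems += "Duplicate rule Id $id" }
        $seen[$id] = $true
        if ($rule.GetAttribute('Action') -notin 'Allow','Deny') { $problems += "Rule ${id}: Action must be Allow or Deny" }
        if (-not $rule.GetAttribute('UserOrGroupSid')) { $problems += "Rule ${id}: UserOrGroupSid is empty" }
        if (-not $rule.SelectSingleNode('Conditions/*')) { $problems += "Rule ${id}: no condition inside <Conditions>" }
    }
    return $problems
}

# Constructed samples: $truncated stops before </FilePublisherRule> and </RuleCollection>, as a partial paste would.
$complete = @'
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="Sample" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
'@
$truncated = $complete.Substring(0, $complete.IndexOf('</FilePublisherRule>'))

foreach ($sample in @{ Name = 'complete'; Xml = $complete }, @{ Name = 'truncated'; Xml = $truncated }) {
    $found = @(Test-RuleCollectionXml -Xml $sample.Xml)
    if ($found.Count -eq 0) { "$($sample.Name): OK" } else { "$($sample.Name): $($found -join '; ')" }
}
```

An empty result only means the fragment parses and its attributes look sane; it does not confirm that the device has applied the policy.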
