Forum Discussion

Sk-73's avatar
Sk-73
Iron Contributor
Apr 13, 2022

AppLocker profile doesn't work

Dear all, I have created a AppLocker profile, but not successfully. Have no idea why. OMA-URI : ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy Data Type: String Va...
Intune
Software Management
Sk-73's avatar
Sk-73
Iron Contributor
Apr 13, 2022

HiRudy_Ooms_MVP Thank you. I just deleted the old configuration profile and create a new one but still failed.

 

 

 

<RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
 
I just found and follow the https://sccmentor.com/2021/01/11/using-proactive-remediations-to-remove-google-chrome/comment-page-1/ create a new configuration profile (PROACTIVE REMEDIATIONS) as u mentioned.

 

Waiting for the outcome.

Rudy_Ooms_MVP's avatar
Rudy_Ooms_MVP
MVP
Apr 13, 2022
What happens without that chrome part? just start with a basic export from applocker and import it into Intune to see what happens.
It only occurring on 1 device or multiple?
  • Sk-73's avatar
    Sk-73
    Iron Contributor
    Apr 13, 2022

    Hi Rudy_Ooms_MVP 

    I just found something. The Remediation status show Not run.

    Below is the Remediation script I uploaded:

    # Start-Process Installers and Arguments
    $Installer = "$env:ProgramFiles\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
    $InstallerX86 = "${env:ProgramFiles(x86)}\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
    $Arguements = "--uninstall --chrome --system-level --multi-install --force-uninstall"

    $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)').VersionInfo
    $ChromeVersion = $chromeInstalled.ProductVersion

    # Check for x64 Chrome
    $Chromex64 = "C:\Program Files\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
    $FileExistsx64 = Test-Path $Chromex64

    # Check for x86 Chrome
    $Chromex86 = "C:\Program Files (x86)\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
    $FileExistsx86 = Test-Path $Chromex86

    # Remove x64 Chrome
    If ($FileExistsx64 -eq $True) {
    Start-Process $Installer $Arguements -Wait
    }

    # Remove x86 Chrome
    If ($FileExistsx86 -eq $True) {
    Start-Process $InstallerX86 $Arguements -Wait
    }

     

    Below is the setting.

     

    Do you have any clue of why the remediation not run?

    • Rudy_Ooms_MVP's avatar
      Rudy_Ooms_MVP
      MVP
      Apr 13, 2022
      the remediation part is only launched when the detection exits with an 1.... so start looking at the detection script i guess
      • Sk-73's avatar
        Sk-73
        Iron Contributor
        Apr 14, 2022

        Hi, Rudy_Ooms_MVP Below attached is the current status, it seems like the detection script working, but the remediation script is still not running.

         

  • Sk-73's avatar
    Sk-73
    Iron Contributor
    Apr 13, 2022

    Hi, Rudy_Ooms_MVP I have deleted the applocker profile yesterday, then I create the Proactive remediations. But still not successful.

     

    I do not see any error msg in Intune manager, at the same time, the Google Chrome is still there on my laptop... The group I assigned have two accounts, me and my colleague, is a user group...

     

Resources