SOLVED

AppLocker CSP, grouping and multiple policies

Morning all,

Very shortly my organisation will be looking to migrate the AppLocker policy management from GPO to MEM which has raised a few questions.

1. Can you assign multiple AppLocker CSP policies to a target device? I have always assumed that you can only assign the CSP once as it does not have merge support.

2. I have read about grouping GUIDs in the CSP OMA-URI path, anyone have any practical experience in using this feature?

3. We need to manage the rule set better so we are looking at AaronLocker for management. Now the output is a single XML file which is great for GPO but not CSP. Anyone have a PowerShell script which can split the RuleCollection Type="xxx" into separate files to make the upload to the CSP easier?

4. Anyone have a PowerShell to automate the creation of an AppLocker CSP policy and upload the XML components? Looking to have a process which new AppLocker changes will create a new policy to avoid human error and allow strict testing before mass deployment.

Regards

Mike

6 Replies
best response confirmed by MikePalmer75 (Contributor)
Solution
Hi, I guess these could be the answers you are looking for:

1. One CSP, one AppLocker policy :) https://call4cloud.nl/2021/01/applocker-the-meltdown/
2. Check my blog in question 4
3. Notepad and export the rules to separate files? Takes a couple of minutes
4. https://call4cloud.nl/2020/06/applocker-a-la-minute/

Hi @Rudy_Ooms_MVP,

Thank you for coming back to me so quickly. Will take a look at your PowerShell script for the importing using MS Graph shortly.

Regards

Mike

@Rudy_Ooms_MVP looked at the PowerShell script and the JSON file. What data format are the value fields in? For example, if I was to load the JSON into PowerShell and wish to replace the value content with the data from an updated exe.xml, what would I need to convert it into?

Mike

Asked my own question :) The value field is encoded in Base 64.

@MikePalmer75

Hehe, it is indeed :), did it work for you?

Not going to get a chance this week to try an import. Now researching how to take our full AppLocker XML, which is managed by GPO, and split it into the five separate XML files so I can automate the whole process from start to end.

My objective is to manage the rules using AaronLocker, then take the output, split it down and then upload the new policy to MEM, all using PowerShell. Makes it easier to manage and removes human error.
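
The split-and-encode step discussed in this thread, as an added example that is not part of any post above and is not the linked blog's script. `Split-AppLockerPolicy` is a hypothetical helper name; the mapping from RuleCollection Type to the AppLocker CSP node names (EXE, MSI, Script, DLL, StoreApps) and the use of UTF-8 for the Base64 value are assumptions to check against your tenant, and the sample policy is constructed.

```powershell
# Added example, not from the thread. Splits a full AppLocker policy into one
# <RuleCollection> XML file per type and Base64-encodes each for the Graph payload.
function Split-AppLockerPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyXml,   # full policy XML as text
        [Parameter(Mandatory)][string]$OutputDir
    )
    # RuleCollection Type -> AppLocker CSP node (assumption: Appx maps to StoreApps)
    $cspNode = @{ Exe = 'EXE'; Msi = 'MSI'; Script = 'Script'; Dll = 'DLL'; Appx = 'StoreApps' }

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($PolicyXml)
    $dir = (New-Item -ItemType Directory -Path $OutputDir -Force).FullName

    foreach ($rc in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $type = $rc.GetAttribute('Type')
        if (-not $cspNode.ContainsKey($type)) {
            Write-Warning "Skipping unknown RuleCollection Type '$type'"; continue
        }
        # A collection with no rule elements has nothing to upload
        if ($rc.SelectNodes('*').Count -eq 0) {
            Write-Warning "Skipping empty $type collection"; continue
        }
        $xml  = $rc.OuterXml
        $file = Join-Path $dir ("{0}.xml" -f $type.ToLower())
        # UTF-8 without BOM (assumption): same bytes on disk and in the Base64 value
        $bytes = (New-Object System.Text.UTF8Encoding($false)).GetBytes($xml)
        [System.IO.File]::WriteAllBytes($file, $bytes)
        [pscustomobject]@{
            Type    = $type
            CspNode = $cspNode[$type]
            File    = $file
            Base64  = [Convert]::ToBase64String($bytes)
        }
    }
}

# Constructed sample policy (not a real rule set): one Exe rule, one empty Msi collection
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
Split-AppLockerPolicy -PolicyXml $sample -OutputDir (Join-Path $env:TEMP 'applocker-split') |
    Format-Table Type, CspNode, File
```

For a real policy, pass the exported file's text with `Get-Content -Raw` and review each generated file before it goes into a test policy.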