AppLocker profile doesn't work

Dear all,

I have created an AppLocker profile, but not successfully. I have no idea why.

OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/EXE/Policy
Data Type: String
Value:
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
<FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions>
<FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
 

Will be grateful for any help you can provide.

Thanks.

 

@Sk-73 

 

I would recommend starting by using the "string (XML file)" data type, as I have seen it happen a lot when using "string".

 

When selecting the XML you will get an error when it is not properly formatted, besides this...

I would change the last part.. (or you forgot to copy some stuff :) )

 

</Conditions>
</FilePublisherCondition>
</RuleCollection>

 

As shown below, you could check it out yourself by editing the XML.

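The same check can be run locally on the device. The script below is an added example, not code from the thread or from Intune: it casts the pasted RuleCollection to XML so that a missing closing tag fails loudly (the plain "String" value in Intune accepts a truncated fragment without complaint), wraps it in the AppLockerPolicy envelope that the AppLocker cmdlets expect (the CSP itself wants only the bare RuleCollection), and asks Test-AppLockerPolicy what the rules decide for chrome.exe and for a Windows binary. It then reads back the effective policy, the Application Identity service state and recent AppLocker EXE events, which is where a profile that was delivered but never applied shows up. The rule XML is copied from the original post; the temp file name is an assumption, and the script assumes an elevated PowerShell session on the target Windows device.

```powershell
# Added example: verify an AppLocker Exe RuleCollection locally before/after pushing it via Intune.
# Not code from the thread. Assumes an elevated PowerShell session on a Windows device with the AppLocker module.
Import-Module AppLocker

# The RuleCollection exactly as pasted into the Intune "String (XML file)" value (copied from the post).
$ruleCollection = @'
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
  </FilePathRule>
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions><FilePathCondition Path="*" /></Conditions>
  </FilePathRule>
  <FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
'@

# 1. Well-formedness. Casting to [xml] throws on the first structural error (e.g. a missing closing tag).
try {
    $null = [xml]$ruleCollection
    Write-Host "RuleCollection is well-formed XML."
} catch {
    Write-Error "RuleCollection is not well-formed XML: $($_.Exception.Message)"
    return
}

# 2. Wrap it in the envelope the AppLocker cmdlets expect and save it to a temp file (path is an assumption).
$policyFile = Join-Path $env:TEMP 'applocker-test.xml'
'<AppLockerPolicy Version="1">' + "`n" + $ruleCollection + "`n</AppLockerPolicy>" |
    Set-Content -Path $policyFile -Encoding UTF8

# 3. Ask the policy what it would decide for Everyone (S-1-1-0) on binaries that exist on this device.
$candidates = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",          # expected: Denied (publisher rule)
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",   # expected: Denied (32-bit install)
    "$env:windir\notepad.exe"                                          # expected: Allowed (%WINDIR% rule)
) | Where-Object { Test-Path $_ }
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $candidates -User 'S-1-1-0' |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. What did the device actually receive? No Exe collection means the profile never landed.
$effective = [xml](Get-AppLockerPolicy -Effective -Xml)
$exe = $effective.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
if ($exe) {
    Write-Host ("Effective Exe collection: mode={0}, rules={1}" -f $exe.EnforcementMode, @($exe.ChildNodes).Count)
} else {
    Write-Host "No effective Exe rule collection on this device."
}

# 5. Rules are only enforced while the Application Identity service is running.
Get-Service AppIDSvc | Format-Table Name, Status, StartType -AutoSize

# 6. Enforcement evidence: 8004 = blocked, 8003 = would have been blocked (audit only).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object Id -in 8003, 8004 |
    Format-Table TimeCreated, Id, Message -Wrap
```

If step 1 fails, the value pasted into Intune is the problem and nothing further on the device will tell you more; if step 4 shows no Exe collection while the profile reports success, the assignment or the OMA-URI is the next thing to check, and an 8004 event is the only positive proof that the Chrome deny rule is actually doing something.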
 

Hi @Rudy_Ooms_MVP, thank you. I just deleted the old configuration profile and created a new one, but it still failed.

<RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="13bd601b-0f03-4ac1-bd80-ebaf375db674" Name="CHROME.EXE, in GOOGLE CHROME, from O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
</RuleCollection>

I just found and followed the article to create a new configuration profile (Proactive Remediations) as you mentioned.
Waiting for the outcome.

What happens without that Chrome part? Just start with a basic export from AppLocker and import it into Intune to see what happens.
Is it only occurring on one device or multiple?

Hi @Rudy_Ooms_MVP, I deleted the AppLocker profile yesterday, then I created the Proactive Remediation. But it is still not successful.

I do not see any error message in Intune; at the same time, Google Chrome is still there on my laptop... The group I assigned is a user group with two accounts, me and my colleague...

 

Hi @Rudy_Ooms_MVP 

I just found something. The Remediation status shows "Not run".

Below is the Remediation script I uploaded:

# Resolve the installed Chrome version first: the installer paths below depend on it,
# so it has to be set before they are built.
$chromePath = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)'
If (-not $chromePath -or -not (Test-Path $chromePath)) {
    Write-Output "Chrome not registered under App Paths; nothing to remediate."
    Exit 0
}
$ChromeVersion = (Get-Item $chromePath).VersionInfo.ProductVersion

# Start-Process installers and arguments (chrmstp.exe is Chrome's own setup/uninstall helper)
$Installer    = "$env:ProgramFiles\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$InstallerX86 = "${env:ProgramFiles(x86)}\Google\Chrome\Application\$ChromeVersion\Installer\chrmstp.exe"
$Arguments    = "--uninstall --chrome --system-level --multi-install --force-uninstall"

# Remove x64 Chrome
If (Test-Path $Installer) {
    Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait
}

# Remove x86 Chrome
If (Test-Path $InstallerX86) {
    Start-Process -FilePath $InstallerX86 -ArgumentList $Arguments -Wait
}

 

Below is the setting.

Do you have any clue why the remediation did not run?

The remediation part is only launched when the detection exits with a 1... so start looking at the detection script, I guess.
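
A detection script that honours that contract, as an added example (not code from the thread or from Intune): exit code 0 tells Intune the device is compliant and the remediation is skipped, exit code 1 marks it non-compliant and the paired remediation script runs. It looks for Chrome the same three ways the posted remediation would need it to exist: the App Paths registration the remediation reads, the chrome.exe binaries in both Program Files trees, and the chrmstp.exe helper the uninstall depends on. The registry key and paths are the ones already in the thread; the output strings are my own.

```powershell
# Added example: Proactive Remediations detection script for the Chrome case above. Not code from the thread.
# Contract: exit 0 = compliant (remediation is not launched); exit 1 = non-compliant (remediation runs).
# Assumes a machine-wide Chrome install, which registers itself under App Paths.

$found = @()

# 1. Registry registration of chrome.exe (the same key the posted remediation script reads).
$appPath = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe' -ErrorAction SilentlyContinue).'(Default)'
if ($appPath -and (Test-Path $appPath)) {
    $version = (Get-Item $appPath).VersionInfo.ProductVersion
    $found += "AppPaths: $appPath (v$version)"
}

# 2. Binaries on disk in both install locations, in case the registry entry is stale or missing.
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    $exe = Join-Path $root 'Google\Chrome\Application\chrome.exe'
    if (Test-Path $exe) { $found += "Disk: $exe" }
}

# 3. The uninstall helper the remediation calls; without it the remediation has nothing to run.
$helpers = Get-ChildItem -Path "$env:ProgramFiles\Google\Chrome\Application", "${env:ProgramFiles(x86)}\Google\Chrome\Application" `
    -Filter chrmstp.exe -Recurse -ErrorAction SilentlyContinue
if ($helpers) { $found += "Installer helper: $($helpers.FullName -join ', ')" }

if ($found.Count -gt 0) {
    # This line is what Intune shows as the pre-remediation detection output.
    Write-Output ("Chrome present: " + ($found -join '; '))
    exit 1    # non-compliant -> Intune launches the remediation script
}

Write-Output "Chrome not detected"
exit 0        # compliant -> remediation is not launched
```

Two package settings matter for this pair: the remediation uninstalls a system-level Chrome, so "Run this script using the logged-on credentials" should be No (the scripts then run as SYSTEM), and "Run script in 64-bit PowerShell" should be Yes, because in a 32-bit PowerShell process on 64-bit Windows $env:ProgramFiles resolves to the Program Files (x86) folder and the 64-bit install is never seen.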

Hi @Rudy_Ooms_MVP, attached below is the current status. It seems like the detection script is working, but the remediation script is still not running.

 
