Kiosk XML - Whitelist apps in %userprofile%

Hi all,

I have a problem with my multi-app kiosk config (Assigned Access XML in Intune -> ./Device/Vendor/MSFT/AssignedAccess/Configuration). I want my users to have the choice whether to use Teams, StarLeaf, Zoom etc., but just StarLeaf isn't working.

 

Die Ausführung von %PROGRAMFILES%\STARLEAF\STARLEAF\STARLEAF.EXE wurde zugelassen. (fine)

Die Ausführung von %PROGRAMFILES%\STARLEAF\STARLEAF\MISC\STARLEAFINSTALLER.EXE wurde zugelassen. (fine)

Die Ausführung von %OSDRIVE%\USERS\063690\APPDATA\LOCAL\STARLEAF\STARLEAF\1\STARLEAF.EXE wurde verhindert. (blocked)

 

Is there any way to whitelist apps installing in the userprofile directory?


 

 

<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration 
    xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
    xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
    >
    <Profiles>
        <Profile Id="{a4457869-7414-4c11-bb0b-50fdff39d54a}">
            <AllAppsList>
                <AllowedApps>
                    <App AppUserModelId="StarLeaf.Breeze2.Windows.2" />
                    <App DesktopAppPath="%USERPROFILE%\AppData\Local\StarLeaf\StarLeaf\1\StarLeaf.exe" />
                    <App DesktopAppPath="C:\PROGRAM FILES (x86)\StarLeaf\StarLeaf\StarLeaf.exe" />
                    <App DesktopAppPath="C:\PROGRAM FILES (x86)\StarLeaf\StarLeaf\MISC\StarLeafInstaller.exe" />
                </AllowedApps>
            </AllAppsList>
            <StartLayout>
                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
  <LayoutOptions StartTileGroupCellWidth="6" />
  <DefaultLayoutOverride>
    <StartLayoutCollection>
      <defaultlayout:StartLayout GroupCellWidth="6">
        <start:Group Name="Conferencing">
          <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="StarLeaf.Breeze2.Windows.2" />
        </start:Group>
      </defaultlayout:StartLayout>
    </StartLayoutCollection>
  </DefaultLayoutOverride>
</LayoutModificationTemplate>
                ]]>
            </StartLayout>
            <Taskbar ShowTaskbar="true"/>
        </Profile>
    </Profiles>
    <Configs>
        <Config>
            <UserGroup Type="AzureActiveDirectoryGroup" Name="057b819d-453c-4c25-8358-141e207d8076" />
            <DefaultProfile Id="{a4457869-7414-4c11-bb0b-50fdff39d54a}"/>
        </Config>
    </Configs>
</AssignedAccessConfiguration>

 

 

 

Thanks in advance! 

2 Replies

@fjaeger86 You can whitelist the apps by installing the same on your test computer and creating a new rule by mapping the path to /user/appdata/roaming/<appname>

 

 

 

Once implemented, it will block even administrators from performing certain installation tasks. In order to overcome this, there is a workaround to remove the policy by deleting the entire folder of the deployed policies.

 

 

Temp Solution (the policies will get reapplied automatically once the user syncs the settings):

Step 1: C:/windows/system32/AppLocker/ <delete the entire content in this folder>

Step 2: CMD: gpupdate /force

Reference: Windows 10 AppLocker Policies still affect after disabling the service


 

Whitelisting applications is really important before applying changes

 

 

Unsigned applications cannot be whitelisted using the standard rule. It needs to be installed on the machine which is used to whitelist the app. This can be achieved by selecting a file hashing rule.

 

 

AppLocker can be configured to allow only signed applications to run on the system.

To resolve this issue, you can configure AppLocker to create an exception for pgAdmin4 without requiring it to be signed. Here are the general steps to create an exception:

  • Open the "Local Security Policy" editor by searching for it in the Start Menu or using the secpol.msc command.

  • Navigate to "Security Settings" -> "Application Control Policies" -> "AppLocker".

  • Right-click on "Executable Rules" or "Packaged App Rules" and select "Create New Rule".

  • Follow the wizard to create a new rule allowing, e.g., pgAdmin4 v7 to run without requiring it to be signed.

(Here we used the pgAdmin4 v7 whitelist, which is not signed by the developers.)

 

 

The client should have the same version installed on his/her machine to make AppLocker work.

Note that the exact steps may vary depending on your specific version of Windows and configuration, but this should give you an idea of how to resolve the issue.

 

 

 

How to Implement Applocker using Intune

In case you don't understand, please refer to the video: Basics of deploying Windows AppLocker using Intune

Applocker is a set of policies/rules to allow or deny apps from running on your Windows device. Applocker helps to improve the overall security of all the devices in your organization by controlling the execution of applications, scripts, DLL files, packaged apps, etc.

What are the requirements for Applocker?

  • If you are using Intune Applocker CSP policies to manage and deploy Applocker, then any edition of Windows 10 and Windows 11 is supported.

  • If you are using Active Directory Group Policy to manage and deploy Applocker, then devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016 are supported.

  • The Application Identity service should not be disabled because it determines and verifies the identity of an app. Stopping this service will prevent AppLocker policies from being enforced. If the Application Identity service is set to Manual (Trigger Start), which is its default status, it will still work fine; there is no need to keep the service always in the running state or to deploy a PowerShell script to change it to Automatic and Running status.

You can create Applocker rules for the file types below:

  • Executable files: .exe and .com

  • Windows Installer files: .msi, .mst, and .msp

  • Scripts: .ps1, .bat, .cmd, .vbs, and .js

  • DLLs: .dll and .ocx

  • Packaged apps and packaged app installers: .appx and .msix

Applocker Tips

When you create an Applocker policy, you will have the option to create either an Allow rule or a Deny rule. If there are no rules created for a specific rule collection, then all files with that file format are allowed to run. For example, if you have not created any rules under the Executable files rule collection, all .exe and .com files will be allowed to run.

If you start creating rules in a rule collection (either allow or deny rules), only files which are explicitly allowed are permitted to run. For example, if you create a rule under Executable Files to allow all files under the C:\Program Files\* folder, then all .exe and .com files under the Program Files location will be permitted to run and all .exe and .com files which are outside the Program Files folder will be blocked with the message “This app has been blocked by your system administrator“. You can then create rules specific to the file and choose the option to either allow or deny its execution.

Please note you can create both allow and deny rules. Deny actions override allow actions in all cases. Microsoft's recommendation is to use the allow action with exceptions. However, you can have both allow and deny rules as per your organization's requirements.

 

How to Create an Applocker Policy

To create an Applocker policy, you need to log in as an administrator on any Windows 10 or Windows 11 device and follow the steps below:

Enable Applocker Rule Enforcement

  • Click on Start -> Type Run -> Type secpol.msc.

  • Expand Application Control Policies.

  • Right-click AppLocker and click on Properties.

  • Under the Enforcement tab, select the checkbox for Executable rules and select Enforce rules. This will enforce Executable Rules when the policy is applied. Instead of Enforce rules, you can also select the Audit option. The Audit option will not enforce the rules and only generates audit events in the Event Logs when a user performs an action which matches the Applocker rules.

If there are any other types of rules you are creating under Windows Installer Rules, Script Rules and Packaged app Rules which you want to enforce on the target device, then check the box next to the corresponding option. For now, I have created rules under Executable rules only, therefore I have only checked and selected Enforce rules under the Executable rules option.

I would recommend to check all to be on the safer side.

 

Create Applocker Policy Rules

Once you have configured Applocker rule enforcement, you can create the rules as per your requirement. There are two types of rules you can create, Allow and Deny. You should start with creating the default rules first, which whitelist the Program Files and Windows folders.

Program Files contains all your installed applications and the Windows folder contains operating system files. Therefore, it's recommended to whitelist / allow both these locations. To create the default rules:

  • Click on Start -> Type Run -> Type secpol.msc.

  • Expand Application Control Policies.

  • Expand AppLocker.

  • Right-click on Executable Rules and click on Create Default Rules.

 

 

The default rules below will be created under Executable Rules:

Everyone will be able to execute files from:

  • C:\Program Files folder.

  • C:\Windows folder.

  • Administrators have no restrictions; they can execute and run files from anywhere.

Create Default Rules corresponding to each Applocker rule collection by right-clicking on Windows Installer Rules, Script Rules, Packaged app Rules and clicking Create Default Rules.

These default rules can be modified as per your requirement. For example, you can also add a rule to allow the C:\Program Files (x86) folder by creating an allow rule. You can also deny execution of certain programs by creating a Deny rule.

How to create Applocker Deny rule for an application

As we want to block executable (.exe) files by creating a deny rule, we will be creating all the rules under the Executable Rules rule collection. Let’s create a deny rule to block the Google Chrome application.

  • Click on Start -> Type Run -> Type secpol.msc.

  • Expand Application Control Policies.

  • Expand AppLocker.

  • Right-click on Executable Rules and click on Create New Rule.

Click on Next if you see the Before You Begin screen. On the Permissions screen, select the Deny action.

 
 

 

Select Publisher.

To use a publisher condition, the files must be digitally signed by the software publisher, or you must do so by using an internal certificate.

Click on Browse and browse to the Google Chrome application. The Google Chrome application is installed at the C:\Program Files\Google\Chrome\Application location. Select the chrome.exe file. Please note the slider and move it up one level to generalize the File version.

If you keep the slider down, then the rule will be created for the selected chrome.exe file version only. For example, if the chrome.exe you selected is version 16.0.342, then the next time the application is updated to version 17.0, this rule will not work unless you update this Applocker rule.

Therefore, if you want to create a rule which will work irrespective of the Google Chrome version, move this slider up a bit. File version will show as *, which means that it's valid for all application versions. The same applies when creating a rule for other applications as well.

 

 

On the Exceptions window, select Next as we do not want to add any exceptions to this rule.

 

 

You can change the name of the Applocker rule to a simpler name. For example, I have provided the Name and Description below.

  • Name: Block CHROME.EXE.

  • Description: This Deny Rule will Block Execution of Google Chrome Program on the Devices.

 

 

Once the rule is created, you should be able to find the rule under the Executable Rules rule collection. As you can see in the screenshot below, there is a Deny rule we created for blocking the Google Chrome application.

 

 

How to Export Applocker Policy

We have created all the rules we needed in our Applocker policy. We can now export the policy to an XML file.

To export the Applocker policy, follow the steps below:

  • Click on Start -> Type Run -> Type secpol.msc.

  • Expand Application Control Policies.

  • Right-click on AppLocker and select Export Policy.

  • Provide the file name and location where you want to save this XML file.

 

How to Deploy Applocker rules using Intune

Once we have divided our XML file into multiple files with respect to each rule collection, we can create a device configuration profile to deploy these rules to target devices. Follow the steps below to create a device configuration profile in Intune.

  • Log in to the Microsoft Endpoint Manager admin center.

  • Click on Devices.

  • Click on Configuration Profiles.

  • Click on +Create Profile.

  • Select Platform: Windows 10 and later.

  • Profile type: Templates.

  • Template Name: Custom.

Basics Tab

  • Name: Applocker Policy

  • Description: This is a Device Configuration Profile to Implement applocker rules on all organization devices.

Configuration Tab

Click on Add to add an OMA-URI setting.

You can find more information about the Applocker CSP at AppLocker CSP - Windows Client Management.

  • Name: EXE Rule Collection

  • Description: Executable Rules

  • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/EXE/Policy

  • Data type: String

  • Value: Paste the RuleCollection corresponding to the EXE rule collection, copied from the exported XML file.

If you have created rules under the Windows Installer Rules, Script Rules, Packaged app Rules or DLL rule collections as well, then you can copy the rules from the exported XML file and paste them into the Value text box under a separate OMA-URI by clicking on the Add button.

OMA-URI for each Rule Collection:

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/app/MSI/Policy

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/app/Script/Policy

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/app/StoreApps/Policy

  • ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/app/DLL/Policy

 

Applocker Rules Storage Location on End User Device

We have created an Applocker policy and deployed it using Intune to the target devices. Applocker rules deployed using Intune are cached at the C:\Windows\System32\AppLocker\MDM location.

The Applocker policy which we deployed to the target device using Intune was located at C:\Windows\System32\AppLocker\MDM\133059143793535136\95A24146-BB1B-41EA-8315-D7AC88A87976\AppLocker\ApplicationLaunchRestrictions\apprulset0001\EXE.

Some unique values in the path could be different in your case, but you can start at the C:\Windows\System32\AppLocker\MDM location and traverse the folders to find your Applocker policy. There is a Policy file which you can open with Notepad. The Policy file contains the RuleCollection XML for the EXE rules which we deployed via Intune.
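As an added example that is not part of either reply, the PowerShell below does with the AppLocker module what the GUI steps above describe for an unsigned per-user app: it builds a hash allow rule (or a publisher rule if the file turns out to be signed) for the StarLeaf path from the original post, dry-runs the policy with Test-AppLockerPolicy before anything is deployed, and extracts the EXE RuleCollection that the Intune OMA-URI value expects. The output file names and the rule name prefix are assumptions.

```powershell
# Added example, not the thread's own code. Run in an elevated PowerShell on a
# Windows machine where the same version of the app is installed: a hash rule
# matches exactly one binary and must be regenerated after every app update.
Import-Module AppLocker

# Per-user install path taken from the original post; adjust for your application.
$exePath   = Join-Path $env:LOCALAPPDATA 'StarLeaf\StarLeaf\1\StarLeaf.exe'
$policyXml = Join-Path $env:TEMP 'StarLeaf-AppLocker.xml'            # assumed output file
$exeOnly   = Join-Path $env:TEMP 'StarLeaf-EXE-RuleCollection.xml'   # assumed output file

# 1. Read hash, path and (if signed) publisher information for the binary.
$fileInfo = Get-AppLockerFileInformation -Path $exePath

# 2. Prefer a Publisher rule when the file is signed (it survives version updates);
#    fall back to a Hash rule for unsigned binaries, as the reply advises.
$ruleType = if ($fileInfo.Publisher) { 'Publisher' } else { 'Hash' }
New-AppLockerPolicy -FileInformation $fileInfo -RuleType $ruleType -User Everyone `
    -RuleNamePrefix 'StarLeaf' -Xml | Set-Content -Path $policyXml -Encoding UTF8

# 3. Dry run: the decision for the file must be Allowed before the XML is deployed.
$decision = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $exePath -User Everyone
$decision | Select-Object FilePath, PolicyDecision, MatchingRule
if ($decision.PolicyDecision -ne 'Allowed') { throw "Rule does not allow $exePath" }

# 4. Keep only the EXE RuleCollection: that fragment, not the whole policy, is the
#    Value for ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/EXE/Policy.
[xml]$doc = Get-Content -Path $policyXml -Raw
$doc.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' } |
    ForEach-Object { $_.OuterXml } | Set-Content -Path $exeOnly -Encoding UTF8

# 5. On the kiosk, after the Intune profile has applied: confirm the rule is part of
#    the effective (merged) policy and not only cached under System32\AppLocker\MDM.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' } |
    ForEach-Object { $_.ChildNodes } |
    Select-Object @{n='Rule';e={$_.GetAttribute('Name')}}, @{n='Action';e={$_.GetAttribute('Action')}}
```

Step 5 only shows what AppLocker itself enforces; whether the Assigned Access allow list also accepts the path is a separate check against the kiosk's own event log lines like the ones quoted in the question.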

 

 

 

 

 



@Sanoj_Vettat and @fjaeger86 I cannot get this to work, that is, I have a stupid application that is installed/copied in the user's profile and it does not have an AUMID, and even though I copy the shortcut to the C:\ProgramData\Microsoft\Windows\Start Menu\Programs folder no AUMID gets created. Also I have created an Applocker policy to allow it and distribute it via Intune; I see it gets applied but the app still gets denied. Seems that Assigned Access and the Applocker policy do not merge.

Does anyone have a proper solution for this, or is this just not possible?