Hot Take Applocker on Windows Home.

[Andy Ful]

If one asks security experts about Applocker, then many of them know that Applocker can work via GPO on Windows Enterprise, Education, or Server editions. Here is the info from Microsoft (related to Windows 10 and 11):

You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM). You can only manage AppLocker with Group Policy on devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016.

Requirements to use AppLocker

This article for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems.

learn.microsoft.com

But, as we can see from the above info, Applocker can work on Windows 10 and 11 without GPO, when managed by MDM. It is interesting because currently there are issues with Software Restriction Policies on Windows 11 ver 22H2. After some research, I found an interesting article about this possibility, written by Sandy Zeng:
:

Does AppLocker work in Windows 10 Pro? Yes, it does! - MSEndpointMgr

MSEndpointMgr Does AppLocker work in Windows 10 Pro? Yes, it does! In this post, I will show you how to maange AppLocker rules for Windows 10 Pro, by using PowerShell.

msendpointmgr.com

Sandy is skilled in Microsoft Endpoint Manager (ConfigMgr and Intune), Windows 10 and security. She applied Applocker policies for EXE files via MDM WMI Bridge. I tested this successfully also on Windows Home.
After some trial and error work, I managed to create some PowerShell scripts, similar to those used in the article. These scripts can create/add/remove Applocker policies also for DLLs, scripts, MSI Installer, and packaged apps.

Some interesting resources:

Enable AppLocker on Windows 10 Pro and Windows 11 Pro with PowerShell

In the past, AppLocker was available only for Windows Enterprise and Education subscribers. In this post, I will show you a way to use AppLocker on Windows 10 Pro and Windows 11 Pro.

4sysops.com

Applocker | Windows Pro | WMI Bridge | Deploy without Intune

Windows Pro | Deploy Applocker Without Intune | rootcimv2mdmdmmap | WBEMTest | WMI Bridge |

call4cloud.nl

MSIntune/Intune-PowerShell/AppLocker at master · sandytsang/MSIntune

Contribute to sandytsang/MSIntune development by creating an account on GitHub.

github.com

Edit.

Warning!!!
I strongly recommend making a System Restore Point before applying the Applocker rules.

 

[Andy Ful]

Currently, I am testing a simple Applocker policy as a more usable replacement for Smart App Control on Windows 11. This policy work as follows:

1. The digitally signed applications (EXE files and MSI Installers) are allowed by default.
2. Unsigned applications and all scripts are blocked by default, except when they are in %WinDir% or %ProgramFiles% folders.
3. The DLLs are allowed or blocked just as EXE files.
4. The policies can be easily turned OFF/ON.

This solution is similar to SAC on Windows 11, but SAC will block some unsigned applications installed in %ProgramFiles% (and also some signed applications that use unsigned DLLs). Furthermore, SAC cannot be temporarily switched OFF.

 

[ForgottenSeer 97327]

@Andy Ful

Great initiative. As a happy user of WDAC on Windows10Pro, I have one feature request.

Could you add an option to enable or disable the signed prerequisite for DLL's? I have seen some signed software which used unsigned DLL's running in user space folders. Second reason is that I thought Applocker did not block dotNet DLL's. so blocking DLL's is only a partial solution (as said I thought I had read that somewhere, but I would not stick my hand into a fire for that claim).

Thanks

Max

 

[Andy Ful]

@Andy Ful

Could you add an option to enable or disable the signed prerequisite for DLL's? I have seen some signed software which used unsigned DLL's running in user space folders.

It could be done, as many other possibilities. But, this would also require a full-fledged application similar to Hard_Configurator or Simple Windows Hardening. For now, I think about something very simple without losing the level of security provided by SAC.
Allowing unsigned DLLs in UserSpace is possible with a properly designed (classic) SRP, like with Hard_Configurator settings. The security design provided by Applocker (SRPV2) is different and requires DLL blocking - otherwise, one should block LOLBins to avoid bypassing Applocker.
I am not sure for now which option would be more useful for home users. Microsoft has chosen to block DLLs when using SAC.

Second reason is that I thought Applocker did not block dotNet DLL's. so blocking DLL's is only a partial solution (as said I thought I had read that somewhere, but I would not stick my hand into a fire for that claim).

If I correctly recall, only (classic) SRP cannot block .NET DLLs and Applocker (SRPV2) can correctly block them. For example:
https://www.linkedin.com/pulse/applocker-bypass-execute-dll-signed-binary-morten-brok

The author uses .NET DLL (C# ) to bypass Applocker, but the requirement for the bypass is execution from the whitelisted folder.

 

[ForgottenSeer 97327]

@Andy Ful when can we try it?

 

[Andy Ful]

@Andy Ful when can we try it?

For now, I am using 2 PowerShell scripts in my real system. One to create the Applocker restrictions and the second to remove these restrictions. I can share them for testing. The system privileges are required to run the scripts, so something like AdvancedRun (Nir Soft utility) is required. The DLs are usually blocked silently, so one must look into the Event Log (Applocker/EXE and DLL, event ID=8004), or set an action for the event ID=8004. The scripts are rather simple, for example, the script that removes restrictions looks as follows:

<#
.SYNOPSIS
    This function will delete AppLocker settings applied via MDM WMI Bridge

.CREDITS
    The script is based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
    https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$className = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='DLL'"  | Remove-CimInstance

$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='EXE'"  | Remove-CimInstance

$className = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='MSI'"  | Remove-CimInstance

$className = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='Script'"  | Remove-CimInstance

$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'"  | Remove-CimInstance

 

[Andy Ful]

The script that creates restrictions looks as follows:

<#
.SYNOPSIS
    This function creates new AppLocker settings using MDM WMI Bridge.
    All previous rules will be deleted.

.CREDITS
    The script is based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
    https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$classNameDLL = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'"  | Remove-CimInstance

$classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'"  | Remove-CimInstance

$classNameMSI = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'"  | Remove-CimInstance

$classNameScript = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'"  | Remove-CimInstance

$classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'"  | Remove-CimInstance

Add-Type -AssemblyName System.Web

#This is example Rule Collection for EXE
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="9ab086ea-40a8-4b05-875b-f9fdf9962ba8" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}


#This is example Rule Collection for MSI
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="All files located in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Installer\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*.*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="All scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="All scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="All DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="All DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj}

WARNING!!!
If one would like to modify the script, then please remember to not block PowerShell (powershell.exe).
The restrictions for EXE files (and also DLLs) block also Administrators. So, PowerShell would be blocked even with high privileges and Applocker management would be impossible.
The restrictions for PowerShell are for .ps1 files (but Administrators can still run scripts) and Constrained Language Mode.

PowerShell can be also blocked with administrative rights. The policies do not block processes started from the system shell (with system privileges).

Warning!!!
I strongly recommend making a System Restore Point before applying the Applocker rules.

Post edited/updated.

 

[ForgottenSeer 97327]

@Andy Ful Thanks for sharing

 

[Andy Ful]

Who can use such protection? Probably many users. There are many inexperienced users who treat computers like devices with predefined functions (TV, washing machine, etc.). They do not bother to change anything.
Most probable scenario:

1. Fresh Windows installation.
2. The experienced user installs all needed applications avoiding unsigned ones.
3. If it is necessary, a few unsigned applications can be installed, too. But, auto-updates for them should be disabled. Updating them (two or three times a year) must be done by an experienced user.
4. The experienced user applies the Applocker protection described in this thread and test if all works well. If not, then the application must be replaced.
5. The computer is ready. The inexperienced user can use it safely.

Such a scenario is possible if an experienced user can manage the computer a few times per year.
It would be nice to gather the popular (recommended) applications that can work well with Applocker from this thread. Also, the list of popular applications that do not work well, could be useful.

 

[ForgottenSeer 97327]

@Andy Ful

Andy-san Would you have a look at below rules? I want to allow DLL's everywhere (because this signed app has unsigned DLL's: link)

Spoiler: Adopted code

<#
.SYNOPSIS
This function creates new AppLocker settings using MDM WMI Bridge.
All previous rules will be deleted.

.CREDITS
The script is based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
MSIntune/Intune-PowerShell/AppLocker at master · sandytsang/MSIntune
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$classNameDLL = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance

$classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance

$classNameMSI = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance

$classNameScript = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'" | Remove-CimInstance

$classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'" | Remove-CimInstance

Add-Type -AssemblyName System.Web

#This is example Rule Collection for EXE
$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
<Exceptions>
<FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
<FilePathCondition Path="%WINDIR%\servicing\packages\*" />
<FilePathCondition Path="%WINDIR%\servicing\sessions\*" />
<FilePathCondition Path="%WINDIR%\tasks\*" />
<FilePathCondition Path="%WINDIR%\temp\*" />
<FilePathCondition Path="%WINDIR%\tracing\*" />
<Exceptions>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%OSDRIVE%\ProgramData\Microsoft\Windows Defender\*" />
</Conditions>
</FilePathRule>
<FilePublisherRule Id="9ab086ea-40a8-4b05-875b-f9fdf9962ba8" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>

</FilePublisherRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}


#This is example Rule Collection for MSI
$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Msi" EnforcementMode="Enabled">
<FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="All files located in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\Installer\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*.*" />
</Conditions>
</FilePathRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Script" EnforcementMode="Enabled">
<FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="All scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="All scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
<Exceptions>
<FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
<FilePathCondition Path="%WINDIR%\servicing\packages\*" />
<FilePathCondition Path="%WINDIR%\servicing\sessions\*" />
<FilePathCondition Path="%WINDIR%\tasks\*" />
<FilePathCondition Path="%WINDIR%\temp\*" />
<FilePathCondition Path="%WINDIR%\tracing\*" />
</Exceptions>
</FilePathRule>
<FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Dll" EnforcementMode="Enabled">
<FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="All DLLs" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
<Exceptions>
<FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
<FilePathCondition Path="%WINDIR%\servicing\packages\*" />
<FilePathCondition Path="%WINDIR%\servicing\sessions\*" />
<FilePathCondition Path="%WINDIR%\tasks\*" />
<FilePathCondition Path="%WINDIR%\temp\*" />
<FilePathCondition Path="%WINDIR%\tracing\*" />
</Exceptions>
</FilePathRule>
</FilePublisherRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj}

I use your ConfigureDefender on Windows home versions and always add Code Integrity Exploit protection rules to Microsoft Office and Edge and add additional "block starting programs" MD Exploit protection restriction to third-party programs living in user space (like this photobook application), so I can live with the reduced protection (excluding user space DLL's)

 

[Andy Ful]

Allowing DLLs in UserSpace means that your protection can be bypassed via DLL hijacking. Here are some examples in the wild:

https://malwaretips.com/threads/simple-windows-hardening.102265/post-945840
https://malwaretips.com/threads/simple-windows-hardening.102265/post-974122
https://malwaretips.com/threads/simple-windows-hardening.102265/post-978585
https://malwaretips.com/threads/simple-windows-hardening.102265/post-985951
https://malwaretips.com/threads/simple-windows-hardening.102265/post-988985
https://malwaretips.com/threads/simple-windows-hardening.102265/post-995348
https://malwaretips.com/threads/simple-windows-hardening.102265/post-998128
https://malwaretips.com/threads/tes...against-security-features.101171/post-1001945
https://malwaretips.com/threads/tes...against-security-features.101171/post-1007070

So, you can use your Applocker setup, remembering about those vulnerabilities (archives, disk images, HTML smuggling, etc.).

Many of these attacks can be prevented by allowing DLLs only in the AppData\Local folder:
%OSDRIVE%\Users\*\AppData\Local\* (or %OSDRIVE%\Users\*\AppData\Local\Temp\*).

    <FilePathRule Id="068c7caf-8542-400b-ae91-f9f59b113f72" Name="%OSDRIVE%\Users\*\AppData\Local\Temp\*" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Temp\*" />
      </Conditions>
    </FilePathRule>

Sometimes is necessary to allow DLLs also in the ProgramData folder.
Do not forget to allow DLLs in %WinDir% and %ProgramFiles%.

 

[Andy Ful]

@Max90 ,

You have an error in your script. The below rule GUID in the EXE section is the same for two different rules:
FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51"

Please check if all your rules have got different GUIDs.

 

[ForgottenSeer 97327]

@Andy Ful thanks for the feedback

 

[eonline]

Thank you very much Andy. I'm having problems with the Blizzard Battle Net DDL not being able to run, I think it's because it's installed outside the C: disk of the operating system. Thank you very much.

 

[ForgottenSeer 97327]

New rules with the correction of @Andy Ful (thanks ) Allow DLL's everywhere, but block unsigned executables/iinstalleers and unsigned scripts in user space

Spoiler: Allow DLL's everywhere

<#
.SYNOPSIS
This function creates new AppLocker settings using MDM WMI Bridge.
All previous rules will be deleted.

.CREDITS
The script is based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
MSIntune/Intune-PowerShell/AppLocker at master · sandytsang/MSIntune
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$classNameDLL = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'" | Remove-CimInstance

$classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'" | Remove-CimInstance

$classNameMSI = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'" | Remove-CimInstance

$classNameScript = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'" | Remove-CimInstance

$classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'" | Remove-CimInstance

Add-Type -AssemblyName System.Web

#This is example Rule Collection for EXE
$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Exe" EnforcementMode="Enabled">
<FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
<Exceptions>
<FilePathCondition Path="%WINDIR%\registration\crmlog\*" />
<FilePathCondition Path="%WINDIR%\servicing\packages\*" />
<FilePathCondition Path="%WINDIR%\servicing\sessions\*" />
<FilePathCondition Path="%WINDIR%\tasks\*" />
<FilePathCondition Path="%WINDIR%\temp\*" />
<FilePathCondition Path="%WINDIR%\tracing\*" />
<Exceptions>
</FilePathRule>
<FilePublisherRule Id="9ab086ea-40a8-4b05-875b-f9fdf9962ba8" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}


#This is example Rule Collection for MSI
$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Msi" EnforcementMode="Enabled">
<FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="All files located in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\Installer\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*.*" />
</Conditions>
</FilePathRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Script" EnforcementMode="Enabled">
<FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="All scripts in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%PROGRAMFILES%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="All scripts in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="%WINDIR%\*" />
</Conditions>
</FilePathRule>
<FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</FilePathRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Property @{ParentID=$parentID;InstanceID="Script";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Dll" EnforcementMode="Enabled">
<FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="Aloow all DLLs everywhere" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePathCondition Path="*" />
</Conditions>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj}

As said my wife's laptop is using nearly Microsoft only software so I can use MD exploit Protection enabling Code Integrity Guard as an additional layer of protection (allow only Microsoft signed DLL's) for Microsoft Office, Edge and Explorer. All third-party software is not allowed to start other programs (also restricted by MD's exploit protection). My wife has a HP laptop which updates fine with Configure Defender on MAX, so I am aware of the holes, but happy with the extra protection Andy-san provides us with Configure Defender and now these AppLocler scripts for Windows 11H2

 

[wat0114]

Hi @Andy Ful

if running your security tool, Hard_Configurator, does it need to be disabled in part or fully before running the AppLocker scripts you've provided?

 

[Andy Ful]

Hi @Andy Ful

if running your security tool, Hard_Configurator, does it need to be disabled in part or fully before running the AppLocker scripts you've provided?

Hard_Configurator on Recommended_Settings does not require HomeAppLocker scripts. One can use modified scripts for Windows_10_Basic_Recommended_Settings, for example:

<#
.SYNOPSIS
    This function creates new AppLocker settings for SimpleWindowsHardening using MDM WMI Bridge.
    All previous rules will be deleted.

.CREDITS
    These scripts are based on the script for EXE files made by Sandy Zeng (Sandy Tsang).
    https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/AppLocker
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$GroupName = "AppLocker001" #Your own groupName
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

$classNameDLL = "MDM_AppLocker_DLL03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Filter "ParentID=`'$parentID`' and InstanceID='DLL'"  | Remove-CimInstance

$classNameEXE = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Filter "ParentID=`'$parentID`' and InstanceID='EXE'"  | Remove-CimInstance

$classNameMSI = "MDM_AppLocker_MSI03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Filter "ParentID=`'$parentID`' and InstanceID='MSI'"  | Remove-CimInstance

$classNameScript = "MDM_AppLocker_Script03" #Do not change this
Get-CimInstance -Namespace $namespaceName -ClassName $classNameScript -Filter "ParentID=`'$parentID`' and InstanceID='Script'"  | Remove-CimInstance

$classNameStoreApps = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
Get-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Filter "ParentID=`'$parentID`' and InstanceID='Storeapps'"  | Remove-CimInstance

Add-Type -AssemblyName System.Web

#This is example Rule Collection for EXE
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="All files in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="All files in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="9ab086ea-40a8-4b05-875b-f9fdf9962ba8" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameEXE -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}


#This is example Rule Collection for MSI
$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="All files in the folder %systemdrive%\Windows\Installer." Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Installer\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="Allow for Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*.*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameMSI -Property @{ParentID=$parentID;InstanceID="MSI";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="All DLLs in Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="All DLLs in Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePublisherRule Id="1f0d0ec5-8523-4aa0-976a-ad2d2c21eed7" Name="All Signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameDLL -Property @{ParentID=$parentID;InstanceID="DLL";Policy=$obj}


$obj = [System.Net.WebUtility]::HtmlEncode(@"
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="All signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
"@)
New-CimInstance -Namespace $namespaceName -ClassName $classNameStoreApps -Property @{ParentID=$parentID;InstanceID="Storeapps";Policy=$obj}

The above script is similar to the previous one, but the Script section is deleted (H_C settings provide better script protection).

The script that removes restrictions is like in my previous post.

Warning!!!
I strongly recommend making a System Restore Point before applying the Applocker rules.

Post updated.

 

[wat0114]

Hard_Configurator on Recommended_Settings does not require HomeAppLocker scripts. One can use modified scripts for Windows_10_Basic_Recommended_Settings, ...

Okay thanks, Andy. I'm currently using Win 11 21H2, so SRP is still working under my H_C configuration. I guess whenever I "upgrade" to 22H2, then SRP wi;; not work, at which time I assume enabling and using Applocker instead would be a better alternative, even if if an unnecessary one?

 

[Andy Ful]

Okay thanks, Andy. I'm currently using Win 11 21H2, so SRP is still working under my H_C configuration. I guess whenever I "upgrade" to 22H2, then SRP wi;; not work, at which time I assume enabling and using Applocker instead would be a better alternative, even if if an unnecessary one?

I am not sure. You are using OSArmor which can possibly be tweaked to do similar things.

 

[WhiteMouse]

I thought Andy gave up and switched to WDAC after Microsoft killed SRP. But no, he found a way to run AppLocker on Home and Pro SKU.