In the past, AppLocker was available only for Windows Enterprise and Education subscribers. In this post, I will show you a way to use AppLocker on Windows 10 Pro and Windows 11 Pro.
Avatar

AppLocker is a Group-Policy-based mechanism that allows you to control the applications that run on your PC. It is a core security feature.

Microsoft also lists other use cases, namely:

  • Application inventory
  • Licensing conformance
  • Software standardization

Unfortunately, Microsoft has decided to treat AppLocker as an enterprise benefit and has made it unavailable in the Home and Professional editions of Windows. However, ever since Microsoft has come up with Mobile Device Management (MDM) as a sort of Group Policy 2.0, its documentation now contains this claim:

You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM).

You might wonder which editions MDM supports—any edition, Microsoft has included MDM capabilities in all editions!

It did not take long until someone had a look at the internals and found out that not even MDM licenses were required to make it work. In fact, you only need to know how to script it.

UPDATE: since build 22H2, AppLocker works on Win10/11 Pro without needing my script. As it seems, Microsoft has changed its mind after all.

Update2: https://support.microsoft.com/en-us/topic/kb5024351-removal-of-windows-edition-checks-for-applocker-e3a763c9-6a3e-4d9c-8623-0ffe69046470 finally confirms the change. So AppLocker is now supported on Win10 2004 and higher running the October 30, 2022 updates.

Creating AppLocker rules

Sandy Zeng (Microsoft MVP) seems to be the first who published working scripts. However, Sandy did not go into detail about the syntax; she left us working examples, but she didn't explain how she put them together. This article fills this gap.

You will need Windows 10 Pro or Windows 11 Pro. Even though Windows 10 Home and Windows 11 Home allow applying these rules, there is no easy way to create these rules for the Window Home edition. Honestly, I don't think AppLocker is for the Home edition.

Note that all screenshots come from Windows 10 Pro. Things might look a bit different on Windows 11.

Disclaimer: If you are unaware, AppLocker is able to render the OS completely unusable when configured incorrectly. I recommend trying this on a virtual machine, which enables you to create and return to snapshots in case you lock yourself out.

First, open secpol.msc and navigate to Application control policies > AppLocker. Below that, you will see four sections containing governing rules for executables (.exe), Windows installer files (.msi and .msp), scripts (.ps1, .bat, .cmd, etc.), and packaged apps (modern apps from the Windows Store, including those preinstalled by Microsoft, such as the weather app, calculator, and Paint 3D).

If you were hoping Microsoft would let you use this built-in GUI, you would be mistaken. The GUI is for enterprise and education edition users only; using it on Pro does not enable AppLocker. Still, we will use it to create the scripts that will be used later to enable AppLocker on Windows 10 Pro and Windows 11 Pro.

We start by creating a rule for executables. To play it safe for these tests, let us first create the default rules. It is not the most secure configuration, but for this test, I recommend it. Right-click Executable Rules and select Create default rules. Three rules are created.

Now create a fourth rule that denies access to WordPad ("%ProgramFiles%\Windows NT\Accessories\wordpad.exe") for anyone.

Disallowing WordPad with AppLocker

Disallowing WordPad with AppLocker

Aren't rules 1 and 4 contradictory? Rule 4 will win since it is more specific than rule 1—that is how AppLocker works. WordPad will indeed be disallowed.

Next, we will open regedit and navigate to
HKEY_LOCAL_Machine\Software\Policies\Microsoft\Windows\SrpV2

Inside, open the Exe key. You should see something similar to this, just with different GUIDs:

Regedit showing EXE policies

Regedit showing EXE policies

There are four keys below the Exe key that correspond to our four rules; the Deny policy for WordPad is depicted. Now for the big aha: the data of the depicted registry value can be directly used in the syntax of our script. In other words, the AppLocker GUI uses the registry in a way that we don't need to convert or tamper with.

Okay, hold your horses for a moment, leave regedit open at that spot, open a text editor, and paste the following four lines:

<?xml version="1.0" encoding="utf-8" ?>
<RuleCollection Type="Exe" EnforcementMode="Enabled"> 

</RuleCollection>

Save that as C:\Applocker_on_Win10pro\exe.xml (later, we will use this path in PowerShell ISE). You will have noticed that blank line number 3. Fill it in with the contents of the Value entries of those four registry keys that complete exe.xml:

The EXE XML file

The EXE XML file

Now open powershell_ISE.exe as system account (!) using the following command on an elevated command prompt:

psexec -si powershell_ise

You can download psexec, which is a part of PsTools from Microsoft, and extract it to c:\windows.

In the ISE, paste the following code and save it as Create_Applocker_Exerule.ps1:

<#
.SYNOPSIS
    This function create new AppLocker settings using MDM WMI Bridge

.DESCRIPTION
    This script will create AppLocker settings for EXE

.NOTES
    File name: Create-AppLockerEXE.ps1
    VERSION: 2005a
    AUTHOR: Sandy Zeng
    Created:  2020-09-20
    Licensed under the MIT license.
    Please credit me if you find this script useful and do some cool things with it.

.VERSION HISTORY:
    1.0.0 - (2020-09-20) Script created
    1.0.1 - 
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
$GroupName = "AppLocker001" #You can use your own Groupname, don't use special characters or with space
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$policyData = Get-Content C:\Applocker_on_Win10pro\exe.xml -raw
Add-Type -AssemblyName System.Web
$pdata = [System.Web.HttpUtility]::HtmlEncode($policyData);
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="EXE";EnforcementMode="Enabled";Policy=$pData}

Note that I modified Sandy's original script by sourcing out the XML policy content to an extra file, which I believe makes it easier to handle.

Now, launch the script right from ISE. It needs to be executed as a system account, and, of course, the execution policy needs to be set to at least remotesigned. Afterward, try to launch WordPad; it should be blocked.

WordPad is blocked by AppLocker

WordPad is blocked by AppLocker

Deploying AppLocker rules with Group Policy

Now, let me show you a way to deploy and maintain this with GPOs if you want to use this in your Windows 10 professional network.

The network deployment is simple:

  • Create a GPO with AppLocker settings the regular way, as you would for the Enterprise edition. That GPO will deploy the registry settings that we need to configure the rules in the second step.
  • Deploy a scheduled task that runs a PowerShell script to utilize the WMI MDM Bridge to apply these rules. The script for step 2 will be the following (save it as applocker.ps1). I will omit the credits for Sandy Zeng to save space here, but if you decide to utilize it, please give her credit by including the notes, as seen in the script above):
###The first code block deletes all existing rules so that new rules can be written.###

$namespaceName = "root\cimv2\mdm\dmmap"
$GroupName = "AppLocker001"

$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='EXE'"  | Remove-CimInstance

$className = "MDM_AppLocker_MSI03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='Msi'"  | Remove-CimInstance

$className = "MDM_AppLocker_Script03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='Script'"  | Remove-CimInstance

$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID=`'$parentID`' and InstanceID='StoreApps'"  | Remove-CimInstance

###This code block will retrieve all rules from the registry and write them to temporary XML files (one for each of the 4 Applocker sections) in c:\windows\temp###
 
echo '<RuleCollection Type="Exe" EnforcementMode="Enabled">' | out-file $env:temp\exe.xml -Encoding utf8 
$keys = (reg query hklm\Software\Policies\Microsoft\Windows\SrpV2\Exe | findstr HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\)
foreach ($key in $keys) {(Get-ItemProperty -Path Registry::$key).Value | Out-file $env:temp\exe.xml -Encoding utf8 -Append} 
echo '</RuleCollection>'| Out-file $env:temp\exe.xml -Encoding utf8 -Append  

echo '<RuleCollection Type="Appx" EnforcementMode="Enabled">' | out-file $env:temp\StoreApps.xml -Encoding utf8 
$keys = (reg query hklm\Software\Policies\Microsoft\Windows\SrpV2\Appx | findstr HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Appx\)
foreach ($key in $keys) {(Get-ItemProperty -Path Registry::$key).Value | Out-file $env:temp\StoreApps.xml -Encoding utf8 -Append} 
echo '</RuleCollection>'| Out-file $env:temp\StoreApps.xml -Encoding utf8 -Append  

echo '<RuleCollection Type="Script" EnforcementMode="Enabled">' | out-file $env:temp\script.xml -Encoding utf8 
$keys = (reg query hklm\Software\Policies\Microsoft\Windows\SrpV2\Script | findstr HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Script\)
foreach ($key in $keys) {(Get-ItemProperty -Path Registry::$key).Value | Out-file $env:temp\script.xml -Encoding utf8 -Append} 
echo '</RuleCollection>'| Out-file $env:temp\script.xml -Encoding utf8 -Append  

echo '<RuleCollection Type="Msi" EnforcementMode="Enabled">' | out-file $env:temp\msi.xml -Encoding utf8 
$keys = (reg query hklm\Software\Policies\Microsoft\Windows\SrpV2\Msi | findstr HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Msi\)
foreach ($key in $keys) {(Get-ItemProperty -Path Registry::$key).Value | Out-file $env:temp\msi.xml -Encoding utf8 -Append} 
echo '</RuleCollection>'| Out-file $env:temp\msi.xml -Encoding utf8 -Append

###This codeblock will apply all rules###

$namespaceName = "root\cimv2\mdm\dmmap"
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$GroupName = "AppLocker001"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$policyData = Get-Content $env:temp\exe.xml -Raw
Add-Type -AssemblyName System.Web
$pdata = [System.Web.HttpUtility]::HtmlEncode($policyData);
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="EXE";EnforcementMode="Enabled";Policy=$pData}

$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$policyData = Get-Content $env:temp\StoreApps.xml -Raw
Add-Type -AssemblyName System.Web
$pdata = [System.Web.HttpUtility]::HtmlEncode($policyData);
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="StoreApps";EnforcementMode="Enabled";Policy=$pData}

$className = "MDM_AppLocker_Script03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$policyData = Get-Content $env:temp\Script.xml -Raw
Add-Type -AssemblyName System.Web
$pdata = [System.Web.HttpUtility]::HtmlEncode($policyData);
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="Script";EnforcementMode="Enabled";Policy=$pData}

$className = "MDM_AppLocker_MSI03"
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$policyData = Get-Content $env:temp\msi.xml -Raw
Add-Type -AssemblyName System.Web
$pdata = [System.Web.HttpUtility]::HtmlEncode($policyData);
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="Msi";EnforcementMode="Enabled";Policy=$pData}

The scheduled task that you use for this needs system privileges, so the executing account needs to be "System." I suggest making it an immediate task ("Immediate Task (at least Windows 7") so that it applies to any GPO background refresh. This script executes very quickly, which means no significant performance overhead. If you have Win10/11 Pro, but no domain, you need to create the same task manually and use this event based task trigger ("on an event"), so that whenever you change Applocker Settings, my script runs:

Log: Microsoft-Windows-GroupPolicy/Operational, Source: GroupPolicy, Event ID: 4004

Conclusion

I provided a helper script that automates rule processing to enable deploying AppLocker on Windows 10 Professional and Windows 11 Professional.

avataravatar
52 Comments
  1. Avatar
    Abhku 1 year ago

    —————————————————————————————————————-
    New-CimInstance : The requested object could not be found.
    At line:28 char:1
    + New-CimInstance -Namespace $namespaceName -ClassName $className -Prop …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (MDM_AppLocker_A…ictions01_EXE03:CimInstance) [New-CimInstance], CimException
    + FullyQualifiedErrorId : MI RESULT 6,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand

    • Avatar Author

      Hi Abhku.

      The error message proves that you have modified my script, since line 28 is empty, normally. Please use my script and see if it works unmodified. It it does, tell me what you are trying to change or let me look at your modified script.

  2. Avatar
    bunglegrind 1 year ago

    Please be aware of this issue:

    https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6813

    I mean, adding rules for scripts it’s a matter of trial and error…
    Do you know any workaround?

  3. Avatar Author

    @bundlegrind
    What do you need a workaround for? Please be specific.
    What you link shows that logging is not working as expected, still blocking works as expected.

  4. Avatar
    bunglegrind 1 year ago

    I mean, the audit mode is useless if I can’t see what is blocked and what not. And tuning becomes a very difficult task

    • Avatar Author

      Agreed. I will look at audit mode logging soon and share feedback.

    • Avatar Author

      @bunglegrind
      You are right, this MDM implementation has issues.
      If I take my script and change all 8 occurences of EnforcementMode=”Enabled” to EnforcementMode=”AuditOnly”, it works as expected (things run), but ONLY FOR EXE, the audit log is used, not for MSI or scripts. That is strange. Will need to investigate further.

      When I tested logging, I must admit that I did only .exe, assuming the rest would work as well (why shouldn’t it)…

  5. Avatar
    bunglegrind 1 year ago

    Thanks a lot!

    • Avatar Author

      I found out what this is about.
      Although MS claims “all editions support this”, the logging only works for exe and appx since only those use SRPv2 (=Applocker) blocking, the rest still uses SRPv1 (Software restriction policies).. But there is a way to do logging for the rest:

      Just create the following Reg_SZ entry “LogfileName”at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      with a value like c:\log\mylog.txt
      That log will be populated with entries for ALL types, example entries:

      cmd.exe (PID = 6852) identified C:\Users\a\test\test.bat as Disallowed using SRPv2 rule, Guid = {c71b5435-1293-4848-b0a3-b53066c76ca2}
      msiexec.exe (PID = 1496) identified C:\Users\a\Desktop\ISORecorder31x64.msi as Disallowed using SRPv2 rule, Guid = {c71b5435-1293-4848-b0a3-b53066c76ca2}

      So this interesting log shows the GUIDs of the rules, which it correctly identifies as applocker (=SRPv2) rules, but the GUIDs… where does it find those? No idea.
      And what if we want to do audit logging and receive these “would have been blocked” messages? Nope, can’t be done for MSI or script… in auditing mode, that SRP logfile would read
      msiexec.exe (PID = 9024) identified C:\Users\a\Desktop\ISORecorder31x64.msi as Unrestricted using SRPv2 rule, Guid = {c71b5435-1293-4848-b0a3-b53066c76ca2}

      Conclusion: not 100% the same when it comes to logging, only when it comes to blocking 😐

  6. Avatar
    bunglegrind 1 year ago

    Thank you very much for your effort. I’ve enabled the log file and it works!

    cheers

  7. Avatar
    bunglegrind 1 year ago

    Concerning the DLL rules (MDM_AppLocker_DLL03) it looks like it’s working correctly (your script doesn’t provide the DLL feature, but it could be easily extended). I’m running the DLL rules in audit mode, and logs are correctly showed in events manager.

  8. Avatar
    Sabine 1 year ago

    I wanted to use Applocker on my standalone Win-10-Laptop.
    When I run the ps1-file, I get this error message:

    PS C:\Windows\system32> C:\Windows\PSTools\Create_Applocker_Exerule.ps1
    New-CimInstance : The operation cannot be performed because an object already exists.
    In C:\Windows\PSTools\Create_Applocker_Exerule.ps1:28 Characters: 1
    + New-CimInstance -Namespace $namespaceName -ClassName $className -Prop …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ResourceExists: (MDM_AppLocker_A…ictions01_EXE03:CimInstance) [New-CimInstance], CimExcepti
    on
    + FullyQualifiedErrorId : MI RESULT 11,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand

  9. Avatar Author

    Sabine, please use the script “as is” for a start. It will not throw an error. If you modify it, you need to share it in order to get help.

  10. Avatar
    George 1 year ago

    I tried to apply this powershell code, but then same issue happens:

    PS C:\Windows\system32> C:\Applocker_on_Win10pro\Create_Applocker_Exerule.ps1
    New-CimInstance : The requested object could not be found.
    Location C:\Applocker_on_Win10pro\Create_Applocker_Exerule.ps1:24 char:1
    + New-CimInstance -Namespace $namespaceName -ClassName $className -Prop …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (MDM_AppLocker_A…icationLaun…):CimInstance) [New-CimInstance], CimException
    + FullyQualifiedErrorId : MI RESULT 6,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand

    I’d exactly done same thing presented in this article: with same file names, same directory, and same procedure. I’d appreciate it if you could take a look at what the problem is. Thank you!

    • Avatar Author

      George and others with this error: If I remember correctly, this error occurs, if you start the script as admin. You must start it as system account via psexec, as outlined.

      • Avatar
        George 1 year ago

        Thank you for answering! I’d checked it with whoami script after the script in admin powershell: psexec -si powershell_ise, and the result was:

        PS C:\Windows\system32> whoami
        nt authority\system

        So this must be a system account, I think. Is there any additional procedure I must do?

      • Avatar
        George 1 year ago

        https://youtu.be/DZo5s-yCYDo

        Thank you for answering! I’d recorded the whole procedure. I executed the script .\psexec.exe -si powershell_ise, and whoami command showed the result nt authority\system. This means that I’m in system account, isn’t it…?

  11. Avatar
    bunglegrind 1 year ago

    I guess:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

    • Avatar
      Sabine 1 year ago

      Hi, my problem remains. ExecutionPolicy ist RemoteSigned, I am on system account, still I get this:
      [img]https://up.picr.de/44303293tb.jpg[/img]

  12. Avatar
    Sabine 1 year ago

    I did exactly the same as George.

  13. Avatar Author

    Ok, Sabine, George: Watched the video, all looks good except for the backslash in the paths which is a chinese sign for you, George – not sure if that might bother PowerShell, but I cannot tell for sure. What OS build do you use?

  14. Avatar Author

    Saw Sabines Screenshot and that’s something different to Georges’s problem. Use the delete_all_rules part (lines 3-20) in the lowest code, then retry.

    • Avatar
      George 1 year ago

      https://imgur.com/a/FxrFVIx

      Thank you for reviewing! That backslash \ is replaced to ₩ just because this windows is korean version, which have ₩ in keyboard instead of \. All korean os builds use ₩ in representing its directory, so I think that won’t bother much.
      My window version is Window 10 pro, version 21H2(build 19044.1889). I also checked out Set-ExecutionPolicy -ExecutionPolicy RemoteSigned, and the same error occured.

    • Avatar
      George 1 year ago

      Actually I reinstalled windows 10 pro and it worked! This error might be related to some optimization and tweaks that I did in the start. I’ll remind here if I can find which tweak is related with this issue. Thank you!

  15. Avatar Author

    Fine, thanks for the feedback!

  16. Avatar
    Sabine 1 year ago

    Hi, my screenshot was cut off because the error message was at the bottom. I had copied the code for Create_Applocker_Exerule.ps1 1:1 from your script.

    Interestingly, I had tried it on my old Win10Pro-Laptop, and there it was executed one time and WordPad is now blocked. Later I tried to run it for a second time there, but then it gave the same error message as on the other laptop. The other laptop has a newly installed Windows 10 Pro.
    Here’s s the script:
    [img]https://up.picr.de/44305578qj.jpg[/img]

    • Avatar Author

      Sabine, the proof of concept is not meant for repeated runs. You have not reacted to my suggestion before, which told you what lines to execute now to overcome this.

  17. Avatar
    Walter lov 12 months ago

    I don’t know if this is a bug or if MS has changed their mind, but with Windows 10 Pro 22H2 you can manage AppLocker through gpedit.msc. I tried 21H2 but that was a no go.

    • Avatar Author
      Welf Alberts (Rank 3) 12 months ago

      Walter, this works on all Win10. Tried successfully on 21H2 Pro as well. So I am not sure how your gpedit.msc looked like, but surely that was a problem at your end.

      • Avatar
        Walter lov 12 months ago

        Hmm, I’m not saying the method in this article doesn’t work, I’m saying I don’t need it for AppLocker to work in 22H2, I can just enable and use Applocker like you can on Enterprise editions etc. Which is why I said it might be a bug in 22H2.

        • Avatar Author
          Welf Alberts (Rank 3) 12 months ago

          That would be astounding, indeed. I misunderstood at first 🙂
          So you tested this without using my script and things that you define in gpedit.msc get blocked?

  18. Avatar
    Walter lov 12 months ago

    Yep, I’ve tried it multiple times, even rebooted a bunch of times to make sure it stayed working.

    • Avatar
      David Fishwick 12 months ago

      Hi I have tried this on mine following a clean install of Windows 11 22h2 and yep applocker is being enforced on pro from gpedit! I have not run any script. I noticed something was odd as I was getting events in event viewer (had always been blank before) when I had not even touched the feature. But yes enforced on mine too (stop no longer work)

      • Avatar
        David Fishwick 12 months ago

        I meant SRP no longer work sorry

      • Avatar
        bunglegrind 11 months ago

        on my win11pro 22H2, even after applying gpupdate, it doesn’t work.It’s not a clean installation, though.
        I’m still resorting to the powershell method above.

        • Avatar
          Walter lov 11 months ago

          My Windows 10 Pro install is only from April so that would have been when 22H1 was released.

    • Avatar Author
      Welf Alberts (Rank 3) 11 months ago

      I made two attempts:

      On Win11 Pro 22H2 (clean install) AppLocker works out of the box without my script.
      On a VM with Win10 Pro 20H2 it didn’t work and after upgrading that to 22H2 (19045.2364), it still does not work.

      Will do further attempts with 11 22H2 when upgraded from 11 RTM and 10 22H2 when cleanly installed.

  19. Avatar Author
    Welf Alberts (Rank 3) 12 months ago

    Walter, David…
    Say, how funny is this… all these years, it didn’t work on pro. Here comes my scripted solution for pro, BAM, 6 months later, it works out of the box.

  20. Avatar Author
    Welf Alberts (Rank 3) 11 months ago

    Ok, enough trying to say for sure.

    With Win10 22H2 and 11 22H2, you may use GPOs to control Applocker without my script. No matter if upgraded or clean install, it works. Don’t forget that standard applocker relies on the server “appidsvc”, so your GPO needs to change the startup type of that service to automatic.

    [yes, earlier I wrote that it didn’t work on 22H2 – the service wasn’t active]

    Will edit my article accordingly.

    • Avatar
      bunglegrind 11 months ago

      Still not working…appidsvc is running, startup type is automatic (trigger start). My machine is Win11PRO22H2 (upgraded from 22H1). launched gpudpate too. In event viewer applying new rules on gpedit creates the event: “The Group Policy settings for the computer were processed successfully. New settings from 1 Group Policy objects were detected and applied.”

      • Avatar Author
        Welf Alberts (Rank 3) 11 months ago

        Enforcement mode configured to “enforce rules” within all sections (exe, script, MSI) of the GPO?

        • Avatar
          bunglegrind 11 months ago

          Now it works! And I don’t know exactly why…enforce rules were already configured. Probably the “miracle” happened after removing the rules injected by your script, and applying gpos once more…
          cheers!

  21. Avatar
    DevineZaza (Rank 1) 11 months ago

    Hi, first of all thank you very much for the article. I have researched and tested your code many times. Some people here can’t run the script for 2 reasons:
    1. Run PowerShell as System user (Using AdvancedRun – Nir Soft), and run the command:
    set-executionpolicy remotesigned
    or: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
    Then choose A – Yes to All
    2. The script does not delete the existing Policy, remaining the old Policy will cause the script to not run. So I edited your whole thing like this:

    ### Script edited by DevineZaza

    # Remove-CimInstance: Doan nay Tung them vao de fix loi ko chay duoc script nay (Vietnamese :D)
    $namespaceName = “root\cimv2\mdm\dmmap”
    $GroupName = “AppLocker001”
    $className = “MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03”
    $parentID = “./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName”
    Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter “ParentID=`’$parentID`’ and InstanceID=’EXE'” | Remove-CimInstance

    # Doan nay la doan goc (Vietnamese :D)
    $namespaceName = “root\cimv2\mdm\dmmap” #Do not change this
    $className = “MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03” #Do not change this
    $GroupName = “AppLocker001” #You can use your own Groupname, don’t use special characters or with space
    $parentID = “./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName”
    $policyData = Get-Content C:\ProgramData\Microsoft\Dll.xml -raw
    Add-Type -AssemblyName System.Web
    $pdata = [System.Web.HttpUtility]::HtmlEncode($policyData);
    New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID=”EXE”;EnforcementMode=”Enabled”;Policy=$pData}

    • Avatar Author
      Welf Alberts (Rank 3) 11 months ago

      Is it necessary to point out that the script itself needs to be whitelisted? You will have whitelisted a lot of scripts (like those in sysvol) and it should be obvious that this script needs to be among them. Best would be to digitally sign it with a whitelisted signature.

      Can you tell me why you think the script is (sometimes?) unable to delete the old configuration? Have never seen it failing to do that. Can you offer reproducible steps to make it fail?

      About 1) – what’s the problem here? Again I don’t understand what could possibly go wrong at your side

  22. Avatar
    kay 10 months ago

    i used the example given above… launched secpol and added the wordpad rule after adding the default exe rules.
    exported the SRPV2 part of the registry so i could use copy paste to populate the xml and not risk fat fingering.. built the xml file..
    used the ps1 script, also copied/pasted .. and once it runs, wordpad is not blocked when i try to launch it.

    is there somewhere i can check to see if the rules are being applied. I can not install psexec so i launch the script using a scheduled task set to run as System.. i included lines to dump whoami when the script is launched to make sure that it is bring run by the correct user.
    when i try to run the ps1 just as myself to see if there are any errors i do get an error with regard to the last line ‘New-CimInstance…’

    ObjectNotFound: (MDM_AppLocker_A…ictions01_EX03:CimInstance) [New-CimInstance]. CimException
    i don’t know if that error pops because there is actually a problem with MDM_AppLocker on my system OR if because when running it manually, i am just an admin not a system account.
    is there a way i can check and see if MDM_AppLocker exists?

    I am running Windows 10 Pro 20H2

    • Avatar Author
      Welf Alberts (Rank 3) 10 months ago

      Hi.

      Psexec does not need to be installed. Extract it from pstools, follow the given steps, report what you see.

      • Avatar
        Kay 10 months ago

        exact same error message:
        New-CimInstance : The requested object could not be found.
        At C:\\Create_Applocker_Execrule.ps1:32 char:1
        + New-CimInstance -Namespace $namespaceName -Classname $classname -Prop …
        + ~~~~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (MDM_Applocker_A…icationLau…):CimInstance) [New-CimInstance], CimException
        + FullyQualifiedErrorId : MI Result 6.Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand

        • Avatar
          Kay 10 months ago

          ok. for due diligence, and because i had tried troubleshooting on my own and had possibly changed things before resorting to posting the request for help here, I came back here and recreated all of the files from scratch to make sure no human error was causing the issue. And apparently it WAS human error because now it is functioning as expected.

          thank you!!!

          • Avatar
            kay 10 months ago

            one other question. i need to expand the code to account for other applocker groups. i got most of them working but am having issues with appx. i thought that they would use “MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03” but i haven’t managed to make it work. have you done anything with this group that you can make any suggestions?
            thank you

            • Avatar
              Kay 10 months ago

              Never mind got it. i had APPX in one place where it should have been StoreApps. was able to figure it out by looking at the script where you delete everything and then recreate it.

  23. Avatar
    Water Lover 10 months ago
    • Avatar Author
      Welf Alberts (Rank 3) 9 months ago

      @Water Lover
      Yes, isn’t that nice… they committed the change back in October and document it now, almost 4 months later. Found the same today, just came here to add it 🙂

Leave a reply

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account