8/26/2023

AppLocker

This blog will be about how a “NotConfigured” AppLocker policy can come back to haunt you. I have updated this blog after responding to a question on Reddit. I will divide this blog into multiple parts.

Implementing AppLocker is always a wise thing to do, even when there is a possibility it “breaks” your Windows 10 installation. In one of my last blogs, I pointed out that implementing Microsoft 365 will help you with your ISO 27001 certification journey. When you have implemented AppLocker correctly, you're able to cross off some of the categories:

A.9.4.4 Use of Privileged Utility Programs
A.12.5.1 Installation of Software on Operational Systems
A.12.6.2 Restrictions on Software Installation

Implementing AppLocker could take you some time. If you want to know more about how to implement AppLocker a la minute:

Once you have automated the process you can be 99% sure it will not fail you. That 1% will apply when you are changing the existing XML CSP manually.

Last week I was called by a co-worker about a weird problem. When enrolling existing devices into Intune manually (the devices were already Azure AD joined), all Windows 10 devices instantly got a black screen with a white cursor. When trying to open the task manager, nothing happened.

So how do you start troubleshooting when nothing works? Luckily the devices succeeded in enrolling in Intune, so some required apps were automatically installed. One of them was the Solarwinds RMM agent, together with the included Remote Background tool.

Access to the RMM tool gave me access to Remote PowerShell! So, I had some background information about processes, running services, and some other insights. After some digging, with of course limited time, and looking into some event logs with PowerShell, I wanted to take a look at the AppLocker event log:

Get-WinEvent "Microsoft-Windows-AppLocker/EXE and DLL"

That just says it all… All errors 8004: DLLs are blocked!

3.

So, I opened Intune to take a look at the DLL AppLocker policy.

At first glance, it looked to me as if the DLL policy wasn't configured. But that's not exactly the case, as it was blocking all DLLs at that moment. The weird thing is that all existing Windows 10 Azure AD joined devices were working correctly.

After taking a look at the CSP again I realized the CSP only told me that the “enforcementmode” was configured. After talking with the customer, they told me they had removed all rules earlier and put the enforcementmode to “notconfigured” because they were experiencing performance impact and thought it had something to do with DLL AppLocker rules being configured. After they realized it hadn't anything to do with AppLocker, they forgot to change the AppLocker CSP to the old XML…

So I made a few changes to the XML and added the default rules back into it.

After some time, some coffee and manually syncing the device… It finally worked! All DLLs were allowed again!

4. Why doesn't it work?

But I still wanted to test some more, because I found it a little odd that existing devices had no problems at all. I installed a new Windows 10 device to be enrolled into a test tenant. No problem at all; the problem occurs only on existing devices that are manually enrolled in Intune. Strange but okay, I can live with that when I know how to fix it.

When you read my older blog about blocking administrative tools from the Intune education portal, you will know you can enable AppLocker within a few seconds from within the Intune Education Portal.

Block Access to Administrative Apps like the Command Prompt In Intune.

Shall we take a good look at how Microsoft is configuring this AppLocker policy?

They are pushing a policy with the EnforcementMode set to NotConfigured? Shall we take a look at what Microsoft has to say about the AppLocker enforcement settings?

So, let's read it out loud: “if rules are present in the corresponding rule collection, they are enforced”. So looking back at Microsoft's own policy, there are rules defined, so they will be enforced even while the enforcementmode is set to “NotConfigured”.

But what about when you remove all the rules and only define the enforcement mode back to “notconfigured”?

When you want to disable AppLocker, the only thing that works is removing the AppLocker Exe policy itself or configuring it to AuditOnly. When you remove the existing rules from the CSP and the EnforcementMode is set to “NotConfigured”, it is still Enabled!
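The state this post is about, a rule collection whose EnforcementMode is “NotConfigured”, can be flagged in the policy XML before it is pushed through the CSP. The following is an added example, not code from the original post; the function name Test-AppLockerCollection and the sample policy XML are constructed for illustration.

```powershell
# Added example, not the blog author's code. Names are hypothetical.
# Constructed sample policy reproducing the state from the post: the Dll
# collection has no rules left and EnforcementMode="NotConfigured".
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Constructed rule"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

function Test-AppLockerCollection {
    param([Parameter(Mandatory)][string]$PolicyXml)

    $doc = [xml]$PolicyXml
    foreach ($rc in $doc.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $mode  = $rc.GetAttribute('EnforcementMode')
        # Count the three rule element types an AppLocker collection can hold.
        $count = $rc.SelectNodes('FilePathRule|FilePublisherRule|FileHashRule').Count

        $finding = switch ($mode) {
            'AuditOnly'     { 'Audit only: events are logged, nothing is blocked' }
            'Enabled'       { 'Enforced' }
            'NotConfigured' {
                if ($count -gt 0) { 'Rules present, so they are enforced' }
                else { 'REVIEW: no rules; the post saw this state block every DLL' }
            }
            default         { "Unexpected EnforcementMode '$mode'" }
        }

        [pscustomobject]@{
            Collection      = $rc.GetAttribute('Type')
            EnforcementMode = $mode
            RuleCount       = $count
            Finding         = $finding
        }
    }
}

# Review every collection in the XML before assigning it to devices.
Test-AppLockerCollection -PolicyXml $samplePolicy | Format-Table -AutoSize -Wrap
```

Run against the constructed sample, the Exe collection is reported as audit only and the Dll collection is marked for review.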