{"id":6647,"date":"2023-02-09T06:14:31","date_gmt":"2023-02-09T06:14:31","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6647"},"modified":"2023-03-29T23:07:45","modified_gmt":"2023-03-29T23:07:45","slug":"diagnosing-issue-with-applocker","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/diagnosing-issue-with-applocker","title":{"rendered":"Diagnosing Issue with AppLocker"},"content":{"rendered":"\n

Recently testing out a Whitelisting Policy in App Locker , that denied an App Listed from a Allowed Publisher<\/p>\n\n\n\n

If you have deployed Applocker rules using Intune, you can find the Policy rules at\u00a0C:\\Windows\\System32\\AppLocker\\MDM<\/strong><\/p>\n\n\n\n

You can also look at Get-ApplockerPolicy -Xml -Effective <\/strong><\/p>\n\n\n\n

Looking at the event Log we can see the RuleID is all 0’s<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

 A DeniedbyDefault RUN decision from Applocker has a RuleId set to {00000000-0000-0000-0000-000000000000}.<\/p>\n\n\n\n

When we run the powershell as the user we get “DeniedbyDefault”<\/p>\n\n\n\n

Test-AppLockerPolicy -XmlPolicy .\\SamplePolicy.xml -Path c:\\windows\\system32\\calc.exe<\/p>\n\n\n\n

*Policy.xml needs to be the full Policy not just rule collection ( <AppLockerPolicy><\/AppLockerPolicy><\/p>\n\n\n\n

<\/p>\n\n\n\n

We were tagetting Domain Users Group in the policy , however the Machese were Azure AD Joined<\/p>\n\n\n\n

AppLocker<\/em> doesn’t support AzureAD groups<\/em>, only local groups<\/em>“<\/p>\n\n\n\n

We changed this to UserOrGroupSid=”S-1-1-0″ ( everyone and it fixed the issue) <\/p>\n","protected":false},"excerpt":{"rendered":"

Recently testing out a Whitelisting Policy in App Locker , that denied an App Listed from a Allowed Publisher If you have deployed Applocker rules using Intune, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4092,2216,1948,1181],"class_list":["post-6647","post","type-post","status-publish","format-standard","hentry","category-research","tag-applocker","tag-test","tag-whitelist","tag-xml"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6647"}],"version-history":[{"count":2,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6647\/revisions"}],"predecessor-version":[{"id":6818,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6647\/revisions\/6818"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}