Create and Deploy AppLocker Policy

Modified on Thu, 8 Apr, 2021 at 12:42 PM

Caveats:

  • AppLocker will not apply to domain admin accounts. It is possible to apply AppLocker to a local admin.
  • When you need to update an AppLocker policy, it's all or nothing.

Overall workflow:

  1. Plan
  2. Create AppLocker rules and policies
  3. Test
  4. Deploy

 

Steps:

  1. Plan! This includes finding all the applications that will be used, including the ones that live in odd places.
  2. On a test machine, open Local Security Policy (secpol.msc)
  3. Expand Application Control Policies, then AppLocker
  4. Under the AppLocker heading you can see the four rule categories:
    • Executable Rules – .exe files; these rules also apply to installers packaged as an .exe
    • Windows Installer Rules – .msi installers
    • Script Rules – scripts
    • Packaged App Rules – packaged (.appx) apps

  5. For each of the four categories, right-click it and select “Create Default Rules”. This covers all the Windows default locations for updates, scripts and the standard Program Files locations. If you don’t do this you usually get prompted, but it’s still possible to skip them, and then everyday apps like Paint won’t work…

    See the screenshot below for default rule examples; note the “BUILTIN\Administrators” rule, which is what lets administrators bypass the policy (see Caveats).
  6. Not all software lives in standard locations. If you have a piece of software you need to add a rule for, right-click the appropriate category (Executable, Windows Installer, etc.) and select “Automatically Generate Rules”.
  7. The Rule Creation wizard opens. Select the appropriate user/security group and the root location of the software (the Name field usually auto-populates), then click Next.
  8. Next is the Rule Preference selection, with two main options. We will mostly use “Create publisher rules for files that are digitally signed”, which has two sub-options for the files that are not signed:
    File Hash – When the wizard scans the folder, it creates rules based on the file hash for any unsigned executables. This is awesome… in theory. If a file is updated or otherwise overwritten, its hash changes and the software will no longer be allowed to run, so every time you update that software you will need to redo all the rules.
    Path Rules – Rules are generated based on the file path, so when you apply a software update for the application it will usually “just work”. Obviously, if the update includes a new executable for whatever reason, it won’t work and you will need to redo the rules anyway.

    There is also the option to “Create file hash rules for all files”. This creates rules based on each file’s hash regardless of whether it is signed or not. Great for ultra-high security environments but… good luck with that. Select “Path Rules” and then click “Next”.
     
  9. After the wizard scans the folder in question, you will be presented with a summary page where you can check the files that were analysed and a preview of the rules that are going to be created.
  10. When you are happy with the ruleset, click “Create” and you will see your rules populate.
  11. Repeat steps 5 – 10 as needed.
  12. Once you are happy with all the rules, right-click on “AppLocker”, select “Export Policy” and choose where to save your policy in XML format.
  13. Log in to the machine where you manage Group Policy (typically a DC), create a new GPO under “Group Policy Objects” and copy your applocker.xml file to an easily accessible location.
  14. Navigate to Computer Configuration -> Windows Settings -> Security Settings -> System Services, find Application Identity, right-click it and select Properties. Check “Define this policy setting” and choose “Automatic”. This setting must be enabled: AppLocker does not enforce anything unless the Application Identity service is running!
  15. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Application Control Policies, right-click on AppLocker and import your policy.
  16. Locate your policy XML and click “Open”.
  17. For testing: on the right, select “Configure Rule Enforcement”.
  18. Check each category and change the drop-down to “Audit only”. When a rule would have blocked something, an event is written to the AppLocker event log instead of the program being blocked.
  19. Once you are happy, you can go back in and change it to “Enforced”. The AppLocker policy is now live and users will not be able to run anything other than the allowed apps.
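Steps 6 to 12 can also be driven from PowerShell with the built-in AppLocker cmdlets. The script below is an added example, not code from the original article; the folder C:\Apps\ExampleApp, the binary name example.exe and the output path C:\Temp\applocker.xml are placeholders. It scans the application folder, creates publisher rules for signed files and path rules for the rest (the wizard's “Path Rules” choice), exports the XML, and then runs Test-AppLockerPolicy against that XML before it goes anywhere near a GPO. Because the generated XML contains only the rules for the scanned folder and not the default rules from step 5, the test reports mspaint.exe as DeniedByDefault, which is exactly the “Paint won’t work” failure the article warns about.

```powershell
# Added example, not code from the original article: PowerShell equivalent of
# steps 6-12 plus a pre-deployment check with Test-AppLockerPolicy.
# Assumptions (placeholders, not values from the article): the application
# lives in C:\Apps\ExampleApp, its main binary is example.exe, and the
# exported policy is written to C:\Temp\applocker.xml.
$appRoot   = 'C:\Apps\ExampleApp'
$policyXml = 'C:\Temp\applocker.xml'

# Step 7 equivalent: scan the root folder of the software for the file types
# the rule categories cover (DLL rules are off by default and not requested).
$files = Get-AppLockerFileInformation -Directory $appRoot -Recurse `
             -FileType Exe, WindowsInstaller, Script

# Step 8 equivalent ("Create publisher rules for files that are digitally
# signed" with the "Path Rules" fallback): Publisher is tried first and any
# unsigned file gets a Path rule. -Optimize groups similar files into fewer
# rules; -IgnoreMissingFileInformation skips files the scanner could not
# read instead of aborting the whole run.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Path `
                                    -User 'Everyone' `
                                    -RuleNamePrefix 'ExampleApp' `
                                    -Optimize `
                                    -IgnoreMissingFileInformation `
                                    -Xml

# Step 12 equivalent: save the policy as XML for import into the GPO.
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null
Set-Content -Path $policyXml -Value $xml -Encoding UTF8

# Pre-deployment check: evaluate the exported XML against a file the new
# rules should allow and against a stock Windows binary. This XML holds only
# the rules generated above, not the default rules from step 5, so
# mspaint.exe comes back as DeniedByDefault. Add the default rules (step 5)
# and re-export before deploying.
Test-AppLockerPolicy -XmlPolicy $policyXml `
                     -Path "$appRoot\example.exe", "$env:SystemRoot\System32\mspaint.exe" `
                     -User 'Everyone' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

Run it on the test machine from step 2 as an administrator. Any path the test reports as DeniedByDefault is a path that still needs a rule; the same Test-AppLockerPolicy call is a cheap way to re-check the policy exported from the GUI in step 12 against every odd-location application found during planning.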
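Steps 13 to 19 also have PowerShell equivalents, which are handy when the same policy has to be imported into several GPOs or when reviewing audit events from many test machines. The script below is an added example, not code from the original article; the GPO LDAP path (including the {GPO-GUID-PLACEHOLDER} value), the domain controller dc01.example.local, the domain example.local and the policy file C:\Temp\applocker.xml are placeholders you must replace. The helper function Set-PolicyEnforcementMode is mine, not an AppLocker cmdlet; it edits the EnforcementMode attribute that the “Configure Rule Enforcement” dialog writes. The event IDs used for the audit review (8003, 8006, 8021) are the AppLocker “would have been blocked” events that audit mode produces.

```powershell
# Added example, not code from the original article: PowerShell for steps
# 13-19. Assumptions (placeholders): the GPO LDAP path, the DC name
# dc01.example.local and the policy file path are not from the article.
$policyXml = 'C:\Temp\applocker.xml'
$gpoLdap   = 'LDAP://dc01.example.local/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=local'

# Step 14 on a single test machine (the GPO "System Services" setting does
# this for the fleet): AppLocker does nothing unless Application Identity
# (AppIDSvc) is running. sc.exe is used because the service is protected
# on current Windows builds and Set-Service may be refused.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Steps 17-18 helper (hypothetical function, not an AppLocker cmdlet): set
# every rule collection in the XML to AuditOnly, or to Enabled for step 19.
# Each <RuleCollection Type="Exe|Msi|Script|Appx"> carries an
# EnforcementMode attribute; that is what the GUI dialog edits.
function Set-PolicyEnforcementMode {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('AuditOnly', 'Enabled', 'NotConfigured')][string]$Mode
    )
    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
        $collection.SetAttribute('EnforcementMode', $Mode)
    }
    $doc.Save($Path)
}

# Steps 15-18 equivalent: switch the file to audit mode and import it into
# the GPO. Set-AppLockerPolicy replaces the GPO's existing AppLocker rules
# unless -Merge is given, which is the "all or nothing" caveat at the top.
Set-PolicyEnforcementMode -Path $policyXml -Mode AuditOnly
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap

# Step 18 review, run on a test machine after gpupdate: list what WOULD have
# been blocked. 8003 (EXE and DLL), 8006 (MSI and Script) and 8021 (Packaged
# app) are the audit-only events; 8004, 8007 and 8022 are real blocks.
$auditEvents = @{
    'Microsoft-Windows-AppLocker/EXE and DLL'            = 8003
    'Microsoft-Windows-AppLocker/MSI and Script'         = 8006
    'Microsoft-Windows-AppLocker/Packaged app-Execution' = 8021
}
$wouldBlock = foreach ($log in $auditEvents.Keys) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $auditEvents[$log] } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # AppLocker events keep their details under UserData/RuleAndFileData.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Log      = $log
                FilePath = $data.FilePath
                User     = $data.TargetUser
            }
        }
}

# Group by file so the output reads as "things that need a rule before
# step 19"; an empty list means audit mode found nothing that would break.
$wouldBlock | Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Step 19 equivalent, once the list above is clean:
# Set-PolicyEnforcementMode -Path $policyXml -Mode Enabled
# Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap
```

Run the import part from a machine with the Group Policy management tools and permission to edit the GPO, and the event review part on the test machines themselves (or point Get-WinEvent at them with -ComputerName). Repeat the audit review for a few days of normal use before flipping to Enabled; anything that only runs at month end will not show up in the first afternoon.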
