AppLocker – Making sure that local rules are removed

This is just a quick blog post about something I forgot to write about a long time ago.
One issue with AppLocker is that when someone gets admin access on a box, they can create local AppLocker rules, and those local rules are merged with the AppLocker rules delivered through Group Policy. This is explained in this tweet: https://twitter.com/Oddvarmoe/status/996147947975962624

To make sure that any locally added rules are removed every time a computer boots, you can do the following:


  1. Create an XML file on your SYSVOL, or on any other share where no one has write access, and add the following lines to the file (every rule collection is set to NotConfigured and contains no rules, so applying it leaves no local rules behind):
    <AppLockerPolicy Version="1">
      <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
    </AppLockerPolicy>

  2. Add the following lines to a script and deploy it as a computer startup script through Group Policy:
    # Load the AppLocker cmdlets
    Import-Module AppLocker
    # Replace the local AppLocker policy with the empty policy from step 1 (without -Merge, Set-AppLockerPolicy overwrites the local policy)
    Set-AppLockerPolicy -XmlPolicy \\oddvar.moe\netlogon\ClearApplockerPolicy.xml


The next time a computer that receives this Group Policy boots, any locally created AppLocker rules will be removed.
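A more defensive version of the startup script from step 2, added here as an example and not part of the original post: it checks that the file on the share really is an empty policy before applying it, logs any locally added rules before they are removed so the event can be investigated, and confirms the local policy is empty afterwards. The share path is the one from the post; the log file location is an assumed placeholder.

```powershell
# Added example, not the original post's script: a startup script that logs any
# locally created AppLocker rules before replacing the local policy with the
# empty policy file from step 1, then verifies the result. Assumptions: the
# share path is the one from the post; the log path is a placeholder.
Import-Module AppLocker

$ClearPolicyPath = '\\oddvar.moe\netlogon\ClearApplockerPolicy.xml'
$LogPath         = "$env:ProgramData\AppLockerLocalRules.log"   # placeholder

# Count the rule elements (FilePathRule, FilePublisherRule, FileHashRule)
# inside each RuleCollection of an AppLocker policy XML string.
function Get-RuleSummary([string]$PolicyXml) {
    $xml = [xml]$PolicyXml
    foreach ($coll in @($xml.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
        $rules = @($coll.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        [pscustomobject]@{
            Type  = $coll.Type
            Count = $rules.Count
            Names = ($rules | ForEach-Object { $_.GetAttribute('Name') }) -join '; '
        }
    }
}

function Get-RuleCount($Summary) { [int](($Summary | Measure-Object Count -Sum).Sum) }

# Refuse a file that is missing or that contains rules: it is supposed to be
# an empty policy, so anything else suggests tampering on the share.
if (-not (Test-Path $ClearPolicyPath)) {
    Add-Content $LogPath "$(Get-Date -Format o) clear policy missing: $ClearPolicyPath"
    exit 1
}
if ((Get-RuleCount (Get-RuleSummary (Get-Content $ClearPolicyPath -Raw))) -gt 0) {
    Add-Content $LogPath "$(Get-Date -Format o) clear policy contains rules, not applied"
    exit 1
}

# Record whatever local rules exist before they are wiped; a non-zero count
# here means someone with local admin added rules and is worth investigating.
$before = Get-RuleSummary (Get-AppLockerPolicy -Local -Xml)
foreach ($c in ($before | Where-Object { $_.Count -gt 0 })) {
    Add-Content $LogPath "$(Get-Date -Format o) local $($c.Type) rules: $($c.Count) [$($c.Names)]"
}

# Without -Merge, Set-AppLockerPolicy replaces the local policy outright.
Set-AppLockerPolicy -XmlPolicy $ClearPolicyPath

$after = Get-RuleCount (Get-RuleSummary (Get-AppLockerPolicy -Local -Xml))
Add-Content $LogPath "$(Get-Date -Format o) local rules remaining after reset: $after"
```

The log file gives you a record to forward to your SIEM; any boot where the "before" section lists rules means a local admin modified AppLocker on that machine.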
