AppLocker – Making sure that local rules are removed

This is just a quick blog post about a thing I forgot to write about a long time ago.
One issue with AppLocker is that when someone gets admin access on a box, they can create local AppLocker rules, and those local rules are merged with the AppLocker rules that come from Group Policy. This is explained in this tweet: https://twitter.com/Oddvarmoe/status/996147947975962624

In order to make sure that any locally added rules are removed every time a computer boots, you can do the following:

  1. Create an XML file on your SYSVOL, or on any other share where users have no write access, and add the following lines into the file:

    <AppLockerPolicy Version="1">
      <RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
      <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
    </AppLockerPolicy>

  2. Add the following lines into a script and use it as a computer startup script:

    Import-Module AppLocker
    Set-AppLockerPolicy -XmlPolicy \\oddvar.moe\netlogon\ClearApplockerPolicy.xml



The next time a computer that receives this Group Policy boots, the startup script will remove any local rules that have been created.
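As an added example (not code from the original post), here is a fuller version of the startup script that also checks that the reset actually emptied the local policy, assuming the XML path from the post, that the AppLocker module is available, and that the script runs as SYSTEM as computer startup scripts do:

```powershell
# Added example, not code from the original post: apply the clearing policy from the
# post and then verify that the local AppLocker policy contains no rules afterwards.
# Assumptions: AppLocker module available, running as SYSTEM (Group Policy computer
# startup script), XML path as in the post. The log file path is a made-up choice.
Import-Module AppLocker

$ClearPolicyPath = '\\oddvar.moe\netlogon\ClearApplockerPolicy.xml'

# Count the rules in the LOCAL policy only. The effective policy also contains the
# Group Policy rules, so it is the wrong thing to check; the local policy is what an
# administrator on the box can add to.
function Get-LocalAppLockerRuleCount {
    [xml]$policyXml = Get-AppLockerPolicy -Local -Xml
    $rules = $policyXml.SelectNodes('//FilePathRule | //FilePublisherRule | //FileHashRule')
    return $rules.Count
}

function Clear-LocalAppLockerRules {
    param([Parameter(Mandatory)][string]$XmlPolicyPath)

    if (-not (Test-Path -LiteralPath $XmlPolicyPath)) {
        # If the share is unreachable at boot, fail loudly instead of silently
        # leaving whatever local rules exist in place.
        throw "Clearing policy not found: $XmlPolicyPath"
    }

    $before = Get-LocalAppLockerRuleCount

    # No -Merge switch: the file must REPLACE the local policy. With -Merge the
    # existing local rules would be kept and the script would achieve nothing.
    Set-AppLockerPolicy -XmlPolicy $XmlPolicyPath

    $after = Get-LocalAppLockerRuleCount
    if ($after -ne 0) {
        throw "Local AppLocker policy still contains $after rule(s) after the reset"
    }

    # Leave a trace: a non-zero 'before' count means someone added local rules since
    # the last boot, which is worth a look by whoever reviews these logs.
    Add-Content -Path "$env:ProgramData\AppLockerReset.log" `
        -Value ("{0:u} removed {1} local AppLocker rule(s)" -f (Get-Date), $before)
}

Clear-LocalAppLockerRules -XmlPolicyPath $ClearPolicyPath
```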
