I have a support case open to try and get to the bottom of this, but it is looking like it will take some time before it is escalated to the necessary level to get a definitive answer. In fact, this article seems to suggest that all types of policies should be fully functional on Win 10 Pro if using Intune to manage, whereas the reality seems to be that there is potentially only limited support with a number of caveats. However, I cannot find anything within the official documentation that mentions this. This would makes sense based on the behaviour we are all seeing. These posts are suggesting that the AppLocker CSP in Win 10 is actually using a mixture of AppLocker and Software Restriction Policies (SRP) to apply the configuration you have defined in Intune. I have done some investigation online to see if anyone else has experienced similar issues and have come across a handful of interesting posts that describe similar behaviour to mine (they seem to have more luck with MSI, but still very similar): Microsoft support were also unable to find any issues with the configuration. The fact that my EXE policies are working without issue suggests I have done this correctly. As far as I am aware, I have correctly configured the Intune side using the documented process to produce and export the AppLocker XML from an existing machine and then import it into a custom OMA-URI policy within Intune. All users are licensed for Intune (M365 BP). The endpoint I am testing on is fully up to date with the latest feature and security updates. I cannot get MSI blocks to work at all and no events are present in the event log for this. In enforced mode, the event log still remains empty, but some types of scripts are blocked. In audit mode, the relevant AppLocker event log remains empty. Script and MSI checks do not work at all in audit mode and only partially in enforced mode.The relevant events can also be found in the AppLocker event log on the endpoint EXE checks work absolutely fine in either audit or enforced mode.However, when I have attempt to configure it, it seems to only partially work. Based on this and other articles (including the documentation for the AppLocker CSP) I determined that my scenario where all machines are fully Azure AD joined (not hybrid joined) and enrolled in Intune should be fine. However, this article states that AppLocker running on Win 10 Pro can be managed centrally if you are using an MDM solution to manage it (e.g. In the past, when using Group Policy, centralised management was only possible when using Win 10 Enterprise edition. However, the SRP Basic User feature is not supported on the above operating systems.I have a requirement to configure AppLocker EXE, script and MSI policies on a fleet of Windows 10 Pro machines. Software Restriction Policies can be used with those versions. Windows Server 2008 R2 for Itanium-Based SystemsĪppLocker is not supported on versions of the Windows operating system not listed above. Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 You can only manage AppLocker with Group Policy on devices running Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, and Windows Server 2016. You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM). Packaged apps Executable Windows Installer Script DLL The following table shows the on which operating systems AppLocker features are supported. For more info, see Use AppLocker and Software Restriction Policies in the same domain. Note: You can use Software Restriction Policies with AppLocker, but with some limitations.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |