Application Control for Business - mattnovitsch/M365 GitHub Wiki

Summary

I have had some customers asking about blocking specific applications and how to manage them. After some digging I found that the software engineer responsible for the code has created a really nice wizard (the App Control Policy Wizard) that makes it much easier to build and deploy a policy.

Prerequisites

Setup

Get a list of files, folder locations, or drivers you want to block from running in the environment.

  • Examples: Notepad.exe, a specific Java version, or any executable inside a certain folder.

Assuming you have a list of at least one or two items you want blocked, we can move on to opening the App Control Policy Wizard.

For this example, we are going to assume you are creating the policy from scratch. We are going to create a Base Policy with Multiple Policy Format support.

The base template you pick depends on your current requirements and what you plan on locking down. I'm going to assume you want to start off with either All Microsoft Mode or Signed and Reputable Mode; which one fits depends a lot on the list of software you found in your environment. Either way we can do this in Audit mode, so it is not going to hurt anything in your environment, and limit the deployment to a test device or two. Let's select Signed and Reputable Mode. Give the policy a name; WDAC default policy might be a good start.

Policy Rules are pre-set based on the template you have chosen. You can hover over each one for a short description of what it does. There is also a detailed reference here: Understand App Control for Business policy rules and file rules. From the screenshot below, you can see I am turning off Audit Mode, but I would highly encourage you to keep it in audit mode if you plan on deploying this enterprise wide. If you are deploying to a single test device, then turning off Audit Mode is recommended, since we need to see the policy actually block something.

File Rules is where we create allow or deny rules for files based on publisher, path, file attributes, or hash values. I had a customer ask about blocking a Java JRE version from running. We can do that multiple ways: either block the installation or block the exe from running. The right option depends on your current situation. In most cases, I would imagine that Java is already installed, so we would need to block both the installation location and the install file.

Clicking the +Add Custom link in the top right will allow you to add these rules. Let's change the Rule Action to Deny and the Rule Type to File Attributes. Browse for the file you want to block. In this case, I am blocking Java JRE version 8.431. You will see the wizard fills in the file attributes for the file. Check all the boxes that apply. This will block the file from being able to run and prevent the installation of it.

Let's block a folder that could have executables next. In this example, I have a folder on the root of my C drive called Block. Click +Add Custom again and change the Rule Action to Deny and the Rule Type to Path. Browse to the location and select the folder.

Keep adding rules for all the files or folders you want to block.

The policy should be created in a minute or so, and the wizard will give you the output location.

To test this on your device, copy the .cip file to C:\Windows\System32\CodeIntegrity\CiPolicies\Active on your test device, then restart the device for the changes to take effect.
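For anyone who prefers to script what the wizard does, here is an added example (not from this wiki or the App Control Policy Wizard) that builds the same kind of policy with the built-in ConfigCI cmdlets: a deny rule from the JRE installer's file attributes, a deny rule for C:\Block, an All Microsoft base with the Intelligent Security Graph option that Signed and Reputable mode adds, Multiple Policy Format, and the copy into the Active folder. It assumes the JRE installer sits at C:\Temp\jre-8u431-windows-x64.exe, C:\Temp as the working folder, and the AllowMicrosoft.xml template that ships under C:\Windows\schemas\CodeIntegrity\ExamplePolicies.

```powershell
# Added example: build the walkthrough's deny policy with the ConfigCI cmdlets.
# Run from an elevated PowerShell session on the test device.
$JreInstaller = 'C:\Temp\jre-8u431-windows-x64.exe'   # assumed location of the JRE installer
$BlockedDir   = 'C:\Block\*'                           # folder from the walkthrough
$Template     = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml"
$PolicyXml    = 'C:\Temp\WDAC-default-policy.xml'      # assumed working folder
$PolicyBin    = 'C:\Temp\WDAC-default-policy.cip'
$ActiveDir    = "$env:windir\System32\CodeIntegrity\CiPolicies\Active"
$AuditMode    = $false   # $true for a wider rollout: log what would be blocked, block nothing

# Deny rules: the cmdlet equivalents of the wizard's "File Attributes" and "Path" rule types.
# A FileName-level rule keys on the file's version resource, not on where the file lives;
# -Fallback Hash covers a binary that carries no OriginalFileName attribute.
$rules  = New-CIPolicyRule -Level FileName -SpecificFileNameLevel OriginalFileName `
              -Fallback Hash -DriverFilePath $JreInstaller -Deny
$rules += New-CIPolicyRule -FilePathRule $BlockedDir -Deny

# Start from the Microsoft-supplied AllowMicrosoft template (the "All Microsoft" base)
# and merge the deny rules in. Deny rules take precedence over allow rules at evaluation.
Merge-CIPolicy -PolicyPaths $Template -Rules $rules -OutputFilePath $PolicyXml | Out-Null

# Name the policy and convert it to Multiple Policy Format with a fresh policy GUID.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'WDAC default policy' -ResetPolicyID | Out-Null

# Rule options: 0 = UMCI (user-mode binaries are covered),
# 14 = Intelligent Security Graph (what Signed and Reputable adds on top of All Microsoft),
# 3 = Audit Mode, kept or removed depending on $AuditMode.
foreach ($opt in 0, 14) { Set-RuleOption -FilePath $PolicyXml -Option $opt }
if ($AuditMode) { Set-RuleOption -FilePath $PolicyXml -Option 3 }
else            { Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete }

# Compile to the binary .cip form the Code Integrity engine loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null

# In the Active folder the file must be named after the PolicyID GUID, braces included.
$policyId = ([xml](Get-Content -Path $PolicyXml -Raw)).SiPolicy.PolicyID
Copy-Item -Path $PolicyBin -Destination (Join-Path $ActiveDir "$policyId.cip")
Write-Host "Staged policy $policyId (audit mode: $AuditMode); restart the device to load it."
```

Keep the generated XML alongside the .cip, as it is the file you import into Intune later.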

Now we need to test this out. Place an executable in C:\Block and try to open it. You should get the following.

You should see something very similar when you try to run the Java JRE version.

One thing to watch out for: if you want to block Notepad.exe, for example, you need to make sure you grab the correct one. There are currently two versions on systems that pull the latest Notepad from the Microsoft Store.

New location: C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_11.2409.9.0_x64__8wekyb3d8bbwe\Notepad\

Old location: C:\Windows\Notepad.exe

The rule I have below blocks the old location but not the new one.

When you are ready to push to more than one device, you can send the policy out via Intune. Navigate to Endpoint Security > App Control for Business. Create a new policy and, when you reach the configuration settings, import the XML file you created.

Deploy the policy to your target group.

Good luck with your Application Control Policy and testing.