Deploy AppLocker in Intune – Block CMD and PowerShell

The following XML blocks CMD (cmd.exe), PowerShell (powershell.exe) and PowerShell ISE (powershell_ise.exe) for members of Domain Users, while members of the local Administrators group (which on a domain-joined device normally includes Domain Admins) keep the default "allow all" rule. Caveat: AppLocker evaluates explicit Deny rules ahead of Allow rules, and domain administrator accounts are normally also members of Domain Users (it is the default primary group), so a Deny scoped to Domain Users can apply to administrators too. Verify with an administrator account in AuditOnly mode before enforcing, and consider scoping the Deny rules to a dedicated "restricted users" group instead of Domain Users.

The XML also contains AppData and ProgramData Allow rules, because Teams and OneDrive run from the user profile and the default rules only allow the Windows and Program Files folders, so without them Teams and OneDrive will not start. Be aware of the trade-off: %OSDRIVE%\Users\*\AppData\* and %OSDRIVE%\ProgramData\* are user-writable, so an Allow rule on them lets a standard user run any executable they drop there — including a copy of cmd.exe or powershell.exe, which sidesteps the path-based Deny rules. The publisher rules for Teams and OneDrive included below are the more precise way to allow those applications; once AuditOnly testing confirms they are sufficient, remove the broad path Allow rules or narrow them to the exact subfolders required.

NOTE: Also deploy the default rules for the DLL, MSI and AppX collections (shown below) so that applications continue to function and only the intended executables are blocked; without the default Allow rules an enforced collection blocks everything it does not explicitly allow. Pilot every collection with EnforcementMode="AuditOnly" and review the AppLocker event logs before switching to "Enabled". DLL rule enforcement is evaluated on every DLL load and can have a noticeable performance and compatibility impact, so test it separately.

Ensure the OMA-URIs follow the same format. The `12345` segment is the grouping name (an arbitrary string you choose) and must be identical across the four settings so they are treated as one policy set; each setting's data type is String and its value is the corresponding `<RuleCollection>` element shown below:

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/12345/StoreApps/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/12345/EXE/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/12345/DLL/Policy

./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/12345/MSI/Policy

Use the following EXE XML file for intune:

NOTE – Each domain has its own domain identifier, so the S-1-5-21-…-513 (Domain Users) and S-1-5-21-…-512 (Domain Admins) SIDs in these rules must be replaced with the values from your domain. The well-known SIDs S-1-1-0 (Everyone) and S-1-5-32-544 (BUILTIN\Administrators) are the same on every machine and can be used as-is. Every rule Id must be a unique GUID.

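  <!--
    EXE collection. Rule order is irrelevant to AppLocker: explicit Deny rules win over Allow
    rules, and anything not matched by an Allow rule is blocked once EnforcementMode is "Enabled".
    Replace the S-1-5-21-...-513 (Domain Users) SID with your own domain's value; S-1-1-0
    (Everyone) and S-1-5-32-544 (BUILTIN\Administrators) are well-known and identical everywhere.
    Every rule Id must be a unique GUID.
    NOTE(review): domain administrator accounts are normally also members of Domain Users, so the
    Deny rules below may apply to them as well - verify with an admin account in AuditOnly mode.
  -->
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Deny rules: the 64-bit binaries under %SYSTEM32% (C:\Windows\System32). -->
    <FilePathRule Id="4ca6dd73-0f64-4745-b692-68e6861842c1" Name="Powershell" Description="Deny 64-bit Windows PowerShell to Domain Users" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="6e4900ae-c36e-4361-bfc9-c62ecda1ec28" Name="Powershell ISE" Description="Deny 64-bit PowerShell ISE to Domain Users" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="84ba55f3-4d47-41e6-960a-f0ed99534ed5" Name="CMD" Description="Deny 64-bit cmd.exe to Domain Users" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\cmd.exe" />
      </Conditions>
    </FilePathRule>
    <!--
      %SYSTEM32% maps to the 64-bit System32 directory only. The 32-bit copies under SysWOW64 are
      separate binaries and need their own Deny rules, otherwise a user simply runs those instead.
      If PowerShell 7 (pwsh.exe) is installed, add a matching Deny for it too (installed by default
      under %PROGRAMFILES%\PowerShell\).
      NOTE(review): these are path-based denies. The AppData/ProgramData Allow rules below let a
      user run a copied cmd.exe/powershell.exe from a user-writable folder, so for a robust block
      prefer publisher (signature) based Deny rules generated from the real binaries.
    -->
    <FilePathRule Id="1f3c2a9e-7b4d-4e0a-9c51-2d8f6a0b7e13" Name="Powershell (32-bit)" Description="Deny 32-bit Windows PowerShell to Domain Users" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="5a9d4c71-3e2b-4f86-b0d7-8c1e2f9a4b60" Name="Powershell ISE (32-bit)" Description="Deny 32-bit PowerShell ISE to Domain Users" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="9b7e1d3f-6c5a-4a2e-8f14-0e3d7c2b5a98" Name="CMD (32-bit)" Description="Deny 32-bit cmd.exe to Domain Users" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SysWOW64\cmd.exe" />
      </Conditions>
    </FilePathRule>
    <!--
      SECURITY: the two path Allow rules below cover user-writable locations, so any executable a
      Domain User drops there will run. They exist only because Teams and OneDrive run from the
      user profile; the publisher rules further down already allow those applications by signature,
      so once AuditOnly testing confirms nothing else depends on these paths, remove them or narrow
      them to the exact subfolders needed.
    -->
    <FilePathRule Id="f9cd2dde-8b5e-4a9a-be62-7b0e813e7d1a" Name="%OSDRIVE%\Users\*\Appdata\*" Description="Broad user-writable allow for Domain Users; see comment above" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Appdata\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="ee206731-3808-4421-921a-a6a890e5ced1" Name="%OSDRIVE%\ProgramData\*" Description="Broad allow for Everyone; parts of ProgramData are user-writable" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ProgramData\*" />
      </Conditions>
    </FilePathRule>
    <!-- Default rules. %PROGRAMFILES% covers both Program Files and Program Files (x86). -->
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <!--
      Publisher rules for Teams and OneDrive: these match on the signing certificate and product
      name regardless of where the binary lives, which is why they are preferable to the path
      Allow rules above.
    -->
    <FilePublisherRule Id="88f57585-08a9-4964-a615-cf2869344007" Name="MICROSOFT TEAMS, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT TEAMS" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="88f57585-08a9-4964-a615-cf2869344008" Name="MICROSOFT TEAMS UPDATE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT TEAMS UPDATE" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="09fdbfe1-a002-437d-8086-f46b24d13c03" Name="MICROSOFT ONEDRIVE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-513" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONEDRIVE" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!--
      NOTE(review): the default Windows-folder rule is known to include subfolders that standard
      users can write to; add Deny exceptions for those or verify them during the AuditOnly pilot.
    -->
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <!-- BUILTIN\Administrators may run anything; this is what keeps admins working. -->
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <!-- Narrower Everyone-scoped publisher rules for the Teams updater and main executable. -->
    <FilePublisherRule Id="3b55137f-a20f-4643-85ea-c929ac90926c" Name="UPDATE.EXE, in MICROSOFT TEAMS UPDATE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT TEAMS UPDATE" BinaryName="UPDATE.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="28f5af31-b74e-499c-84f0-c69b5a6f650a" Name="TEAMS.EXE, in MICROSOFT TEAMS, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT TEAMS" BinaryName="TEAMS.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>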

Use the following AppX XML file for intune:

<!--
  AppX (packaged app) collection: the single default rule only.
  Any packaged app carrying a valid signature runs for Everyone, including apps a user can install
  from the Store themselves; narrow PublisherName/ProductName if that is not intended.
-->
<RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <!-- Wildcard publisher/product/binary: any signer is accepted. -->
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>

Use the following MSI XML file for intune:

  <!--
    MSI (Windows Installer) collection: the three default rules plus an extra Allow for Domain Admins.
    Replace the S-1-5-21-...-512 (Domain Admins) SID with your own domain's value.
  -->
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <!--
      Domain Admins may run any MSI. Where Domain Admins are also local Administrators this is
      covered by the BUILTIN\Administrators rule at the bottom as well, but it is harmless.
    -->
    <FilePathRule Id="efb5b749-755f-42c7-a16c-c27e015c7a22" Name="All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-21-3190633424-280908807-3187571820-512" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*.*" />
      </Conditions>
    </FilePathRule>
    <!--
      Default rule: any MSI with a valid signature from ANY publisher is allowed for Everyone.
      This is broad; restrict PublisherName to the vendors you actually deploy if that matters.
    -->
    <FilePublisherRule Id="b7af7102-efde-4369-8a89-7a6a392d1473" Name="(Default Rule) All digitally signed Windows Installer files" Description="Allows members of the Everyone group to run digitally signed Windows Installer files." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Default rule: cached installers under %WINDIR%\Installer (needed for repair/uninstall). -->
    <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Installer\*" />
      </Conditions>
    </FilePathRule>
    <!-- Default rule: BUILTIN\Administrators may run any MSI. -->
    <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*.*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>

Use the following DLL XML file for intune:

  <!--
    DLL collection: the three default rules plus two ProgramData path Allow rules.
    DLL enforcement is evaluated on every library load and can have a noticeable performance
    impact; pilot it with EnforcementMode="AuditOnly" and review the AppLocker DLL event log first.
    NOTE(review): unlike the EXE collection, nothing here allows DLLs under %OSDRIVE%\Users\*\AppData.
    The page says Teams and OneDrive run from AppData, so their DLLs presumably live there too and
    would be blocked under DLL enforcement - confirm in AuditOnly, and if so add a publisher rule
    for the Microsoft-signed DLLs rather than a path Allow on the user-writable profile.
  -->
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="(Default Rule) Microsoft Windows DLLs" Description="Allows members of the Everyone group to load DLLs located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="(Default Rule) All DLLs located in the Program Files folder" Description="Allows members of the Everyone group to load DLLs that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fe64f59f-6fca-45e5-a731-0f6715327c38" Name="(Default Rule) All DLLs" Description="Allows members of the local Administrators group to load all DLLs." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
    <!--
      SECURITY: parts of ProgramData are writable by standard users, so this Everyone-scoped Allow
      lets a user load any DLL they place there. Prefer the narrower rule below it (and further
      per-application subfolders) over the whole-folder allow.
    -->
	    <FilePathRule Id="4484725b-c85a-4b2d-951d-1133c22aecd2" Name="%OSDRIVE%\programdata\" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ProgramData\*" />
      </Conditions>
    </FilePathRule>
    <!--
      Defender platform DLLs. Fully covered by the whole-ProgramData rule above while that exists;
      this is the narrow rule that should remain once the broad one is removed.
    -->
	    <FilePathRule Id="7d23da77-f524-42f7-a99b-2c0dd47433fd" Name="%OSDRIVE%\ProgramData\Microsoft\Windows Defender\Platform\" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\ProgramData\Microsoft\Windows Defender\Platform\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>