[Windows 10 Pro - Release] Unable to add Application restrictions using AppLocker CSP

  • Question

  • Here is the SyncML the MDM service sends to the device for Application restriction using the AppLocker CSP.

    <SyncML xmlns="SYNCML:SYNCML1.2">
       <SyncHdr>
          <VerDTD>1.2</VerDTD>
          <VerProto>DM/1.2</VerProto>
          <SessionID>28</SessionID>
          <MsgID>13</MsgID>
          <Target>
             <LocURI>1b8c3495-96eb-4163-afef-7948bf441c73</LocURI>
          </Target>
          <Source>
             <LocURI>https://mdmserver/microsoft/mdm</LocURI>
          </Source>
       </SyncHdr>
       <SyncBody>
          <Status>
             <CmdID>d903a747-6f21-4636-a23e-24def8d52f62</CmdID>
             <MsgRef>13</MsgRef>
             <CmdRef>0</CmdRef>
             <Cmd>SyncHdr</Cmd>
             <Data>200</Data>
          </Status>
          <Add>
             <CmdID>0275f228-da95-4b03-85c2-615bb3d7fc1d</CmdID>
             <Item>
                <Target>
                   <LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/bc302e0f-ccf7-4ee8-a60c-a17f816a19fa/EXE/Policy</LocURI>
                </Target>
                <Meta>
                   <Format xmlns="syncml:metinf">xml</Format>
                   <Type xmlns="syncml:metinf">text/plain</Type>
                </Meta>
                <Data>
                   <AppLockerPolicy Version="1">
                      <RuleCollection Type="Exe" EnforcementMode="Enabled">
                         <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
                            <Conditions>
                               <FilePathCondition Path="%PROGRAMFILES%\*" />
                            </Conditions>
                         </FilePathRule>
                         <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
                            <Conditions>
                               <FilePathCondition Path="%WINDIR%\*" />
                            </Conditions>
                         </FilePathRule>
                         <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
                            <Conditions>
                               <FilePathCondition Path="*" />
                            </Conditions>
                         </FilePathRule>
                         <FilePublisherRule Id="b57d210e-8683-4de6-ab8c-1ecbe37a1c27" Name="CHROME.EXE, version 44.0.0.0 and above, in GOOGLE CHROME, from O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
                            <Conditions>
                               <FilePublisherCondition PublisherName="O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE CHROME" BinaryName="CHROME.EXE">
                                  <BinaryVersionRange LowSection="44.0.0.0" HighSection="*" />
                               </FilePublisherCondition>
                            </Conditions>
                         </FilePublisherRule>
                      </RuleCollection>
                   </AppLockerPolicy>
                </Data>
             </Item>
          </Add>
          <Final />
       </SyncBody>
    </SyncML>

    But I am getting a 516 error code as the response. Could someone help me find where I am wrong?

    Friday, August 7, 2015 7:30 AM

Answers

  • Got this to work using the SyncML shown below. The <Data> element contents were produced by first creating the policy as Local Administrator using AppLocker (secpol.msc) and escaping the '<' and '>' characters. The policy is obtained as XML by the command "get-applockerpolicy -xml -local". Presumably similar SyncML works for StoreApps (AppX policy), etc.

    <SyncML xmlns="SYNCML:SYNCML1.2">
       <SyncBody>
          <Replace>
             <CmdID>$CmdID$</CmdID>
             <Item>
                <Target>
                   <LocURI>./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Default-and-Deny-Chrome/Exe/Policy</LocURI>
                </Target>
                <Meta>
                   <Format xmlns="syncml:metinf">chr</Format>
                </Meta>
                <Data>&lt;RuleCollection Type="Exe" EnforcementMode="Enabled"&gt;&lt;FilePublisherRule Id="5bb0f949-ad9c-4138-8dde-3b8fcd938a0a" Name="GOOGLEUPDATESETUP.EXE, version 1.3.0.0 and above, in GOOGLE UPDATE, from O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"&gt;&lt;Conditions&gt;&lt;FilePublisherCondition PublisherName="O=GOOGLE INC, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US" ProductName="GOOGLE UPDATE" BinaryName="GOOGLEUPDATESETUP.EXE"&gt;&lt;BinaryVersionRange LowSection="1.3.0.0" HighSection="*" /&gt;&lt;/FilePublisherCondition&gt;&lt;/Conditions&gt;&lt;/FilePublisherRule&gt;&lt;FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;&lt;Conditions&gt;&lt;FilePathCondition Path="%PROGRAMFILES%\*" /&gt;&lt;/Conditions&gt;&lt;/FilePathRule&gt;&lt;FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;&lt;Conditions&gt;&lt;FilePathCondition Path="%WINDIR%\*" /&gt;&lt;/Conditions&gt;&lt;/FilePathRule&gt;&lt;FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow"&gt;&lt;Conditions&gt;&lt;FilePathCondition Path="*" /&gt;&lt;/Conditions&gt;&lt;/FilePathRule&gt;&lt;/RuleCollection&gt;</Data>
             </Item>
          </Replace>
          <Final/>
       </SyncBody>
    </SyncML>


    Michael Edwards

    Thursday, January 28, 2016 4:07 AM
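As an added example (not Michael's code and not Microsoft's CSP documentation), the server side of his recipe: take an export in the shape of `Get-AppLockerPolicy -Xml -Local`, pull out the Exe RuleCollection on its own, escape it, and wrap it in a Replace with Format chr at the CSP URI. The last function re-parses <Data> the way the device must, which shows why the unescaped, Format xml message in the question leaves no policy behind. The policy sample, the grouping name and the CmdID are constructed values.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "{SYNCML:SYNCML1.2}"
CSP_BASE = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions"

# Constructed sample in the shape of a `Get-AppLockerPolicy -Xml -Local` export,
# trimmed to one Exe rule (not a real export).
POLICY_XML = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>"""


def rule_collection(policy_xml, kind):
    """Serialize the <RuleCollection Type=kind> element on its own: the CSP
    Policy node takes this element, not the <AppLockerPolicy> wrapper."""
    for rc in ET.fromstring(policy_xml).findall("RuleCollection"):
        if rc.get("Type") == kind:
            rc.tail = None  # drop the whitespace that follows the element
            return ET.tostring(rc, encoding="unicode")
    raise KeyError("no RuleCollection of type " + kind)


def build_replace(policy_xml, grouping, kind, cmd_id="1"):
    """SyncML <Replace> for .../<grouping>/<kind>/Policy, Format chr, payload
    escaped so the device receives it as text rather than as child elements."""
    data = escape(rule_collection(policy_xml, kind))  # '<' -> '&lt;', '>' -> '&gt;'
    return (f'<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Replace>'
            f'<CmdID>{cmd_id}</CmdID><Item><Target>'
            f'<LocURI>{CSP_BASE}/{grouping}/{kind}/Policy</LocURI></Target>'
            f'<Meta><Format xmlns="syncml:metinf">chr</Format></Meta>'
            f'<Data>{data}</Data></Item></Replace><Final/></SyncBody></SyncML>')


def data_root_tag(syncml):
    """Re-parse <Data> the way the CSP must: return the root tag of the text it
    carries, or None when the policy arrived as child elements instead of text
    (the unescaped, Format xml shape of the original question)."""
    text = (ET.fromstring(syncml).find(f".//{NS}Data").text or "").strip()
    return ET.fromstring(text).tag if text else None
```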

All replies

  • I have been able to get a 200 response code in the AppLocker CSP on a Windows 10 desktop by escaping the <Data> value (changing all '<' to &lt;, etc.). However, when I then get the policy on that desktop (e.g. get-applockerpolicy) there are no rule collections present and no enforcement - I am trying to block the Chrome browser setup app. I created the <Data> element using get-applockerpolicy from a policy that was created using the Local Security Policy editor.

    It is also not clear if the AppLocker CSP is actually supported on desktop (as opposed to phone). For example this page seems clear that it should work on desktop: https://msdn.microsoft.com/en-us/library/dn920025(v=vs.85).aspx#newCSPs. Most of the MSDN/TechNet pages seem to indicate desktop support, but some pages say it is only for phone. Ugh.


    Michael Edwards

    Wednesday, January 27, 2016 11:34 PM
  • Thank you Michael.
    Thursday, January 28, 2016 5:16 AM