Golden oldie -> Block Apps using AppLocker and PowerShell

Ever worked for a client who uses shared workplaces for frontline workers (web only) and office workers? And of course the "fully installed" Microsoft Office must be usable for the office workers when they are logged on to this workplace. Well, I did 🙂.

And I saw a lot of confusion when somebody logged on to the desktop (with an M365 F3 license), opened a document and got all kinds of warnings because he/she has no valid license. End result -> end-user panicking and contacting IT.

The script is based on the PowerShell script created by Sandy Zeng (Does AppLocker work in Windows 10 Pro? Yes, it does! – MSEndpointMgr) in 2020.

Note:
"A failsafe is added for members of the Local Administrators group, not setting any restrictions. Make sure the users are not members of this group (if they are, there is another issue/discussion.. ^^)"

SCRIPT 1: APPLY APPLOCKER RESTRICTIONS AT LOGON

In this post I show you a very simple way to block starting Microsoft Office applications by using AppLocker (you can change Office to any program you want, this is just an example). But not by using the Intune CSP, which is too slow (requires Windows 10+ Professional), or Group Policy, which requires a domain (requires Windows 10+ Enterprise); no… by using two simple PowerShell scripts. This is extremely robust!

The first script runs when a user without an Office license does a LOGON to the workplace, setting the AppLocker restrictions applicable to your needs. The script must be run from SYSTEM context.

Note:
There are several ways of targeting scripts at specific users at LOGON, plus fantastic tooling that can do this. It is up to your creativity to achieve this :). Ping me if you want some examples.

```powershell
<#
.SYNOPSIS
    AppLocker configuration for restricting Microsoft Office (or other executables)

.DESCRIPTION
    This script creates AppLocker settings for EXE and restricts Microsoft Office. Based on the script from Sandy Zeng: https://msendpointmgr.com/2020/09/20/does-applocker-work-in-windows-10-pro-yes-it-does/.
    For more info see -> https://www.42dude.com/blog/2023/07/09/block-office-apps-using-powershell-and-applocker/

    NOTE: Use a tool to run the script as SYSTEM that applies at the LOGON action of the end-user without an Office license.

    Don't forget to delete the configuration when logging out :).

.VERSION HISTORY
    1.0.0 - (2020-09-20) Script created by Sandy Zeng
    1.0.1 - (2023-07-09) AppLocker example script - No Office for Regular Users
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this (MDM WMI Bridge namespace)
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
$GroupName = "AppLocker001" #You can use your own group name; don't use special characters or spaces
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

Add-Type -AssemblyName System.Web #Not needed for System.Net.WebUtility, but harmless

#This is an example Rule Collection for EXE; change it to your own settings.
#The CSP expects the policy XML HTML-encoded, hence the HtmlEncode call.
#Rule 1: members of the Local Administrators group (S-1-5-32-544) keep unrestricted access (the failsafe).
#Rule 2: Everyone (S-1-1-0) may run everything, except the Office executables listed as exceptions.
$obj = [System.Net.WebUtility]::HtmlEncode(@"
<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(ADMIN) All files allowed" Description="Users of the Local Administrator group still have unrestricted access." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="dfaef909-a8b8-4be3-baf3-a1994a9845ab" Name="All files allowed, except specific Microsoft Office apps" Description="Configured for all users." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePathCondition Path="*excel.exe" />
      <FilePathCondition Path="*outlook.exe" />
      <FilePathCondition Path="*powerpnt.exe" />
      <FilePathCondition Path="*winword.exe" />
      <FilePathCondition Path="*ONENOTE.EXE" />
      <FilePathCondition Path="*MSPUB.EXE" />
      <FilePathCondition Path="*MSACCESS.EXE" />
    </Exceptions>
  </FilePathRule>
</RuleCollection>
"@)

#Create the CSP node through the MDM WMI Bridge; the policy takes effect immediately.
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="EXE";Policy=$obj}
```

SCRIPT 2: DELETE APPLOCKER RESTRICTIONS AT LOGOFF

The second script runs when the user without an Office license does a LOGOFF from the workplace. Again, the script must be run from SYSTEM context.

Note:
Personally I would add a failsafe to also run this script at logon for all other users, to be sure that all AppLocker settings are removed 🙂

```powershell
<#
.SYNOPSIS
    This script deletes AppLocker settings using the MDM WMI Bridge

.DESCRIPTION
    This script deletes the AppLocker settings for EXE that were set using the MDM WMI Bridge. Based on the script from Sandy Zeng: https://msendpointmgr.com/2020/09/20/does-applocker-work-in-windows-10-pro-yes-it-does/
    For more info see -> https://www.42dude.com/blog/2023/07/09/block-office-apps-using-powershell-and-applocker/

    Note: Use a tool to run the script as SYSTEM that applies at the LOGOFF action of the end-user without an Office license. I would suggest also running it at logon for users with an Office license, to be sure all AppLocker settings are removed.

.VERSION HISTORY
    1.0.0 - (2020-09-20) Script created by Sandy Zeng
    1.0.1 - (2023-07-09) AppLocker example script - Delete AppLocker Settings
#>

$namespaceName = "root\cimv2\mdm\dmmap" #Do not change this (MDM WMI Bridge namespace)
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03" #Do not change this
$GroupName = "AppLocker001" #Your own group name; must match the one used in script 1
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"

#Find the EXE collection created by script 1 and remove it; AppLocker stops restricting Office immediately.
Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='$parentID' and InstanceID='EXE'" | Remove-CimInstance
```
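As an added verification step (example code written for this post, not part of the original scripts or Sandy Zeng's), the following reads the EXE collection back from the MDM WMI Bridge, decodes the policy XML and checks that the admin failsafe rule and the Office exceptions actually landed; it assumes the page's namespace, class and group name, that the Office list matches script 1, and that the AppLocker PowerShell module (Get-AppLockerPolicy) is available. Run it as SYSTEM after script 1 (expect all OK) or after script 2 (expect "No AppLocker EXE collection found").

```powershell
# Added verification example; values below are the page's own, the exe list is assumed to match script 1.
$namespaceName = "root\cimv2\mdm\dmmap"
$className     = "MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03"
$GroupName     = "AppLocker001"
$parentID      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$expectedBlocked = @("excel.exe","outlook.exe","powerpnt.exe","winword.exe",
                     "ONENOTE.EXE","MSPUB.EXE","MSACCESS.EXE")

# 1. Is the node present at all? After script 2 (or the logon failsafe) this should return nothing.
$instance = Get-CimInstance -Namespace $namespaceName -ClassName $className `
    -Filter "ParentID='$parentID' and InstanceID='EXE'" -ErrorAction SilentlyContinue
if (-not $instance) {
    Write-Output "No AppLocker EXE collection found under $parentID (policy not applied or already removed)."
    return
}

# 2. The Policy property carries the RuleCollection XML; decode the HTML encoding script 1 applied
#    (HtmlDecode is a no-op if the bridge already returns plain XML) and parse it.
[xml]$policy = [System.Net.WebUtility]::HtmlDecode($instance.Policy)
$rules = @($policy.RuleCollection.FilePathRule)

# 3. Failsafe check: without an Allow rule for Local Administrators (S-1-5-32-544) admins get locked out too.
$adminRule = $rules | Where-Object { $_.UserOrGroupSid -eq 'S-1-5-32-544' -and $_.Action -eq 'Allow' }
if ($adminRule) { Write-Output "OK     : Local Administrators failsafe rule present ('$($adminRule.Name)')." }
else            { Write-Warning "MISSING: no Allow rule for S-1-5-32-544; administrators would be restricted as well." }

# 4. Exception check: each Office executable must appear as an exception to the Everyone (S-1-1-0) rule.
$everyoneRule = $rules | Where-Object { $_.UserOrGroupSid -eq 'S-1-1-0' }
$exceptions   = @($everyoneRule.Exceptions.FilePathCondition.Path |
                  ForEach-Object { $_.TrimStart('*').ToLowerInvariant() })
foreach ($exe in $expectedBlocked) {
    if ($exceptions -contains $exe.ToLowerInvariant()) { Write-Output "OK     : $exe is excepted (blocked for non-admins)." }
    else                                               { Write-Warning "MISSING: $exe is not in the exception list." }
}

# 5. Cross-check with what the OS actually enforces, independent of the bridge view.
[xml]$effective   = Get-AppLockerPolicy -Effective -Xml
$exeCollection    = $effective.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
Write-Output ("Effective EXE collection: EnforcementMode={0}, {1} path rule(s)." -f
    $exeCollection.EnforcementMode, @($exeCollection.FilePathRule).Count)
```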

The result (with proper targeting and tooling)

At logon, the first script is applied, setting the AppLocker policy with immediate effect. The well-known message appears when opening an Office application 🙂

Nothing more… nothing less. Issues with licensing or confusion for the end-user when starting MS Office are… over. Of course you can do all sorts of things to improve the experience (changing file type associations, icons and so on), but the main goal is achieved :).

When the user logs off (or if you followed my tip and configured the failsafe), the AppLocker policy is removed, allowing Microsoft Office to start again.

Last but not least!:
YES, you can also use WDAC (Windows Defender Application Control), and Peter van der Woude has some of the nicest how-to's about this topic, but the PowerShell method is… instant (with the proper tooling!) 😎

GL & HF playing.
