Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Blocking Applications with AppLocker and Intune

PDQ
06/25/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


in your environment and you really mean it, this is the way. I'm not kidding, man. Yeah, okay. All right, first thing you're gonna do is you're gonna go and you're gonna hit run and then you're gonna type in just what you see here. SecPol MSC. SecPol MSC. But you're basically just gonna open up the local security policy, which is right here. Let's minimize this guy. Okay. Cool. So this looks familiar, right? If you're a group policy shop, you're gonna go, hey, I've seen this before. This won't be expanded, so you're gonna come here, application control policies, open that up, expand out AppLocker, okay? All right. Really important, I'm gonna come here. Sorry, not there. I'm gonna go to executable rules and the first thing you need to do is create default rules and it's gonna create all of these. Why? You have to do that because you notice the rules are allow everyone to access these files. The reason why is we're gonna export all these rules soon. Okay. Very important that you do that first initial step. Because if you don't do that, then that's how you end up in the nothing run. Yeah. Yeah, that makes sense. Okay. That's kind of important. Yeah, why have them there in the first place? That makes no sense. Okay. So then after you've done that first step, you're gonna come here and you're gonna hit create new rule on executable rules, okay? Create new rule. Wizard. Yay, we love wizards. You're gonna hit next and then we're gonna hit deny. Now, this is where I'm gonna tell everyone, careful, because you see what it says right here. Remember, we're local. We're on a local machine right here, but when I was testing this. So it's local group, everyone. Local group, everyone, not domain group, everyone. Correct. But if you're logged in as an administrator, just careful. Yeah. Okay. So try this on a VM. You don't wanna try this on your local workstation and block a whole bunch of stuff. Not like what you're doing right now. Right, exactly. Yeah, okay. So then you're gonna hit next and then we're gonna leave it as publisher right here. But it is very powerful because you notice what I could do. Look at all my options right here. We'll go into that a little bit more later. But when I say it's powerful, I really mean it's powerful. Now, reference file. We're gonna browse to the file that we want. So let's do. Oh, okay. We wanna punish putty. So now we need to search for the executable. So I'm gonna pick this guy right here. It's really important that you drill down to the executable. You wanna stop it in its tracks before it opens. So this is the part that takes a little bit of fine tuning. Okay, and then we're gonna hit open and then we're gonna just dial it up just to the file name. Oh, I do like that. Oh, that's really cool. So you can nail it down to the publisher. So you can nail it. It's like if it was signed with this code signing cert. Yes. You don't run it. Attempted to test this and block everything signed by Microsoft. Just be careful. You can. I will after this. I spent Monday breaking a bunch of stuff. So just be careful. That sounds so much fun. Yeah, I'm gonna do that later. Okay, so this is how we want it to look and then we're gonna hit next and then we're gonna leave all this alone. Although you can add exceptions for no reason. Okay. And then we're gonna hit next and you can change this name. So we're not going to, but you can. Yeah, that's just coming out of the code signing cert. Exactly, but we can say. No silly putty for you. No putty for Jake. Okay. And then we're gonna hit create and then it's gonna have it be up here. Okay. And by the way, you change this just like you would change any other policy. I could allow it. I can actually change the group right here if I wanted to make a local group. I can only apply it to certain users. You would do it just like you do any other group policy. Nifty. Okay. So now. So now no putty will run on this machine. That's right. It does seem like a lot of work, but remember what I said. This is super powerful if you're gonna use it for your entire enterprise because this is just part of it. Okay, this is the local policy. Now, what are we gonna do? We're gonna tie it to Intune. Now what we have to do is we come back over here to AppLocker. And first thing, configure rule enforcement. We have to make sure this is configured and it's going to enforce. So, okay. We're good to go there. We're gonna right click on AppLocker and we're gonna export this policy. Now it's gonna export an XML. Okay. So let's just put it on our desktop. We're gonna call it something. It doesn't really matter what we call it, but let's say save. Okay, perfect. Got all of our six rules. That's right. And I think I have this. Now remember you said all six rules. So it's important that we save that first part so we don't lock ourselves out of the whole thing. That's right. Okay. Let's minimize that. I already had it open here in VS Code. Thank you. Okay. My brain stopped for a second there, but let's come here. So you're gonna go back and find the parts that you want to block in Intune. So I started at rule collection down to this rule collection. And there's tons of documentation to do this. So I'm gonna include that if you want. But you're just grabbing the one, right? You exported the entire thing as XML. Exactly. But for Intune, you're just gonna grab the one little bit. That applies to Putty. Okay. That's correct. Got it. So I'm gonna hit copy right here. Okay. Now, I know this seems like a lot of work, but remember, pretend you're doing this for five applications. Do you want to stop gaming in your environment? Imagine this scenario on a larger scale. Rude. I know, but I'm giving you a use case for this. Why would I go to all this work to stop something? Something as assiduous as gaming. I'm in an educational environment. I don't want you to game. I want it to stop and it tracks. Okay, the fun way. Exactly. Okay, so I'm gonna copy this. I need to copy the XML. Now, let's hop over to Intune. Okay, so I'm gonna go to Intune. Now, I'm gonna go to devices, and then I'm gonna scroll down. I'm gonna go to configuration. Okay, we're gonna create new policy. I'm gonna come over here, Windows 10 and later. And then I'm going to hit template. We want templates for this. I'm gonna make a custom template. Okay, stop the putty. All right. Okay, leave that just like that. Picking on poor putty today. I know, I mean, I just had to pick one. Doesn't matter. Okay, this I have open because you do have to research this. But again, we will include this. So you have it, has to be named a certain way. And I know what you're thinking. You're like, why would I go to all this hassle? Gosh, this seems like a lot of work, Tara. I know, I know it really does. But we're gonna call this string. It totally works. I spent the better part of Monday locked out on a bunch of stuff. Oops, wrong one. Sorry, sorry, sorry. And there's a string value for notepad. That whole stuff that we copied. We're gonna come back over here. If I can remember how to work it. Yep, save it. Okay, so now we saved it. Now what are we gonna do next? We're gonna scope it. Now, interestingly, we're gonna scope it to users, not devices. Yeah. So any computer that you log into, it's gonna stop putty for you. That's actually like a really cool and really powerful. Very powerful. It's like local policy or like AV policies typically block an app from running on an entire machine. Yes. Right, so with this, we can target and we can say, this app should be installed, not run for standard users, but will run for administrators or this type of user, but not that. Correct. That's really cool. So I made a user group, has two users in it, myself and Austin. I think user group that won't break anything and then select it. I'm gonna scope it, hit next. I didn't fill in any applicability rules. You could, you could say when this computer's at home, this is, you know, it's so- This is where you can get crazy with this type of thing, right? You could, yes. I know it really feels like a ton of work, but oh my God. That's not that much work. I think that's fine. Well, and they're complaining, so I'm trying to say calm down. Like, yeah, if it only did a block of the machine level itself, yeah, there's easier ways to do it, but it's the granularity that you can target a user. You can target a user at a network location. You can target a user if it's, something's out of date. You can target a user for this, that, and the other. That's where this gets powerful. And one thing that you can do in just standalone Intune is you can block certain applications. You just don't have as much granularity. You can block EXEs. You can block file types. You can block scripts. You can just do that with configuration policies inside of Intune. It's just a little bit more powerful with AppLocker, but yeah. It took a while to figure it out all perfectly. Yeah. I'm not gonna lie. The cool thing is like being able to block something by like a code signing cert. Like that's a pretty powerful tool, right? Because it is like the exact example you gave of blocking gaming in education. Like how hard is that actually? Like, I think you started yesterday. I threw something random out. I was like, just block Minecraft. Ugh! Blocking Minecraft is actually really hard because it gets delivered in so many different ways through multiple launchers and all kinds of stuff. But if I can just say, well, I think it's actually signed with a Microsoft code signing cert now, so that probably wouldn't be great. But something else that is signed with like that company's code signing cert, you can just say, no, nothing from that company. Well, and I actually was poking around in Intune today, and I think that they do, they have one for gaming. It was under endpoint detection, or sorry, endpoint protection. Intune has already made one for that. So I would probably go that route. Because it's made specifically for gaming. There's one to block Microsoft store apps. Anyway, AppLocker, Microsoft is supposedly moving AppLocker to Intune now, but I don't know. I've looked at it a little bit. Have you? Yeah, I haven't done too much with it. It seems like one of those things, like how you mentioned, like it's just not feature parity yet with Vue. Yeah, so. Yeah. Yeah, it was, as always, Intune, I love it slash hate it. There was moments where I was just like, what are you doing? Why are you doing it that way? And you never know, too. You gotta wait, you know, like an hour. If it doesn't work, does it not work? Or did it not apply yet? Or did it not apply? Why are you not working? Yeah, I reboot the computer like four or five times and I can't tell if it's a me problem or a time problem. Thanks for watching this segment from PDQ Live. If you like this, you'll love the full show. Check it out every Thursday at 10 a.m. Mountain. Oh, and like and subscribe, please.

TL;DR

  • AppLocker combined with Intune enables user-based application blocking that follows users across devices, offering more granular control than device-level restrictions
  • Creating default allow rules in AppLocker before adding deny rules is critical to prevent system lockout, as the policy must explicitly permit essential Windows executables
  • Publisher-based rules allow blocking applications by code signing certificate, enabling administrators to block entire software vendors or specific product versions with a single rule
  • The integration requires exporting AppLocker policies as XML and importing specific rule collections into Intune custom configuration profiles with properly formatted OMA-URI settings

AppLocker Configuration and Rule Creation

The demonstration walks through the complete process of configuring AppLocker policies locally before deploying them enterprise-wide through Intune. Starting with the local security policy editor (SecPol.msc), the presenters emphasize the critical first step of creating default rules to prevent system lockout. These default allow rules ensure that essential Windows executables remain accessible while custom deny rules are applied. The process involves creating executable rules with publisher-based conditions, which offers granular control ranging from specific file versions down to just the file name. Using PuTTY as the example application, the video demonstrates how to reference the executable file and configure the rule scope, with particular attention to the distinction between local groups and domain groups to avoid unintended consequences.

Intune Integration and User-Based Targeting

The second phase involves exporting the AppLocker policy as XML and integrating it with Microsoft Intune through custom configuration profiles. This approach enables user-based application blocking rather than device-based restrictions, meaning the policy follows users across any machine they log into. The presenters extract the specific rule collection from the exported XML and create a custom Windows 10+ template in Intune with properly formatted OMA-URI settings. The configuration is scoped to user groups rather than device groups, demonstrating a key advantage over traditional machine-level blocking methods. This granularity allows administrators to apply different restrictions based on user roles, network locations, or other conditional factors, providing significantly more flexibility than standalone Intune application blocking or traditional antivirus-based approaches.

Chapters

0:00 - Introduction to AppLocker
0:08 - Opening Local Security Policy
0:34 - Creating Default Rules
1:09 - Creating Custom Deny Rules
3:56 - Exporting AppLocker Policy
4:32 - Extracting XML for Intune
5:31 - Creating Intune Configuration Profile
6:37 - User-Based Scoping in Intune
8:00 - AppLocker vs Intune Native Blocking
9:36 - Future of AppLocker in Intune

Key Quotes

0:55 "Really important that you do that first initial step. Because if you don't do that, then that's how you end up in the nothing run."
1:57 "But it is very powerful because you notice what I could do. Look at all my options right here. We'll go into that a little bit more later. But when I say it's powerful, I really mean it's powerful."
6:44 "Interestingly, we're gonna scope it to users, not devices. So any computer that you log into, it's gonna stop putty for you."
7:51 "That's not that much work. I think that's fine. Well, and they're complaining, so I'm trying to say calm down. Like, yeah, if it only did a block of the machine level itself, yeah, there's easier ways to do it, but it's the granularity that you can target a user."
8:31 "The cool thing is like being able to block something by like a code signing cert. Like that's a pretty powerful tool, right? ..."

FAQ

Why create default allow rules before adding deny rules in AppLocker?

Default allow rules ensure that essential Windows system executables remain accessible. Without these baseline permissions, deny rules could prevent critical system components from running, potentially locking you out of the system entirely. The default rules allow everyone to access necessary files in Program Files, Windows, and other system directories.

What's the advantage of user-based blocking in Intune versus device-based blocking?

User-based blocking follows the user across any device they log into, whereas device-based blocking only affects specific machines. This allows for role-based restrictions where administrators might have access to certain applications while standard users are blocked, regardless of which computer they're using. It also enables conditional policies based on network location or other user-specific factors.

Categories:
  • » Cybersecurity » Endpoint Security
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Endpoint Management
  • Technical Deep Dive
  • How-To
  • Identity & Access
  • Security Operations
  • AppLocker configuration
  • Microsoft Intune integration
  • Application blocking policies
  • User-based access control
  • Publisher-based rules
  • Group Policy management
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Blocking Applications with AppLocker and Intune

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    22

                    Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                    07/22/202601:00 PM ET
                    • Aug
                      19

                      Becoming Agent Ready: Insights from Cyera's Expertise

                      08/19/202612:00 PM ET
                      More events

                      Upcoming Webinar Calendar

                      • 07/21/2026
                        04:00 AM
                        07/21/2026
                        Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                        https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                      • 07/22/2026
                        06:30 AM
                        07/22/2026
                        Insights and Strategies for Effective Data Privacy and Protection
                        https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
                      • 07/22/2026
                        01:00 PM
                        07/22/2026
                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                        https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                      • 07/28/2026
                        01:00 PM
                        07/28/2026
                        Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                        https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                      • 07/29/2026
                        04:00 AM
                        07/29/2026
                        Real-Time Strategies for Safeguarding Against Prompt Injections
                        https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                      • 07/29/2026
                        01:00 PM
                        07/29/2026
                        Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                        https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                      • 08/19/2026
                        12:00 PM
                        08/19/2026
                        Becoming Agent Ready: Insights from Cyera's Expertise
                        https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                      • 09/02/2026
                        12:00 PM
                        09/02/2026
                        Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                        https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                      • 09/30/2026
                        04:00 AM
                        09/30/2026
                        AI Command Center: Optimizing Visibility and Control in Your Operations
                        https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                      Truth in IT
                      • Sponsor
                      • About Us
                      • Terms of Service
                      • Privacy Policy
                      • Contact Us
                      • Preference Management
                      Desktop version
                      Standard version