The original CCMExec.exe file path in the first rule collection can also be deleted at this point.
The exported policy XML will look similar to the example below.
Right-click Applocker in the navigation pane and select Export Policy… highlighted below. Once the rule has been created it will appear in the console.For this example, a File Path condition has been selected (this is the least secure option but it should allow readers to copy the policy used here for basic testing). Right click Executable Rules and create a new rule that allows “Everyone” to run CCMExec.exe based on a condition of your choice.Once the console opens, navigate to Application Control Policies > AppLocker > Executable Rules.
From the Windows Start menu, type “secpol.msc” and then press enter to launch the MMC snap-in.
This can be done with similar workflows on any recent version of Windows, but in this example a Windows 10 client is used.
The remainder of this blog will provide detailed instructions on how clients can leverage this new functionality.įor additional reading about Device Guard and AppLocker, please consult the following resources:īlog: Managing Device Guard Configurable Code Integrity with existing ConfigMgr functionality Creating the Custom AppLocker PolicyĬreating an AppLocker Policy that contains a Managed Installer is most easily done in the Local Security Policy snap-in in Microsoft Management Console (MMC), then moving to the XML editor of your choice. As noted, Managed Installer functionality currently only applies to AppLocker, but the Windows engineering team intends to integrate the functionality with Device Guard’s configurable code integrity feature in a later release. The Windows version and ConfigMgr client version are the only two prerequisites for this functionality. However, thanks to collaboration between the ConfigMgr and Windows engineering teams it can be set up today and tested in any environment on machines with the ConfigMgr 1606 Technical Preview client that are running Windows 10 Enterprise with Windows Insider Program build 14367 or later with some caveats explained below. Managed Installer functionality is still in a prototype phase at the moment and does not yet have any associated user interface screens within Windows.
This will drastically reduce the overhead required to maintain whitelisting policy when deploying applications and software to systems protected by Windows AppLocker. Applications and software that are installed using any other mechanism will not pass the Managed Installer rule and will only run if explicitly allowed by another AppLocker rule. dll’s) that are installed by that specified installation authority will be automatically trusted by AppLocker and allowed to run without needing to create any other rules. Any applications or other software (executables and.
Enter the concept of the Managed Installer.Īs of Windows 10 Enterprise Anniversary Edition, administrators can configure a new type of AppLocker rule that identifies a specific trusted installation authority, or Managed Installer. Like all whitelisting solutions, configurable code integrity and AppLocker policies can be complex to set up and difficult to maintain, particularly for enterprises whose software catalogs are large, ever-changing, and include applications from a variety of internal and 3 rd-party software developers. Key amongst these is a new application and software whitelisting technology known as configurable code integrity that, together with AppLocker, enables enterprises to strongly control what is allowed to run in their environment. Windows 10 introduced a new set of features called Device Guard that helps enterprises protect their business critical machines against malware and other unwanted software. Une très bonne nouvelle, qui tombe à pic dans mon projet actuel…SCCM pour piloter Applocker et Device Guard…je simplifie un peu mais pour ceux qui ont déja joué avec ces fonctionnalités vous allez vite comprendre l’intérêt en lisant cet article…EXCELLENT! Introduction Toujours dans le Blog CM…Un post de Dune Desormeaux, le PM de Configuration Manager!