Hi everyone, today we have another article from Intune Support Engineer Mohammed Abudayyeh where he shows us how we can leverage AppLocker to create custom Intune Device Configuration policies to control Windows 10 modern apps. His example demonstrates just how easy it is to create a quick Intune policy that can be used in lots of different ways to control Windows apps in your environment.Windows AppLocker is a technology first introduced in Windows 7 that allow you to restrict which programs users can execute based on the program's attributes. In enterprise environments it is typically configured via Group Policy, however we can leverage the XML it creates to easily build our own custom policies that perform many of the same tasks with Microsoft Intune.The process flow goes like this: We first model the policy we want to implement using AppLocker in Group Policy Editor. We then export the XML for that policy and use it to create a new, custom Windows 10 Device Configuration policy in Intune.
Feb 13, 2019 Free Downloadfor Windows. Security Status. In Softonic we scan all the files hosted on our platform to assess and avoid any potential harm for your device. Our team performs checks each time a new file is uploaded and periodically reviews files to confirm or update their status. This comprehensive process allows us to set a status for any.
Once the custom policy is deployed, the same policy behavior we modeled with AppLocker in Group Policy Editor is then applied to our targeted Windows 10 devices.You can find all of our documentation on Windows AppLocker, and in this post I’ll walk you through an example using this process to block the built-in Mail app on Windows 10 computers.Generating the XMLThe first step is to generate the XML we need for Intune by modelling the policy on a Windows 10 computer.1. On a computer running Windows 10 Enterprise, start Group Policy Editor (GPEdit).2. Genius hs-g500v review.
Under Computer ConfigurationWindows SettingsSecurity SettingsApplication Control PoliciesAppLocker, right-click and select Properties, then enable Packaged app Rules and select Enforce rules. This turns on our AppLocker rules. Once done, click OK.3. Next we need to create two Packaged app Rules: one default rule to allow all apps to run, and another rule to block our particular app. First, right-click Packaged app Rules and select Create default Rules. This will create a rule that allows all signed apps to be executed.
Note that this setting only applies to Modern Apps and not Win32 applications.4. Now create another new Package app Rule by right-clicking Packaged app Rules and selecting Create New Rule. Omnisphere vst crack zip.
This will start the Create Packaged app Rules wizard. Click Next to continue.5. In this example we want to deny everyone access to the Mail app, so on the next screen select Deny and specify Everyone, then click Next.6.
Select Use an installed packaged app as a reference and click Select.7. Here is where we select the app we want to block. In our example we’ll choose the one with Package Name = microsoft.windowscommunicationsapp which is the Windows Mail app. Once selected, click OK and Create.8. Now we have a local policy created that blocks the built-in mail app. This will be our template.9. Next we need to export that policy so we can use it in Intune.
Right-click AppLocker and select Export policy. Save the file on a share so you can access it from the computer you will be using to create the policy in Intune.10. When exporting the policy, an XML file will be generated that looks something like this:It’s important to note that if we use all of the XML in our Intune policy then the policy will fail because it includes other NotConfigured rules for things like MSI, Script, DLL and APPX. What we need to do is take only the configured RuleCollection element of our XML for use in our policy, like this:Creating the PolicyOnce we have our XML, the next step is to create our policy in Intune and deploy it to users.1. In the Intune admin portal, select Device configuration- Profiles- Create profile.2. Enter the following settings:.
Name: Enter a name for the profile, such as Block Mail App. Description: Enter a description for the profile. Platform: Choose Windows 10 and Later. Profile type: Choose Custom.3. On the Custom OMA-URI Settings screen, select Add then enter the following settings:. Name: Give it a unique name so you can easily identify it.
Description: Enter a brief description that describes the setting. OMA-URI: Enter the OMA-URI you want to use as a setting. In this case it is./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/Native/StoreApps/Policy. This comes from the AppLocker CSP and you an find our documentation on that. Data type: Choose String.
Value: Enter the XML from your exported policy. In our example this is the green text above.4. Select OK to save your changes, then OK and Create to create the policy. Your profile will be shown in the Device configuration - Profiles list:5. Lastly, assign your new profile to the groups of your choice. Once applied, when a targeted user attempts to launch the Mail app they will receive the following message:IMPORTANT On the Windows 10 PCs that will be assigned the Intune policy, the Application Identity service must be running.
This is the default, however if you’ve disabled this service for any reason, or if you have an issue where the policy is not being applied as expected, check the service and make sure it’s configured correctly. To do this, run services.msc and find the Application Identity service, then make sure Startup Type is set to Automatic and the Status is Running.SummaryIn this post I showed how you can easily leverage the XML generated by AppLocker to create custom Windows 10 Device Configuration policies in Intune. While the example I used demonstrated how to block the native Mail app on Windows 10, this same process can be used to control application execution for a variety of apps in many different ways. Be sure to check our complete to learn more about the types of rules you can create for Windows 10 devices in your environment.Mohammed AbudayyehIntune Support Engineer.
Windows 10 Education ProI've not had an opportunity to test Pro Education edition yet but I am running normal Education on a Hyper-V virtual machine and on dual boot with Pro on a laptop. Basically Education is exactly as Enterprise, meant for domain or Azure AD use. Windows 10 Pro EducationWindows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings, including the removal of Cortana1. These default settings disable tips, tricks and suggestions & Windows Store suggestions.
How can I convert Windows 10 Pro Education to Pro OEM?Hi,To assist you better, kindly provide us more details by answering the following questions:. Is Windows 10 Pro Education Pre-installed on your computer?. Have you upgraded your computer from Windows 10 Pro to Windows 10 Pro Education?
If so, do you still have the product key for Windows 10 Pro?Meanwhile, you may refer to the steps under Roll back Windows 10 Pro Education to Windows 10 Pro section of this.Should you need further assistance, feel free to get back to us.