Windows Information Protection create a list of protected apps using the AppLocker tool

  • Question

  • Hi all, I am new to Intune and I am still learning myself.

I have read through some documents on how to create an Executable rule and XML file for unsigned apps on a Windows 10 machine, to be imported later into protected apps (Home > Microsoft Intune > Client apps - App protection policies > Intune App Protection - Protected apps).
    But I don't get what this part that I am doing is actually doing. On the Windows 10 machine I have created an Executable Rule; for Permissions I have allowed Everyone, for Path I have selected Program Files, and the generated path is %PROGRAMFILES%\*. I have also selected Windows, and it generated %WINDIR%\* for me. Then I exported the file and imported it into Intune. Here are my questions.

1. Can you explain to me what it is trying to achieve here? Is it trying to protect all the files in Program Files and Windows? Or encrypt all the files? Or allow me to access all the files there?

2. Is it necessary to create these 2 strings and import them into protected apps? What if I didn't create them, and what would the impact be if I just selected all the default apps from the list provided under protected apps without creating the file that contains the 2 strings %PROGRAMFILES%\* and %WINDIR%\*?

3. What is the difference between creating Executable Rules and Packaged app Rules?

4. What will the impact be if a user unenrolls their device after I have already applied this policy that contains the 2 strings and all the protected apps (e.g. Notepad, OneNote, Word Mobile)?

Thanks a lot.


    • Edited by Chang Hian Tuesday, January 22, 2019 3:01 AM Edit some wording
    Tuesday, January 22, 2019 2:56 AM

All replies

  • Intune App Protection policies and AppLocker are two completely different things meant for two completely different purposes. Most of what you are asking about has nothing to do with App Protection policies or Intune really, this is all just AppLocker (simply deploying a policy from Intune doesn't make this related to Intune). #4 is CSP specific and is really the only piece here that involves Intune although there are other ways to deploy a CSP.

    App Protection policies are about protecting data: https://docs.microsoft.com/en-us/intune/app-protection-policy

    AppLocker is about preventing the execution of items on a system: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

1. AppLocker defines what executable code can execute on a system for a given set of users. The rule you created says allow anything to run from %ProgramFiles% and %WinDir% for Everyone.

    2. Can you be more specific about where you are importing this in as it seems you are mixing things up here? Are you following something like this: https://blogs.technet.microsoft.com/matt_hinsons_manageability_blog/2018/08/21/blocking-apps-with-intune-and-applocker-csp/?

    If you don't allow execution from %WinDir% then none of the Windows code will be allowed to run. If you don't allow execution from %ProgramFiles% then none of your applications installed there will be allowed to run.

    3. An executable rule is for Win32 .exes and a packaged app is a modern/Windows store app.

    4. To my knowledge, all CSP policies will be removed so this policy will be removed as well. See https://docs.microsoft.com/en-us/windows/client-management/mdm/disconnecting-from-mdm-unenrollment. CSPs are somewhat strange beasts though so I would test this to be 100% sure.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, January 22, 2019 3:28 PM
• Hi Jason, thanks a lot for your help.

I am following this link, "https://www.experts-exchange.com/articles/33219/Microsoft-Intune-Windows-Information-Protection-WIP-for-Windows-10-Part-I.html", to configure the %ProgramFile% and %WinDir% rules. I don't understand why he is adding these 2 into (Home > Microsoft Intune > Client apps - App protection policies > Intune App Protection - Protected apps). If you don't mind, can you kindly help me look through it and explain it to me? The relevant part of the document starts from "Addition of custom apps through applocker Policy".
    Wednesday, January 23, 2019 6:17 AM
  • That walk-through is just a method to create App Protection rules for the same rules already configured in AppLocker -- it's not a direct reference, just a shortcut.

The walk-through is adding %ProgramFile% and %WinDir% because without those, as noted, AppLocker will prevent Windows from running completely. In App Protection, this will apply the configured App Protection Policies to all Windows executables and also those in Program Files. For the example, this makes things like Notepad.exe a protected app that conforms to WIP enforcement and separation/protection of data.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, January 23, 2019 3:02 PM
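As an added example, not part of this thread or of any Microsoft tool, here is a small Python check to run over the exported AppLocker policy XML before importing it into the WIP protected-apps list. It lists what each Executable Rule actually grants (the point of answer 1) and flags whether the %PROGRAMFILES%\* and %WINDIR%\* allow rules from answer 2 are present. The XML below is a constructed sample shaped like a Local Security Policy export; the rule GUIDs are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AppLocker export with the two default Executable Rules
# from the question: Everyone (SID S-1-1-0) may run anything under Program Files
# and under the Windows folder. Rule Ids are placeholder GUIDs.
SAMPLE_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001"
                  Name="(Default Rule) All files located in the Program Files folder"
                  Description="Allows Everyone to run applications located in Program Files."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002"
                  Name="(Default Rule) All files located in the Windows folder"
                  Description="Allows Everyone to run applications located in the Windows folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"""

# The two path strings the thread is about; WIP import expects both as Allow rules.
REQUIRED_EXE_PATHS = {r"%PROGRAMFILES%\*", r"%WINDIR%\*"}


def summarize_rules(policy_xml):
    """Return one dict per FilePathCondition: collection, enforcement, action, SID, path."""
    root = ET.fromstring(policy_xml)
    rules = []
    for coll in root.findall("RuleCollection"):
        for rule in coll.findall("FilePathRule"):
            for cond in rule.findall("Conditions/FilePathCondition"):
                rules.append({
                    "collection": coll.get("Type"),
                    "enforcement": coll.get("EnforcementMode"),
                    "action": rule.get("Action"),
                    "sid": rule.get("UserOrGroupSid"),
                    "path": cond.get("Path"),
                })
    return rules


def missing_required_allows(rules):
    """Required paths that have no Exe Allow rule (case-insensitive on the variable name)."""
    covered = {r["path"].upper() for r in rules
               if r["collection"] == "Exe" and r["action"] == "Allow"}
    return sorted(p for p in REQUIRED_EXE_PATHS if p.upper() not in covered)


if __name__ == "__main__":
    found = summarize_rules(SAMPLE_POLICY)
    for r in found:  # e.g. "Exe/Enabled: Allow S-1-1-0 to run from %PROGRAMFILES%\*"
        print(f"{r['collection']}/{r['enforcement']}: {r['action']} {r['sid']} to run from {r['path']}")
    print("missing required allow rules:", missing_required_allows(found) or "none")
```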