AppLocker and Store Apps

  • Question

  • I have a customer where we set up devices with Intune to use Kiosk mode. In the background it uses AppLocker to prevent applications from running. In the Intune Kiosk policy we can then whitelist the applications which are allowed to run.

    The issue we have is that we get a message that an application is blocked. When checking the event log we see the following message:

    \??\C:\Program Files\WindowsApps\AppUp.IntelGraphicsExperience_1.100.2731.0_x64__8j3eq9eme6ctt\GCP.ML.BackgroundSysTray\IGCCTray.exe was prevented from running.

    It is clear that this app comes with the Intel Graphics driver and is store-based. Probably for enabling options in Settings (the replacement for Control Panel).

    So I have 2 options:

    - Make sure the application won't start at all.
    - Whitelist the application in the Kiosk policy.

    If anyone has another option, please feel free to help me out.

    When I check all the known locations, like Run in the registry, the Startup folder in the Start menu, Scheduled Tasks, Services, background tasks, etc., I cannot find the process which starts this executable, so that I can see how to stop it from starting at all. I don't know yet if that is a good idea, but it is something to test.

    Has anyone an idea where to find the location which makes it start in the first place?

    Whitelisting within the Intune Kiosk policy could be an option, but it is not preferable. When checking the executable path, it seems that the version number is present, so after an update the whitelisting won't work anymore.

    Maybe AppLocker whitelisting with OMA-URI settings, but I do not have experience with that.

    Hopefully someone can help me in the right direction.

    Friday, July 17, 2020 12:03 PM

All replies

  • Hi,

    Thanks for your post, and kindly note that we have limited knowledge of Intune, but we will try to support from the AppLocker side if possible.

    1. Have you checked the rules set in AppLocker that relate to the driver, via Publisher or Path?


    2. If the client is domain joined, kindly verify if the domain has an AppLocker policy already configured.


    3. >> Has anyone an idea where to find the location which makes it start in the first place?

    You may use Process Monitor to capture traces or logs to investigate the details of the process.


    4. Per my search, here is guidance on how to use AppLocker to create custom Intune policies for Windows 10 apps:

    https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-using-applocker-to-create-custom-intune-policies-for/ba-p/364981


    You could go through the details and check if anything is missing.

    This "Security" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.  

    Thanks,

    Jenny


    Monday, July 20, 2020 7:28 AM
  • Hello Jenny,

    Thank you for your reply. Here the answers to your questions:

    1. Have you checked the rules set in AppLocker that relate to the driver, via Publisher or Path?

    I didn't create a rule set. I just used the Intune Kiosk policy. This policy disables most applications and you can whitelist the ones you want to start. So the options are limited.


    2. If the client is domain joined, kindly verify if the domain has an AppLocker policy already configured.

    No, all devices are Azure AD joined and not on-prem domain joined. So no Group Policies are applied. The only policies it gets are from Intune. Next to the Intune Kiosk Policy, no other AppLocker related policies are set.

    I will see with Process Monitor if I can get some more information on which option makes this process start.
    And I will see if I can combine the Kiosk policy with the custom AppLocker policy. It would be nice if I could just create an AppLocker policy which whitelists everything from, for example, Intel.

    Thanks again for the help and if I get some results, I will let you know.

    Monday, July 20, 2020 1:23 PM
  • Hello all,

    I'm still struggling with this issue.
    In a new example I start the PC managed by Intune with Kiosk mode enabled.

    When the computer is logged in (automatically, with the local account set up in the Kiosk policy), I now get one message explaining that an app is blocked.

    When I look in the event viewer at the AppLocker log files, I see the following message:
    %SYSTEM32%\DRIVERSTORE\FILEREPOSITORY\CUI_DCH.INF_AMD64_F3A64C75EE4DEFB7\GFXDOWNLOADWRAPPER.EXE was prevented from running.

    (%SYSTEM32% does not exist as a system variable, but I assume that the application which starts this process does understand this.)

    GFXDOWNLOADWRAPPER.EXE is not a process which starts by itself, so it is not in the Start menu or configured as a startup app. It is part of the "Intel(R) HD Graphics Control Panel Service", which starts the executable "C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_f3a64c75ee4defb7\igfxCUIService.exe". This executable is allowed to run, and it also seems to trigger GFXDOWNLOADWRAPPER.EXE. This last one is not allowed to run.

    My end goal is that the users will not get the notification for the blocked app. I prefer that the app is allowed because at an Intel forum it was mentioned that the exe is required.

    This is an example which I could probably fix by creating a Start menu shortcut, getting the AppID and allowing the app from the Intune Kiosk policy. But what happens when the driver gets updated, and what about other drivers or services which cause this issue?

    Because of this I am looking for a solution which is flexible and easy to implement, for example allowing everything from a certain vendor like Intel, Realtek, Conexant, etc. This way we will not get any issues on any device as long as the specific vendor is allowed.
    And also that we can still use the Intune Kiosk policy without having to manually create and apply provisioning profiles.

    Hopefully someone can help me with this.

    Wednesday, August 5, 2020 10:24 AM
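
    The following PowerShell is an added example, not code from the thread or from Microsoft's guidance. It serves two points raised above: Jenny's suggestion (reply of July 20) to check Publisher rules and to ship a custom AppLocker policy through an Intune OMA-URI, and the goal in the last post of allowing everything signed by one vendor such as Intel so that a driver update with a new version folder does not break the rule. Part 1 reads the blocked events back out of the AppLocker log together with the publisher AppLocker recorded for each file; part 2 lets AppLocker draft a publisher rule from one signed sample file and then widens it to the whole publisher. Assumptions the thread does not confirm: the log name "Microsoft-Windows-AppLocker/EXE and DLL", event IDs 8003/8004, the UserData field names (FilePath, Fqbn), and that the Intune custom OMA-URI ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<group>/EXE/Policy takes the <RuleCollection> fragment as its value.

```powershell
<#
 Added example (not from the original thread). Run in an elevated PowerShell
 session on the Windows 10 kiosk device.
 Assumed, not confirmed by the thread: AppLocker EXE log name, event IDs
 8003/8004, the UserData field names, and the Intune OMA-URI contract.
#>

function Get-AppLockerBlockedExe {
    param([int]$MaxEvents = 200)

    # 8004 = blocked under enforcement, 8003 = would have been blocked (AuditOnly).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003, 8004
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        # Fqbn is "Publisher\Product\BinaryName\Version" for signed files and
        # "-" for unsigned ones. Publisher is the certificate subject, e.g.
        # "O=INTEL CORPORATION, L=SANTA CLARA, S=CALIFORNIA, C=US"; that exact
        # string is what a publisher rule must name.
        $parts = @($d.Fqbn -split '\\')
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            FilePath  = $d.FilePath
            Publisher = $parts[0]
            Product   = if ($parts.Count -gt 1) { $parts[1] } else { '' }
            Version   = if ($parts.Count -gt 3) { $parts[3] } else { '' }
        }
    }
}

function New-VendorPublisherRuleXml {
    param(
        [Parameter(Mandatory)][string]$SampleExe,  # any file signed by the vendor
        [string]$RuleName = 'Allow all EXEs signed by this publisher',
        [switch]$AuditOnly                         # log 8003 instead of blocking
    )

    $info = Get-AppLockerFileInformation -Path $SampleExe
    if (-not $info.Publisher) {
        throw "$SampleExe is not Authenticode-signed; a publisher rule cannot be built from it."
    }

    # AppLocker drafts a rule scoped to publisher + product + binary name with
    # a minimum version. That narrow scope is exactly what a driver update breaks.
    [xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml
    $coll = $policy.AppLockerPolicy.RuleCollection
    $rule = $coll.FilePublisherRule
    $cond = $rule.Conditions.FilePublisherCondition

    # Widen to the whole publisher: wildcard product, binary name and version.
    # PublisherName stays the exact certificate subject, so binaries signed by
    # anyone else remain blocked.
    $rule.Name        = $RuleName
    $rule.Description = "Generated from $SampleExe; publisher $($cond.PublisherName)"
    $cond.ProductName = '*'
    $cond.BinaryName  = '*'
    $cond.BinaryVersionRange.LowSection  = '*'
    $cond.BinaryVersionRange.HighSection = '*'
    $coll.EnforcementMode = if ($AuditOnly) { 'AuditOnly' } else { 'Enabled' }

    # The Intune custom OMA-URI value is the <RuleCollection> element itself,
    # not the surrounding <AppLockerPolicy> wrapper (assumption, see lead-in).
    return $coll.OuterXml
}

# Usage. The sample path is the DriverStore file from the thread; adjust for your device.
Get-AppLockerBlockedExe | Format-Table Time, EventId, Publisher, FilePath -AutoSize
New-VendorPublisherRuleXml -AuditOnly -SampleExe 'C:\Windows\System32\DriverStore\FileRepository\cui_dch.inf_amd64_f3a64c75ee4defb7\GFXDOWNLOADWRAPPER.EXE'
```

    Two checks before pasting the XML into Intune. First, run part 1 and build the rule against the Publisher column it actually shows rather than the vendor name you expect: files shipped in a driver package are not always signed with the vendor's own certificate, and a rule naming the wrong subject allows nothing. Second, because the Kiosk profile already delivers AppLocker rules, deploy the custom collection with -AuditOnly first and confirm that the 8003 events for the wrapper disappear (or turn into allows) before switching EnforcementMode to Enabled. Note also that the first blocked file in the thread lives under C:\Program Files\WindowsApps; Store packages may be evaluated by AppLocker's packaged app rule collection rather than the EXE collection, so check which log the event lands in before assuming an EXE rule covers it.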