Normally you'd be right but AppLocker path rules actually have a limited set of variables that can be used, not all normal environment variables. See here: learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker
Why create 2 MMC files when Event Viewer and GPO AppLocker can be added in a single console? From there just add some windows. I've got a console with a whole bunch of tools, even some custom scripts that I can launch from the MMC.
Informative. However, if the OS itself has no care for your data or privacy in the first place, whatever you do on top of it just makes your data more exclusive to Microsoft and the third parties they send your data to.
Doesn't Steam set the permissions on some folders in its install directory to be modifiable without elevation? I imagine it would be difficult to configure rules properly to allow games to run but disallow malware from copying executables into the same directories as the games...
That's what the file hash exceptions are for. That said, very few malware samples are going to try the trick of copying themselves into a game's directory to attempt to use that as a staging ground, so the possibility of that happening is pretty remote. Most malware authors are not going to be writing it to tailor to your specific security policies/install setup, but hitting broader targets and going for typically unprotected areas like the Windows directory or Program Files directory etc., since most malware is just trying to find as many vulnerable victims as possible and ignore hardened systems. It's certainly possible malware could be written to do that though. Really dangerous malware, like the kind the NSA or other state-sponsored hacking organizations create, and not just script kiddie stuff, is going to use previously unknown zero-day vulnerabilities to get around security policies (such as Windows AppLocker), rendering all of this useless against them. If you're being targeted specifically by the NSA though, you're kinda just screwed at that point.
only thing that is not condone to piracy are windows server edtion remember - Server log you off Windows 10 pro - only a video editor watermark with no downsides only background can`t be changed itself £100 bounds is payable but £3000 is not payable by everyone You still has to pay for it by getting a boot drive
Great guide. I'm giving it a whirl, but I expect there'll be some teething issues when I fire up my software development tools, software on other hard drives, and Mod Organizer 2. Btw, I think on my system, AppLocker didn't start checking rules until I started the "Application Identity" service (e.g. appidsvc) and restarted. Either that or I just wasn't hitting the refresh button on the event log. It is getting a bit late...
@@bokami3445 Google "Configure the Application Identity service" and go to the link from microsoft. The page notes that "Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic by using the Services snap-in. " They give you a command line to use in powershell. I'd give you the line, but you really shouldn't trust command lines from random youtubers! ;-)
It's a sandbox. There was one I used for Windows 7 called Deep Freeze; it's a virtual environment, nothing gets saved, unless you create a folder that you can save to.
If anyone doesn't see these GPO settings working: the "Application Identity" service must be running, else the rule changes don't take any effect. It looks like it even takes effect after using gpupdate /force.
Is there a way to import multiple XML files to AppLocker? B/c you have provided two XMLs in the Google Drive download, and importing one XML removes the other XML's policies in AppLocker.
Unfortunately not that I know of. You might be able to try some kind of xml merger tool or something. I did find this article though I haven’t really read through it: learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy
Thank you for making this video. I have a problem with my PC: it's a Dell OptiPlex 390, the monitor won't switch on, it just says no signal. I don't know what to do, but maybe if u can make a video that would really help. Thanks and have a nice day.
Every time I try to save the updated directory path for my username I get an error: "policy could not be saved, unspecified error, violates pattern constraint".
I knew the video would be longer than average but not this long 😩
📝Notes:
• Also I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that.
• To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protected process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin:
sc.exe config appidsvc start= auto
• Turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.
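The two steps in the notes above (making the Application Identity service start automatically, then dropping the PowerShell Core policy templates into PolicyDefinitions) as an added PowerShell script; this is not from the video or its resource pack. It checks the service state before and after the sc.exe call, fails loudly if sc.exe refuses, and verifies both template files landed where gpedit.msc looks for them. The folder in $AdmxSource is an assumed location for the extracted PowerShell release zip.

```powershell
# Added example (not from the video or its resource pack): enables the
# Application Identity service that AppLocker depends on via sc.exe (the
# Services snap-in refuses because AppIDSvc is a protected process) and copies
# the PowerShell Core ADMX/ADML templates into PolicyDefinitions.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Enable-AppIdSvc {
    $svc = Get-Service -Name AppIDSvc
    Write-Host "AppIDSvc before: Status=$($svc.Status) StartType=$($svc.StartType)"

    if ($svc.StartType -ne 'Automatic') {
        # The space after 'start=' is required by sc.exe's argument parser.
        & sc.exe config appidsvc start= auto | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "sc.exe config failed with exit code $LASTEXITCODE (not elevated?)"
        }
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name AppIDSvc
    }

    $svc = Get-Service -Name AppIDSvc
    Write-Host "AppIDSvc after:  Status=$($svc.Status) StartType=$($svc.StartType)"
    return ($svc.Status -eq 'Running' -and $svc.StartType -eq 'Automatic')
}

function Install-PwshAdmx {
    param(
        # Assumed path: wherever you extracted the PowerShell release zip.
        [string]$AdmxSource = 'C:\Temp\PowerShell-extracted'
    )
    $policyDir = Join-Path $env:WINDIR 'PolicyDefinitions'
    $copies = @(
        @{ Name = 'PowerShellCoreExecutionPolicy.admx'; Dest = $policyDir },
        @{ Name = 'PowerShellCoreExecutionPolicy.adml'; Dest = (Join-Path $policyDir 'en-US') }
    )
    foreach ($c in $copies) {
        # -Recurse so it does not matter whether the files sit at the zip root or in a subfolder.
        $src = Get-ChildItem -Path $AdmxSource -Filter $c.Name -Recurse -File | Select-Object -First 1
        if (-not $src) { throw "Could not find $($c.Name) under $AdmxSource" }
        Copy-Item -Path $src.FullName -Destination $c.Dest -Force
        Write-Host "Copied $($c.Name) -> $($c.Dest)"
    }
    # True only if both files now exist where the Group Policy editor loads them from.
    return (($copies | ForEach-Object { Test-Path (Join-Path $_.Dest $_.Name) }) -notcontains $false)
}

Enable-AppIdSvc
Install-PwshAdmx
```

After running it, close and reopen gpedit.msc so the new "PowerShell Core" node is loaded from the copied templates.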
it’s 52 minutes but ok-
Looooonnngggg 😊
🤣🤣
You made a Documentary....😄👏
Woah, I didn't realize how long this video is until I saw this comment.
I don't know why everybody is emphasizing the duration of this video - for me - it was like watching a super interesting, informative and well-written documentary - the time just flew by! Excellent work, thank you so much for your effort! Greetings from Croatia :)
is it just me or did this 52 minute tutorial feel like a 10 minute tutorial?
"Good tutorials feel like they took a fraction of the actual time it took to complete it. Bad tutorials are the same, except the reason is because of leaving early due to how bad it is instead of being due to how good it is."
Same !
let's appreciate how much effort this guy spent to help us virus-proof our computers
Yes
Fully Agree
As useful as these tools are, the single best anti-virus you can have is your own common sense.
@@gabe_0x Not when a trusted program randomly downloads malware to your pc
@@gabe_0x Everyone knows that but the human factor will ALWAYS fail. Social Engineering is too powerful because they exploit people in all ways imaginable.
Hardening our systems will help as an early warning system, and if you actually put attention to the video, AppLocker is the single best tool ever for this kind of thing.
Now I wish to know a HID whitelist system.
The hero we didn't know we deserved
He used to be the villain, happy he has become the hero.
@@ziphhy Me too.
Who says we deserve him?
NGL I used to love the villain side of him back in the day
Yes
Hey ThioJoe! I appreciate you making this more detailed and longer! 🎉
Here's what I did for my grandma's PC, very simple:
- Require my own password for Administrative privileges so she can't do that
- Set up a single browser so she has no access to other browsers, with downloads always dropping into the Downloads folder
- Wrote a script to instantly delete any executables that enter the Downloads folder
My beloved virus addict is now sober :)
one of the best tutorials for applocker, even one of the most in-depth well explained tutorial in general
I know
I swear this video is so informative and useful it’s something you could probably charge for and make thousands off of but you were nice enough to give it to everyone for free, what a guy
This is amazing, thanks so much for taking the time and putting so much effort into this. You're a legend!
Congrats on 3M subscribers! Well deserved!
I think this is your second longest video. Nothing beats that 2 hour one
I have no intention to do any of this myself but I watched it all
You made it very engaging and informative, I didn't notice the length until it was almost done
I won't mind more "complex" tutorials like this one in the future
that's why you blush the whole time
You know @ThioJoe has a gift for teaching and explaining when the whole 50 minute video felt like 10 and you remember fairly well most of the process!
Totally appreciate this video.
Wow, this has played fully through! 😳 Was fixing a speaker bar while this played in the background 😅
Thank you for thinking of us and sharing this knowledge! You are the BEST!! I made the changes on my PC and hopefully the random file explorer windows opening will stop.
Best 50 minute of my time, thanks a lot TJ, definitely learned a lot.
@thiojoe, this was one of the best mapped out videos covering a relatively complex topic and one with lots of settings. We are implementing this, and your video has been shared to the team as the best tutorial about it.
52 minute ThioJoe video?
Yes please! 🙂
yes
@doubleWmemes Yes, a few hours ago
wait what it’s published since 3 minutes but it says you posted this comment 12 hours ago
@@_SJ how did you even watch it before it was posted
paid member @@CanDoesGames
We've been waiting! Thank you Thio!! 🎉🎉🎉
This is one of those videos that I've saved up to watch, as you were asking in a recent poll. Thanks for the detailed explanation!
"Comprehensive tutorial" is an understatement!
Top tip: if you are ever applying AppLocker policy in an AD domain, NEVER, and I mean NEVER, edit a live policy. Always export the rules, edit them locally and then re-import. If something goes wrong (and it can) you can corrupt the policy and brick machines. I learned that the hard way, bricked about 20 machines. The best way to fix this is to switch to editing rules via Configuration Manager.
With admin rights you can unbrick the machines; in the last instance you can boot from a Windows CD, Shift+F10, regedit, mount the local registry hives and remove the AppLocker rules :)
Oh, and to prevent this happening: allow everything for admins, like the default template suggests. I mean admins can do whatever they want anyway, effectively delete rules, that's why there is little sense in deleting the "admin can do all" rule :)
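The export, edit locally, validate, re-import workflow from the comment above, and the "how do I import two XML files without the second replacing the first" question elsewhere in the thread, as one added PowerShell example (not the video's resource pack and not the commenter's code). It exports the local policy to XML, checks that every rule collection still has an Allow rule for BUILTIN\Administrators (SID S-1-5-32-544, the rule the comment warns against deleting), dry-runs a couple of binaries against the XML with Test-AppLockerPolicy, and only then merges it back with Set-AppLockerPolicy -Merge, which adds rules instead of replacing the existing policy. $ExportPath is an assumed location; in real use you edit the XML between the export and the import, here it round-trips unchanged.

```powershell
# Added example (not from the video or the commenter): export -> validate -> merge-import
# for a local AppLocker policy. Run elevated; the AppLocker module ships with Windows.
#Requires -RunAsAdministrator
Import-Module AppLocker

$AdminSid = 'S-1-5-32-544'   # BUILTIN\Administrators

function Export-LocalAppLockerXml {
    param([string]$ExportPath = "$env:TEMP\applocker-local.xml")   # assumed path
    Get-AppLockerPolicy -Local -Xml | Set-Content -Path $ExportPath -Encoding UTF8
    return $ExportPath
}

function Test-AdminAllowRule {
    # Returns the Type of every rule collection that has NO Allow rule for Administrators.
    param([string]$XmlPath)
    [xml]$doc = Get-Content -Path $XmlPath -Raw
    $missing = @()
    foreach ($rc in @($doc.AppLockerPolicy.RuleCollection)) {
        if (-not $rc) { continue }
        $rules = @($rc.FilePathRule) + @($rc.FilePublisherRule) + @($rc.FileHashRule)
        $adminAllow = $rules | Where-Object {
            $_ -and $_.UserOrGroupSid -eq $AdminSid -and $_.Action -eq 'Allow'
        }
        if (-not $adminAllow) { $missing += $rc.Type }
    }
    return $missing
}

function Test-PolicyAgainstSamples {
    # Dry run: what would this XML decide for a few executables, for the given user?
    param([string]$XmlPath, [string[]]$Samples, [string]$User = 'Everyone')
    Test-AppLockerPolicy -XmlPolicy $XmlPath -Path $Samples -User $User
}

function Import-ValidatedPolicy {
    param([string]$XmlPath)
    $gaps = @(Test-AdminAllowRule -XmlPath $XmlPath)
    if ($gaps.Count -gt 0) {
        throw "Refusing to import: no Administrators Allow rule in collection(s): $($gaps -join ', ')"
    }
    # -Merge adds these rules to the existing policy instead of replacing it,
    # which is also how two exported XML files can both be loaded.
    Set-AppLockerPolicy -XmlPolicy $XmlPath -Merge
}

$xml = Export-LocalAppLockerXml
Test-PolicyAgainstSamples -XmlPath $xml -Samples @(
    "$env:WINDIR\System32\cmd.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Import-ValidatedPolicy -XmlPath $xml
```

For a domain GPO the same pattern applies with Get-AppLockerPolicy -Domain -Ldap and Set-AppLockerPolicy -Ldap pointing at the GPO's LDAP path; the validation step in the middle is what keeps a typo from being pushed live to every machine.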
Hi ThioJoe, I just wanted to say thank you, although I'll never do any of what you've shown here. Just not tech savvy enough. I do realize how much time you have spent on this video. Thanks
I'm really fascinated by this *type* of security. Antiviruses don't excite me, but this idea of reducing attack surface and plugging security holes is suuper amazing to me. I'd love to see more similar stuff
Yes, whitelisting is so much more powerful than blacklisting; in fact antivirus solutions are not able to defeat the 100.000 new attacks nowadays. Plus it doesn't slow the machine down anymore like AV solutions :)
This might be the best video on your channel! I wanted to thank you for your effort doing this!
THANK YOU SO MUCH! I've been waiting for a tutorial on how to set this up.
Great video as always!
Exactly what I was waiting for 🎉 Many, many thanks Thio ✌️
Holy moly this guy is insane! Take so much time and effort to make us safer
Awesome video ThioJoe! Structured well like a course. 👍
Thank you for this very comprehensive tutorial, ThioJoe. It is much appreciated.
Another excellent how to video!! Many thanks. Had to enable “Application Identity” service to get AppLocker to work. However to get it to auto start.. Had to regedit and set its start to 2.
Thank you so much for this detailed guide. I was able to follow all of your instructions easily. I understood each and every step depicted in your video.
By the way, I'm a big fan of your RUclips Channel. You make great videos. It's always a great time whenever I watch any of your videos. 😁
This video seems exactly what I was looking for. You saved me a lot of reading and studying time! Thank you very much!!!
Thank you for putting so much time into this
This video structure is great and you explain it very well.
Thanks for taking the time
Awesome!! Unfortunately we wouldn't get rid of those pesky refund scammers with this but at least we'd get away from ransomware and so on. Really great video, thanks!! Since I regularly reinstall my Windows I'm gonna have to delve deeper into how to transfer the settings to another computer, didn't know it was that easy!
Love the content you have been putting out, really made me understand this underused feature!
An hour video... thanks man!
I heard if you say your favorite youtuber 3 times you will get a hearted comment
ThioJoe
ThioJoe
ThioJoe
👌
Just did it ! Enjoyed the entire video.
Can you do a comparison between Applocker and Windows Application Control? And how to set up WDAC?
I’m not as familiar with WDAC, but I have dabbled with it. It is harder to set up but has some advantages over AppLocker. The biggest problem is there is no GUI for WDAC.
@@ThioJoe isn't it set through a program where you can create a customized script that enforces what it runs?
@@patricklechner1 You can manage WDAC through either the ConfigCI suite of PowerShell cmdlets, or you can create WDAC policies with the WDAC Wizard (which is a project maintained by Microsoft.)
Edit: Despite that, managing WDAC through both of those options is still a pain, and there is not yet a full-automation solution for WDAC on the market.
WDAC can control apps that run in Kernel mode as well as User mode. (AppLocker just deals in User mode.) Also, if you create a signed WDAC policy and put it in the UEFI partition, then it becomes much harder for a hacker--even with admin privileges--to remove (unless they can get ahold of the signing certificate.)
WDAC does NOT control .BAT scripts. (There are other minor differences in the file types that they maintain.)
WDAC is applied to the whole device regardless of the user account, but AppLocker allows you to vary rule enforcement based on different user accounts.
The logs for WDAC events are located in the Event Viewer -> in Applications and Services logs > Microsoft > Windows > CodeIntegrity > Operational. HOWEVER, logs for WDAC enforcement events involving scripts and MSI files are still located in the "AppLocker" location described in this video.
@kennethhusayn9354 thank you so much
best time spent on windows security, thank you for sharing!
Awesome Video😀
Thanks for the super paranoid virus guide, will be installing in my pc
Well done, Thio! Another suggestion for a video would be about Azure Information Protection and DLP (Data Loss Prevention). What files are protected, what can be managed, tracking files on disk and in transit etc.
Great section on allow and deny rules also 👍
Just what I was looking for! Great vid
Ok, I watched every second and did all that. Now I'm afraid to restart the PC :D
Thanks for the long and detailed video, will be testing this out... I'm curious how this is implemented on a domain (as far as scripts go, what has priority.. still local machine?) Keep up the great work!
I appreciate the effort for this. Thank you Joe.
One of my favorite youtubers
Wow, awesome work! This is very technical but also very thorough. One thing I found was my Application Identity service was not running for some reason. Even though I'm logged in as admin I could not set it to run automatically. But found a PS script that was able to set it. :) This whole process seems a little "quirky" though. The audit event log doesn't seem to work for me. But when I change it to Enforce, then the events start showing. Microsoft is also so "fun" to try to figure out. :D
Do you mind sharing that PS script? I'm having the same issue. I can get it to run on Windows 11 Pro, but not Windows 10 Pro. Very strange...
You are logged in as root. You are a hacker's perfect target, man. Linux does it right: only when you need root, install a program and punch in the password, you get 15 mins of root running. This is very dangerous having it 24/7.
@@Whitemike63 In Windows, it works a bit differently. As far as I can tell, most users have admin-level control of the system by default (without editing group policy settings, of course), which isn't too dangerous because admin accounts, despite the implications in the name, don't actually have full system access, like the Linux root account. In fact, it's supposed to be extremely difficult to scale a user's system-wide authority to root-level in the first place.
May god bless you thio. Have a great day
I wasn't so paranoid until my Avast antivirus was not protecting me, and the UI was bugged so I couldn't access it, but in the UI it said that it was protecting me, but in the tray icon it said I wasn't. A restart showed that my firewall was disabled and I IMMEDIATELY activated it and did a full virus scan. Now here I am, doing this regardless of the inconvenience of it. A few menu navigation clicks as an inconvenience is nothing compared to trying to remove dangerous malware from your computer and possibly spending hundreds to get it repaired if you're not good with tech, and possibly even thousands if it cannot be removed and you have to buy a new PC.
"Paranoia is not an inconvenience, it is your body's natural safeguard when it senses danger"
I finished. Thank you for the great video and the detailed guide.
Also, when checking Event Viewer, events in these custom views that just happened disappear even though other older events in other logs are still there.
Excellent!
I see that you can allow only signed executables. But can you block executables signed SHA-1 only? SHA-1 was broken a while ago and is practically useless.
You're excellent, Joe! I would love to share with you my motivational presentation about my life with Cerebral Palsy, and how tech has enabled me to lead a normal life online.
Love this, suggestion/question for the import files you have (thanks btw), any reason you can't replace all of the WHATEVERUSERNAME placeholders with %USERNAME%
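On the %USERNAME% question: AppLocker path conditions only expand a small set of their own variables (%WINDIR%, %SYSTEM32%, %OSDRIVE%, %PROGRAMFILES%, %REMOVABLE%, %HOT%), not arbitrary environment variables, so a template has to carry a placeholder that is filled in before import. The added PowerShell script below (not from the video's resource pack) does that substitution and then refuses any remaining %VAR% token that AppLocker would not understand, which is also what produces the "violates pattern constraint" style of save error when an unexpanded variable is left in a path. The XML template in it is constructed for the demo and the placeholder name WHATEVERUSERNAME is taken from the comment above.

```powershell
# Added example (not from the video or its resource pack): fill a username placeholder
# in an AppLocker XML template and validate the path variables before importing.

# The only variables AppLocker path rules expand (from Microsoft's path-rule docs).
$SupportedVars = @('%WINDIR%', '%SYSTEM32%', '%OSDRIVE%', '%PROGRAMFILES%', '%REMOVABLE%', '%HOT%')

# Constructed sample template: one rule for a per-user tools folder, one for Program Files.
$TemplateXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="User tools"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\WHATEVERUSERNAME\Tools\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Resolve-AppLockerTemplate {
    param(
        [Parameter(Mandatory)][string]$Xml,
        [string]$UserName = $env:USERNAME,
        [string]$Placeholder = 'WHATEVERUSERNAME'
    )
    # Plain text replacement, done before parsing so it works on any template layout.
    $resolved = $Xml.Replace($Placeholder, $UserName)

    # Every %...% token still present in a Path must be one AppLocker supports.
    [xml]$doc = $resolved
    $bad = foreach ($cond in $doc.SelectNodes('//FilePathCondition')) {
        foreach ($m in [regex]::Matches($cond.Path, '%[A-Za-z0-9_]+%')) {
            if ($SupportedVars -notcontains $m.Value.ToUpper()) { "$($m.Value) in $($cond.Path)" }
        }
    }
    if ($bad) { throw "Unsupported AppLocker path variable(s): $($bad -join '; ')" }
    return $resolved
}

# 1) Normal use: placeholder becomes the current account name, paths are printed for review.
$ready = Resolve-AppLockerTemplate -Xml $TemplateXml
([xml]$ready).SelectNodes('//FilePathCondition') | ForEach-Object { $_.Path }
# $ready can now go to Set-AppLockerPolicy -XmlPolicy (write it to a file first).

# 2) What happens if someone swaps the placeholder for %USERNAME% instead: rejected up front.
try {
    Resolve-AppLockerTemplate -Xml $TemplateXml.Replace('WHATEVERUSERNAME', '%USERNAME%') | Out-Null
} catch {
    Write-Warning $_.Exception.Message
}
```

Because the substitution happens per machine at import time, the same template can be reused across reinstalls or across a fleet without ever relying on a variable AppLocker cannot expand.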
Very informative. Great job! Much appreciated.
Super helpful video! Thank you very much.
One thing I noticed is that some malware use a Microsoft certificate that is used to encrypt. Is AppLocker smart enough to not fall for that?
Edit: There is a right-click option to "Automatically generate" also. How well does that work and what does it do?
thank you for this been wanting to know how this is set up
I can't get the system settings to launch. It's the exe rules; even when I allow path * and all signed it won't launch. It's really weird. It does mean that I can't use this though. Also Event Viewer is broken and I can't get any AppLocker logs. This is Windows 11.
Had the same exact problem.
You have to add an allow rule to packaged apps (you just need to add MS provider).
Unfortunately, I had to reinstall Windows after I locked myself out (I actually tested on a VM first). Try Win+R to bring up a "run program" window
@@tablettablete186 That's... Broken behaviour. I had packaged apps on audit mode. Now that I added the rule (still in audit mode mind you) it works. Great to know that it's broken for some reason. Thank you!
Thanks so much! Glad I was patient :)
can they hack your "digital fingerprint" or URLs that can change your incoming and outgoing data? via router or dns.? and not have the device actually hacked? I'm going crazy with what they did to me and will not stop.
Does an allow rule for an executable installer or other installer, for example, make it so a UAC prompt doesn't show up when it normally would if no AppLocker was configured?
Who else remembers when ThioJoe used to just troll people with his videos?
Super helpful. The only problem is my Event Viewer isn't showing the audit logs at all. It's as if nothing is run.
One thing before you begin: create a restore point in case you mess something up. I did and had to reinstall Windows.
Thanks ThioJoe for this great content. For me the length of the video is very OK, considering the content. However, following this tutorial is a challenge. It's difficult to know how you arrived at a certain point by the clicks of the mouse due to the speed and rate of zooming in and out. The movement of the mouse pointer on the screen is almost at the "speed of light". Maybe it's just me seeing it that way.
Yea I realized afterwards I wasn’t really explaining everything I was doing so I tried to add on-screen explanations at some point. Some parts might be helped by putting the video on 0.5x speed
If someone has trouble running a program, just take a look into Event Viewer to see which sub-program, for example, is getting blocked.
I'm really proud lol, I have made a PowerShell script which I added to the context menu, which allows me, on right-clicking a file, to instantly whitelist it.
Perfect video, thanks a lot.
I didn't even know what this tool does, even after using Windows for 15 years already 🤣
Thank you for your hard work. Much appreciated.
I have noticed an error at Creating a Shortcut to AppLocker at 3:43. The path you listed is correct, but you forgot to list "Windows Settings" after computer configuration in the red text box path
Only tech creator as an Indian I see from us ❤❤❤. Love you bro, from India.
"28 second" old, never been this early for a TJ video before, and a very interesting and informative video too! =D
Did you watch it
ago*
@@yashprogamer647 I have now, it was very interesting and informative
Hi! I think the toggle rule can change the path to %temp% instead of putting full path (C:\Users\Joe\Appdata\Local\Temp) on your rules.
Normally you'd be right but AppLocker path rules actually have a limited set of variables that can be used, not all normal environment variables. See here:
learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker
Why create 2 MMC files when Event viewer and GPO AppLocker can be added in a single Console. From there just add some windows. I've got a console with a whole bunch of tools even some custom scripts that I can launch from the MMC.
Informative
However, if the OS itself has no care for your data or privacy in the first place, whatever you'd do on top of it just makes your data more exclusive to Microsoft and the third parties they send your data to
Gotta commend you on the effort!
Did 7-Zip or Bandizip have the same vulnerability as CVE-2023-40477, being the WinRAR vulnerability that was found?
Doesn't Steam set the permissions on some folders in its install directory to be modifiable without elevation? I imagine it would be difficult to configure rules properly to allow games to run but disallow malware from copying executables into the same directories as the games...
That's what the file hash exceptions are for. That said, very little malware is going to try the trick of copying itself into a game's directory to attempt to use that as a staging ground, so the possibility of that happening is pretty remote. Most malware authors are not going to be writing it to tailor to your specific security policies/install setup, but hitting broader targets and going for typically unprotected areas like the Windows directory or Program Files directory etc., since most malware is just trying to find as many vulnerable victims as possible and ignore hardened systems. It's certainly possible malware could be written to do that though. Real dangerous malware, like the kind the NSA or other state sponsored hacking organizations create, and not just script kiddie stuff, is going to use previously unknown zero-day vulnerabilities to get around security policies (such as Windows AppLocker), rendering all of this useless against them. If you're being targeted specifically by the NSA though, you're kinda just screwed at that point.
Kinda sad that it didn't get a lot of views, despite the effort behind it. Third time rewatching, cuz I have memory loss.
It’s a video I knew wouldn’t be for everyone, but I hope will be extra valuable to those who are interested 🧐
@@ThioJoe For me personally, yes it helped a lot. Thanks for putting in the works
Thank you for once again scratching my cybersecurity paranoia itch
YO ALMOST ONE HOUR OF CONTENT???? I CANT WAIT
Only thing that is not condoned to piracy is Windows Server edition
Remember - Server logs you off
Windows 10 Pro - only a video editor watermark with no downsides, only the background can't be changed itself
£100 pounds is payable
but £3000 is not payable by everyone
You still have to pay for it by getting a boot drive
Great job, thanks!
Adding more applications that can be used proactively: Simplewall or Portmaster
Excellent firewall application
Great guide. I'm giving it a whirl, but I expect there'll be some teething issues when I fire up my software development tools, software on other hard drives, and Mod Organizer 2.
Btw, I think on my system, AppLocker didn't start checking rules until I started the "Application Identity" service (e.g. appidsvc) and restarted. Either that or I just wasn't hitting the refresh button on the event log. It is getting a bit late...
I'm having a problem, the Application Identity service won't let me set it to Automatic. How did you accomplish it? Thanks
@@bokami3445 Google "Configure the Application Identity service" and go to the link from Microsoft. The page notes that "Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service Startup type to Automatic by using the Services snap-in." They give you a command line to use in PowerShell. I'd give you the line, but you really shouldn't trust command lines from random youtubers! ;-)
It's a sandbox. There was one I used for Windows 7 called Deep Freeze; it's a virtual environment, nothing gets saved, unless you create a folder that you can save to.
Can you please provide a link for the wallpaper that you have put on your background monitor...
Yes of course, it is my own creation 🧐. You can get it here: thiojoe.art
If you are bothered by the length just watch in 1.5x+
If anyone doesn't see these GPO settings working: the service "Application Identity" must be running, else the rule changes don't take any effect.
It looks like it even takes effect after using gpupdate /force.
Is there a way to import multiple XML files to AppLocker? B/c you have provided two XML files in the Google Drive download and importing one XML removes the other XML's policies in AppLocker.
Unfortunately not that I know of. You might be able to try some kind of xml merger tool or something. I did find this article though I haven’t really read through it: learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy
@@ThioJoe thanks I'll look into it
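Since this thread asks how to import two XML files without the second one wiping out the first, and the earlier reply notes that AppLocker path rules only accept AppLocker's own variables, here is an added PowerShell example (not the video's resource pack and not any commenter's script) that checks the path variables in each file and then merges both files into the local policy with Set-AppLockerPolicy -Merge. The file paths and the output file name are assumptions.

```powershell
# Added example, not from the video or its resource pack.
# Assumptions: an elevated PowerShell on a Windows edition that ships the AppLocker
# module, and two exported policy files at the paths below (change to suit).
$PolicyFiles = @('C:\AppLocker\exe-rules.xml', 'C:\AppLocker\script-rules.xml')

# The only environment-style variables AppLocker path rules accept (see the
# "understanding the path rule condition" doc linked above). Ordinary variables
# such as %TEMP% or %USERNAME% are rejected with a "pattern constraint" error.
$AllowedVars = '%OSDRIVE%', '%WINDIR%', '%SYSTEM32%', '%PROGRAMFILES%', '%REMOVABLE%', '%HOT%'

function Test-AppLockerPathVariables {
    param([string]$XmlPath)
    [xml]$doc = Get-Content -Path $XmlPath -Raw
    $problems = @()
    # Every path rule or path exception is a FilePathCondition element with a Path attribute.
    foreach ($cond in $doc.SelectNodes('//FilePathCondition')) {
        $p = $cond.Path
        foreach ($m in [regex]::Matches($p, '%[^%]+%')) {
            if ($AllowedVars -notcontains $m.Value) {
                $problems += "$p  (unsupported variable $($m.Value))"
            }
        }
    }
    return $problems
}

# Refuse to import anything until every file passes, so a bad file cannot
# leave the policy half-merged.
foreach ($f in $PolicyFiles) {
    $bad = Test-AppLockerPathVariables -XmlPath $f
    if ($bad) {
        $bad | ForEach-Object { Write-Warning "$f : $_" }
        throw "Fix the path rules above before importing."
    }
}

# -Merge adds the file's rules to the existing local policy. Without it,
# Set-AppLockerPolicy replaces the whole policy, which is why importing the
# second XML appeared to delete the first one.
foreach ($f in $PolicyFiles) {
    Set-AppLockerPolicy -XmlPolicy $f -Merge
}

# Save the merged result and confirm each collection is still AuditOnly
# before any collection is switched to Enabled (enforce).
$effective = Get-AppLockerPolicy -Effective -Xml
$effective | Out-File -FilePath 'C:\AppLocker\effective-after-merge.xml' -Encoding utf8
([xml]$effective).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode | Format-Table -AutoSize
```

Check the saved effective policy against what you expected before changing any EnforcementMode, and remember the Application Identity service must be running for the merged rules to do anything.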
Thank you for making this video. I have a problem with my PC, it's a Dell OptiPlex 390, the monitor won't switch on. It just says no signal. I don't know what to do, but maybe if you can make a video that would really help. Thanks and have a nice day.
It gives me an error when I use a "*" as version. Any fix?
It wasn't really a security feature back in Windows 7.
For whatever reason it didn't fit the security criteria.
Thanks Google. I didn't know that.
An "analyze with Windows Defender" prompt as a new 3rd option in the allow/deny list would be nice.
Or other anti-malware/antivirus software.
Every time I try to save the updated directory path for my username I get an error: "policy could not be saved, unspecified error, violates pattern constraint".