Just wanted to say thanks for the upload. Had to come back here to refresh and realise that AppLocker does not work on Win10 Pro whilst testing, only works through Endpoint Manager. Your efforts are much appreciated and it was nice and concise. Thanks. 👍
Yes, I do mention that in the video.
Fantastic video. Thank you for making this information public and providing a resource for anyone with interest in this feature of windows.
Also, I totally realize it has been stated before, but just adding another data point.
Seems Windows 10 Pro 22H2 and 11 Pro 22H2.
Excellent Explanation. Thank You.
The Start menu does not work after the user signs out and signs in again.
Great explanation and demo
22H2 for both Windows 10 as well as Windows 11 adds AppLocker to all editions without MDM, Intune, PS scripts or any other tricks :)
So for 22H2, AppLocker will work on Windows 10 Pro? Or does it still need to be Enterprise?
@@jayshah1992 Yes. But it needs to be running on a volume license key (a MAK or a KMS server). Then it will unlock AppLocker functionality even on Pro. This didn't work with 21H2.
Good work Robert
Thanks for the tutorial.
Thank you thank you so much
How to exempt local admin?
Policies apply per user.
thanks man
Can I blacklist certain apps from automatically downloading and installing through the Microsoft Store with AppLocker?
@@Skewel yes
Why is user1 not allowed to execute files in the Downloads folder? It should be allowed, because it is part of the Windows directory, right??
No. The rule applies to all.
Does this work for portable applications?
What exactly do you mean by 'portable' applications?? If you can define a run location and executable, then yes you can use this.
Thank you
The rule does not apply on Win 11 Pro (it's a standalone PC). May I have your help?
As the video notes, for standalone you'll need Win 11 Enterprise. It will not work on a Win 11 Pro standalone machine.
Seems like AppLocker is also now available in Pro versions of Windows 11 and Windows 10.
Can someone confirm? The video says Enterprise versions are needed.
Enterprise is required if you use standalone Windows. Connected to Intune works with Pro
And to remove this would be to simply remove the GPU from that OU, correct?
Sorry??
@directorcia Sorry, I meant GPO, didn't notice the typo. Sorry, but to remove AppLocker would be to unlink it?
@@defkon99 If you apply it via a policy you essentially remove that policy, or manually remove it via settings.
I have one question, what happens if other files (including malicious executables) are copied to windows or "program files" directory, are they still allowed to run?
It depends how you set this up. Here it is by directory, but you could go by file if you wished. WDAC is a better approach because it typically uses certificates. See my video on that for more info. The benefit of AppLocker is that it can be done per user.
This directory can be written only by administrators. Normal users without elevated rights are not able to copy any files to protected directories.
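The question above turns on whether a standard user can actually write anywhere under the directories a path rule allows. The following is an added example, not code from the video or from any commenter in this thread: it walks the paths that AppLocker's default path rules cover (%PROGRAMFILES%, %PROGRAMFILES(X86)% and %WINDIR%, assumed here as the roots) and reports every subdirectory where a well-known "standard user" principal holds an ACE that permits creating files or folders. Any hit is a location where a user could drop an executable that a directory-based allow rule would then let run. Run it elevated so every ACL is readable; the list of principals and the rights tested are my assumptions.

```powershell
# Added example (not from the video or the thread). Finds subdirectories under the
# default AppLocker allow paths that a non-admin user could drop a file into.
# Assumptions: run elevated; the principals below stand in for "a standard user".

$standardUserSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # Interactive
)

# Rights that let a user place a new file or folder in a directory.
$dropRights   = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$genericWrite = 0x40000000   # GENERIC_WRITE, seen on some inherited ACEs instead of the mapped bits

function Get-AceSid {
    param([System.Security.Principal.IdentityReference]$Identity)
    try { return $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $null }   # orphaned or unresolvable SID: ignore the ACE
}

function Test-StandardUserCanDrop {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allow = $false
    foreach ($ace in $acl.Access) {
        # An InheritOnly ACE applies to children, not to this directory itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $dropRights) -eq 0) -and (($rights -band $genericWrite) -eq 0)) { continue }
        $sid = Get-AceSid $ace.IdentityReference
        if (-not $sid -or $standardUserSids -notcontains $sid) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # an explicit Deny wins
        $allow = $true
    }
    return $allow
}

function Find-UserWritableAllowedDirs {
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot))
    foreach ($root in ($Roots | Where-Object { $_ })) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            if (Test-StandardUserCanDrop $dir.FullName) {
                [pscustomobject]@{ Path = $dir.FullName; AllowedByRoot = $root }
            }
        }
    }
}

Find-UserWritableAllowedDirs | Sort-Object Path | Format-Table -AutoSize
```

The check is a heuristic: it only looks at the well-known groups every interactive user belongs to, not at a specific user's full token, so a directory granted to a custom group will not show up. Every path it does print is a reason to prefer publisher or hash rules over a plain directory rule for that location, which is the point the WDAC reply above is making.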
is there a way to make it work in home edition?
No
I noticed that the Windows service 'Application Identity' is set by default to the 'Manual' start type. I'm able to 'start' it but I cannot set it to 'Automatic'. Should we create (beforehand) some policy to change its startup to Automatic, or even use some policy to force it to start, in order for the rules to be applied?
The service needs to be running. Endpoint deployment auto-enables the service; otherwise you need to enable it.
Windows was changed recently for security reasons. The service can no longer be played with, even as admin. You'll have to use Endpoint Manager to deploy the settings, i.e. via PowerShell to devices only.
sc.exe config appidsvc start= auto
Hope this helps you, and note: test first. On our Hybrid and aged systems this turned into a real porker on start-up and shutdown; with Azure Joined devices we have seen a considerable improvement in performance.
Test thoroughly before users start harassing the life out of you.
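The two replies above give the order of operations for a machine that is not picking up rules: confirm the edition, get the Application Identity service (AppIDSvc) running and set to start automatically, then check what the effective policy would decide before anyone is locked out. The script below is an added example, not code from the video or from this thread; it wires those steps together, using the sc.exe command posted above for the start type, and then asks AppLocker itself, via Test-AppLockerPolicy against the effective policy, whether named files would be allowed for a named user. The sample file paths and the user name passed at the bottom are assumptions.

```powershell
# Added example (not from the video or the thread). Run elevated.

function Get-WindowsEditionInfo {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Caption = $os.Caption
        Build   = $os.BuildNumber
        # The video states Enterprise is required for a standalone machine; the Pro
        # reports elsewhere in this thread are disputed, so this only flags the edition.
        EnterpriseEdition = ($os.Caption -match 'Enterprise')
    }
}

function Enable-AppIdService {
    # Application Identity evaluates AppLocker rules; while it is stopped nothing is enforced.
    # sc.exe is used (as in the reply above) because Set-Service is refused on current builds.
    & sc.exe config appidsvc start= auto | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE (not elevated?)" }
    Start-Service -Name AppIDSvc
    Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
}

function Test-EffectiveDecision {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$User = 'Everyone'
    )
    # -Effective merges local, domain and MDM policy: what the machine actually enforces.
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Get-WindowsEditionInfo
Enable-AppIdService

# Assumed sample paths: with the default rules, a tool in Downloads should come back
# Denied (or DeniedByDefault) and notepad.exe under %WINDIR% Allowed.
Test-EffectiveDecision -Path "$env:USERPROFILE\Downloads\tool.exe", "$env:SystemRoot\notepad.exe" -User Everyone
```

Test-AppLockerPolicy does not need the file to execute, or even to exist for path rules, so it is a safe way to reproduce the "rule created but nothing is blocked" reports in this thread: if the decision here is Allowed while the service shows Running, the rule itself is not matching; if the service is Stopped, the rule was never evaluated.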
@@Schnitzer325ci WDAC is a far better option than AppLocker
@@directorcia What is WDAC?
@@endersand5211 Windows Defender Application Control
Thanks
Sir, how can I apply AppLocker to my Downloads and Documents files? I got an assignment on this, so please help me, how can I do that...
AppLocker works on file execution, not downloads. As always, the MS documentation as well as probably ChatGPT can assist.
@@directorcia Yes sir, but I installed an application in the Downloads folder and tried to apply AppLocker to it through an executable rule. I created it, but it still doesn't work. Why? Also, I saw that when you did that task there was a Packaged app Rules option on your computer, but my computer does not have it. Why? And also tell me why that AppLocker rule is not applied to that file; it should block execution but it does not, so please help me solve that problem, sir...
@@VibingG077 As outlined in the video, if you have a standalone PC you need Windows Enterprise. Home or Pro versions of Windows are not supported if standalone.
@@directorcia I got it, Thanks a lot kudos to you sir...🥰
WORKS WITH WIN 10 N 64 BIT
It blocks all my apps and I can't get to it anymore.
Simply stop the service or log in as another user on the device. Any blocking technology needs to be used with caution.
Me the same. I planned to block Telegram only, but after deploying a script it blocks all my apps.
My script testing on the local security policy is working fine, but after deploying from Intune it blocks everything 😢 such as Microsoft Teams, Notepad++ and other apps. Could you please help me check 😢
@@hengsokdarom7239 Remove the policy and only apply it to a limited group for testing.
@@directorcia Yo, I can't even open the Services section.
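The lock-outs reported above (a script meant to block one app blocks everything after deployment) and the earlier "how to exempt local admin" question have the same answer in AppLocker terms: ship the policy in AuditOnly mode first, read the audit events to see what it would have blocked, and keep a separate allow-all rule scoped to BUILTIN\Administrators so an admin can always get back in. The script below is an added example, not code from the video or from anyone in this thread. It builds such an executable-rule policy for the local machine, backs up and replaces the current local policy, and then lists the files that audit mode reports as "would have been blocked". The rule names are mine, the rule GUIDs are generated on the fly, and the %PROGRAMFILES% and %WINDIR% paths follow AppLocker's default path rules; run it elevated.

```powershell
# Added example (not from the video or the thread). Run elevated.
# Builds a local AppLocker Exe policy in AuditOnly mode: rules are evaluated and
# logged, nothing is blocked. Flip -Mode to 'Enabled' only after the audit log is clean.

$everyone = 'S-1-1-0'        # Everyone
$admins   = 'S-1-5-32-544'   # BUILTIN\Administrators

function New-PathRule {
    param([string]$Name, [string]$Path, [string]$Sid, [string]$Action = 'Allow')
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-AuditExePolicyXml {
    param([string]$Mode = 'AuditOnly')
    $rules = @(
        New-PathRule -Name 'Allow Program Files'       -Path '%PROGRAMFILES%\*' -Sid $everyone
        New-PathRule -Name 'Allow Windows folder'      -Path '%WINDIR%\*'       -Sid $everyone
        # Admin exemption: a separate rule scoped to the Administrators group only.
        New-PathRule -Name 'Administrators: allow all' -Path '*'                -Sid $admins
    ) -join "`n"
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
}

function Import-AuditPolicy {
    param([string]$XmlPath = "$env:TEMP\applocker-audit.xml")
    # Keep a rollback copy: Set-AppLockerPolicy replaces the local policy outright.
    Get-AppLockerPolicy -Local -Xml | Set-Content -Path "$env:TEMP\applocker-backup.xml"
    New-AuditExePolicyXml | Set-Content -Path $XmlPath -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $XmlPath
    Start-Service -Name AppIDSvc
    gpupdate.exe /force | Out-Null
}

function Get-WouldHaveBlocked {
    param([int]$Hours = 24)
    # Event 8003 = "was allowed to run but would have been prevented" (audit mode).
    # Once enforcement is on, the real block is event 8004 in the same log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      ForEach-Object {
          # The file and rule details live in the event's UserData, not in the message text.
          $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
          [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUser; File = $data.FilePath; Rule = $data.RuleName }
      } | Sort-Object File -Unique
}

Import-AuditPolicy
Get-WouldHaveBlocked | Format-Table -AutoSize
```

Anything in that list that users legitimately run (Teams, Notepad++ and similar installs that live outside Program Files) needs its own allow rule before the mode is switched to Enabled; deploying with no rule for a location means everything there is denied by default, which is exactly the "it blocks all my apps" outcome described above. The same XML can be handed to Intune, but pilot it on a small group first, as the reply above says.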