Config - Applocker Method - Audit AppX,EXE,MSI,Script - Windows

Description

This policy sets the enforcement method for the different Applocker file types. Specifically it configures:

AppX - Audit

Executables - Audit

Installers - Audit

Scripts - Audit

This will only take effect if the current enforcement mode is undefined. Once an enforcement mode is defined, it is not advisable to try to change it without first resetting the AppLocker configuration.

Information on using this content is available here: https://github.com/strawgate/C3-Protect/wiki/Applocker 

For general information or to report issues with C3 Protect content please visit GitHub here: https://github.com/strawgate/C3-Protect


Property Details

ID: 20595
Title: Config - Applocker Method - Audit AppX,EXE,MSI,Script - Windows
Domain: BESC
Category: Application Whitelisting
Source: Internal
Source Release Date: 5/10/2016 12:00:00 AM
Added by on 5/11/2016 11:04:02 AM
Last Modified by on 5/11/2016 11:04:02 AM

Relevance

isWindows (Relevance 1172)
Used in 1118 fixlets and 526 analyses   * Results in a true/false
windows of operating system
Used in 1 fixlet   * Results in a true/false
(not exists (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2" of native registry)) or ((value "EnforcementMode" of key "Appx" of it as integer != 0) | true or (value "EnforcementMode" of key "Exe" of it as integer != 0) | true or (value "EnforcementMode" of key "Msi" of it as integer != 0) | true or (value "EnforcementMode" of key "Script" of it as integer != 0) | true) of (key "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2" of native registry)

Actions

Action 1 (default)

Script Type BigFix Action Script
// Enter your action script here

parameter "PowerShellExe"="{ pathname of file ((it as string) of value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry) }"

delete __createfile
delete applocker.xml

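createfile until _end_
<AppLockerPolicy Version="1">
    <RuleCollection Type="Appx" EnforcementMode="AuditOnly">
    </RuleCollection>
    <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    </RuleCollection>
    <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    </RuleCollection>
    <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    </RuleCollection>
</AppLockerPolicy>
_end_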
move __createfile Applocker.xml

waithidden "{parameter "PowershellExe"}" -ExecutionPolicy Bypass -command "Set-ApplockerPolicy -Merge -XMLPolicy ""{pathname of file "Applocker.xml" of client folder of current site}"""

Success Criteria

This action will be considered successful when all lines of the action script have completed successfully.
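
The check below is an added example, not part of the C3 Protect content. It reads the same SrpV2 policy key the relevance inspects and reports each collection's enforcement mode, so an endpoint can be confirmed as undefined before deployment and as AuditOnly afterwards. The function name is hypothetical, and the value mapping (0 = AuditOnly, 1 = Enabled) and the AppIDSvc service check are assumptions not stated on this page.

```powershell
# Added example (not from the fixlet): report AppLocker enforcement state
# per rule collection from the policy registry key used in the relevance.
$SrpV2Root   = 'HKLM:\Software\Policies\Microsoft\Windows\SrpV2'
$Collections = 'Appx', 'Exe', 'Msi', 'Script'
# Assumed mapping of the EnforcementMode DWORD; a missing value means undefined.
$ModeNames   = @{ 0 = 'AuditOnly'; 1 = 'Enabled' }

function Get-AppLockerEnforcementState {   # hypothetical helper name
    param(
        [string]$Root    = $SrpV2Root,
        [string[]]$Types = $Collections
    )
    foreach ($type in $Types) {
        $key   = Join-Path $Root $type
        $value = $null
        $rules = 0
        if (Test-Path -LiteralPath $key) {
            $prop  = Get-ItemProperty -LiteralPath $key -Name EnforcementMode -ErrorAction SilentlyContinue
            if ($prop) { $value = $prop.EnforcementMode }
            # Each rule in a collection is stored as a subkey of the collection key.
            $rules = @(Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue).Count
        }
        $mode = if ($null -eq $value) { 'Undefined' }
                elseif ($ModeNames.ContainsKey([int]$value)) { $ModeNames[[int]$value] }
                else { "Unknown($value)" }
        [pscustomobject]@{
            Collection = $type
            Mode       = $mode
            RuleCount  = $rules
            # The fixlet's merge is only expected to apply to undefined collections.
            MergeWillApply = ($mode -eq 'Undefined')
        }
    }
}

Get-AppLockerEnforcementState | Format-Table -AutoSize

# AppLocker only evaluates (and audits) while the Application Identity
# service is running; an AuditOnly policy with the service stopped logs nothing.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'Application Identity service (AppIDSvc) is not running; audit events will not be generated.'
}
```

Run it from an elevated PowerShell session on the endpoint; a collection that already shows Enabled is one where this fixlet should not be relied on to switch the mode.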

