
App Control for Business

App Control for Business is a security feature within Microsoft Intune that helps manage allowed apps on Windows devices. By using App Control for Business policies, you can prevent undesired apps from running on managed Windows devices. These policies are part of endpoint security and leverage the Windows ApplicationControl CSP to enforce app restrictions.

Additionally, Intune's managed installer policy, which adds the Intune Management Extension as a managed installer, automatically tags apps deployed through Intune as safe for use with App Control for Business.

WARNING

Be aware that this is a preview feature and not all features are available yet.

Intune Endpoint Security

  1. Open the Microsoft Intune admin center https://intune.microsoft.com/
  2. Click on 'Manage -> App Control for Business'
  1. When you now open the tab 'Managed installer' you can add Intune as a trusted installer, so that apps installed through Intune will not be blocked by this feature.

DANGER

Be aware that when you add this feature, the protection that 'App Control for Business' provides will have no effect on apps distributed through Intune.

  1. You do this by clicking on 'Add' and then 'Add' again.
  1. Next you switch to the tab 'App Control for Business' where you can create policies to control which apps are blocked / audited.

TIP

Always start by running your policy in audit mode, so that you do not block all your apps.

  1. After clicking 'Create' you can add the policy name and description as usual.
  2. Now you have two ways to add configuration settings: you can either use the built-in controls or upload an XML file.
  1. The built-in controls offer only a few standard options at the moment.
  1. In the XML file you have all the options that WDAC (Windows Defender Application Control) offers.
  2. To get this XML file, follow the steps in the section 'Windows Defender Application Control and AppLocker' below.
  3. Next you can add your tags and your assignments.
  4. Then click 'Create' and you're done.

Windows Defender Application Control and AppLocker

  1. Download the WDAC Wizard from the Microsoft website and install it.
  1. When you start the app you can create, edit or merge policies. To begin with, we need to create a new policy.
  1. On the next screen you can select the type of policy you want to create. The 'Multiple Policy Format' is recommended, and to begin with the 'Base Policy'.
  1. On the following screen you can select the different configuration templates. The option 'Update Policy without Rebooting' is especially recommended.
  1. Next you see the file rule list, which you can simply accept as it is in this step.
  1. When you proceed you will get an XML file at the end, which you can then upload into the App Control configuration policy.
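Before uploading the generated XML to Intune, you can check that it matches the recommendations above (multiple policy format, base policy, audit mode, update without reboot). The following PowerShell is an added example, not part of the original page or of Microsoft's tooling: `Test-AppControlPolicyXml` is a hypothetical helper name, the sample policy is constructed with placeholder GUIDs and no file rules, and the option strings are the rule option names as they appear in WDAC policy XML.

```powershell
# Added example: pre-upload check for an App Control (WDAC) policy XML.
# Test-AppControlPolicyXml is a hypothetical helper, not a Microsoft cmdlet.
function Test-AppControlPolicyXml {
    param([Parameter(Mandatory)][xml]$Policy)

    $si = $Policy.SiPolicy
    if (-not $si) { throw 'Not an App Control policy: <SiPolicy> root element is missing.' }

    # Rule options are stored as <Rules><Rule><Option>text</Option></Rule></Rules>
    $options = @($si.Rules.Rule.Option)

    # Multiple Policy Format carries <PolicyID> and <BasePolicyID> elements
    $multi = [bool]($si.PolicyID -and $si.BasePolicyID)

    [pscustomobject]@{
        MultiplePolicyFormat   = $multi
        # In a base policy, PolicyID and BasePolicyID are identical
        IsBasePolicy           = $multi -and ($si.PolicyType -eq 'Base Policy') -and
                                 ($si.PolicyID -eq $si.BasePolicyID)
        AuditMode              = $options -contains 'Enabled:Audit Mode'
        UpdateWithoutReboot    = $options -contains 'Enabled:Update Policy No Reboot'
        TrustsManagedInstaller = $options -contains 'Enabled:Managed Installer'
    }
}

# Constructed sample policy (placeholder GUIDs, file rules omitted)
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <PolicyID>{11111111-1111-1111-1111-111111111111}</PolicyID>
  <BasePolicyID>{11111111-1111-1111-1111-111111111111}</BasePolicyID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Update Policy No Reboot</Option></Rule>
  </Rules>
</SiPolicy>
'@

$result = Test-AppControlPolicyXml -Policy $sample
$result | Format-List

if (-not $result.AuditMode) {
    Write-Warning 'Enabled:Audit Mode is not set: the policy will block instead of audit.'
}
if (-not $result.TrustsManagedInstaller) {
    Write-Warning 'Enabled:Managed Installer is not set: apps tagged by the Intune managed installer are not trusted by this policy.'
}
```

To check the file produced by the wizard, pass its content instead of the sample, for example `Test-AppControlPolicyXml -Policy (Get-Content .\policy.xml -Raw)`, where `policy.xml` stands for your own file name.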