derwowusste

AppLocker on Win10 or 11 Home? This is how it works!

Hello.

AppLocker had traditionally been reserved for the Windows editions Enterprise and Education; only those could enable and manage AppLocker via GPO.

But then Microsoft caused confusion (at least for me) with the new documentation https://docs.microsoft.com/en-us/windows/security/threat-protection/wind ... :

You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10 and Windows 11 supported by Mobile Device Management (MDM).

OK, "how do you get at the MDM?" is the next question. I had already suspected that there is a free way to do it, but had not stumbled across it so far, since I am not an MDM pilot either.

A Microsoft MVP was kind enough to clear the whole thing up and show here that it also works without MDM, with PowerShell alone. Keep these scripts somewhere safe for when you need them: https://github.com/sandytsang/MSIntune/tree/master/Intune-PowerShell/App ...

Compare this with the c't project "restric'tor" https://www.heise.de/download/product/restrictor, which makes AppLocker's predecessor available for all editions by providing a front end: restric'tor looks far better, but can do decisively less. For example, it cannot restrict access to UWP ("Store") apps, which is an important thing.

The linked scripts are for .exe restrictions, not for UWP apps. Edit: further down I have added a comment with a code example for blocking Modern Apps (from the MS Store).

PS: The MDM approach works without the "AppIDSvc" (Application Identity) service. So it does not have to run, but it also cannot simply be stopped to disable all the measures!

Content-Key: 1647775851

Url: https://administrator.de/contentid/1647775851

Printed on: April 19, 2024 at 06:04 o'clock

Member: surreal1
surreal1 Dec 22, 2021 at 22:13:59 (UTC)
Thanks for this very interesting post. I myself had been searching for quite a long time for a way to use the full functionality of AppLocker on Pro versions. This approach is at least heading in the right direction.

Unfortunately, the effort is considerable, though: GPOs save a lot of administrative work, and the error-proneness increases with self-adapted scripts.

If you depend on such a function, though, the effort, which can simply be avoided with certain methods, is worth it in order to save a lot of money on third-party solutions and to keep the overhead low.
Member: DerWoWusste
DerWoWusste Dec 23, 2021 at 06:36:50 (UTC)
I can't follow that. You test AppLocker policies anyway, so errors will show up.
And a script can be deployed via GPO. The effort is the same; it is actually even clearer than the GUI.
Member: DerWoWusste
DerWoWusste Jun 22, 2022 updated at 11:08:14 (UTC)
Here is a code example for blocking specific apps (here the Photos app):
<?xml version="1.0" encoding="utf-8" ?>  
<RuleCollection Type="Appx" EnforcementMode="Enabled">   
    <FilePublisherRule Id="dad1b5df-812e-4a4e-8e81-c61eac4f5371" Name="Packaged app: 1527c705-839a-4832-9118-54d4Bd6a0c89 signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="1527c705-839a-4832-9118-54d4Bd6a0c89" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="109dafa6-9453-4f5d-9b87-75769797bf3a" Name="Packaged app: c5e2524a-ea46-4f67-841f-6a9465d9d515 signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="c5e2524a-ea46-4f67-841f-6a9465d9d515" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="5c43a50f-7bf6-4445-a47f-5a87e4ddc942" Name="Packaged app: E2A4F912-2574-4A75-9BB0-0D023378592B signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="E2A4F912-2574-4A75-9BB0-0D023378592B" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="d2cb881b-4fe7-4092-afcf-774e1155f3ce" Name="Packaged app: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="2929cb15-65f9-4f14-9a30-b7be2babdd14" Name="Packaged app: Microsoft.AAD.BrokerPlugin signed by Assigned by your organization" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AAD.BrokerPlugin" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="a99db914-e602-48f7-8027-9760fd3da522" Name="Packaged app: Microsoft.AccountsControl signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AccountsControl" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="a1cd8cce-44b0-4bfb-aaeb-2dc9f24bbe6b" Name="Packaged app: Microsoft.AsyncTextService signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AsyncTextService" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="8253a6c3-66e8-408e-91ee-f20b483153fb" Name="Packaged app: Microsoft.BioEnrollment signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BioEnrollment" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="8bff1855-045f-4b70-81d7-f50500766450" Name="Packaged app: Microsoft.CredDialogHost signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CredDialogHost" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="b46280ec-f984-4886-8fd7-91e1a8e0768c" Name="Packaged app: Microsoft.ECApp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ECApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f0fabc78-27bc-449e-90da-3730a9167649" Name="Packaged app: Microsoft.LockApp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.LockApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="508789c8-eb6a-4ea2-bc2c-161ba2f8abf0" Name="Packaged app: Microsoft.MicrosoftEdgeDevToolsClient signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftEdgeDevToolsClient" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="feaa49ea-e965-486e-99bf-dfa0da614c47" Name="Packaged app: Microsoft.MicrosoftEdge signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftEdge" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="9593c50c-5408-4f36-a7ca-c604efa356fd" Name="Packaged app: Microsoft.Win32WebViewHost signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Win32WebViewHost" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="89bf1374-64f1-41d1-8e3a-f1e2d747a649" Name="Packaged app: Microsoft.Windows.Apprep.ChxApp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Apprep.ChxApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="07919804-b37d-4e5b-b871-631bf80c98c0" Name="Packaged app: Microsoft.Windows.AssignedAccessLockApp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.AssignedAccessLockApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f3cd2086-9009-48a4-9210-640b1978e935" Name="Packaged app: Microsoft.Windows.CallingShellApp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.CallingShellApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="59234b0e-1005-4966-8f1d-bf3a56daf4d2" Name="Packaged app: Microsoft.Windows.CapturePicker signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.CapturePicker" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="c9d295b8-f558-4a10-a696-2c596eca081a" Name="Packaged app: Microsoft.Windows.CloudExperienceHost signed by Email, phone, or Skype" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.CloudExperienceHost" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="147b65b4-b17b-4cff-a4d4-7355ce20acdb" Name="Packaged app: Microsoft.Windows.ContentDeliveryManager signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ContentDeliveryManager" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f72f0da1-f95e-4cf4-b933-9644b89be508" Name="Packaged app: Microsoft.Windows.NarratorQuickStart signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.NarratorQuickStart" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="ab33f812-7ca7-45b7-a681-c02ee35e0c49" Name="Packaged app: Microsoft.Windows.OOBENetworkCaptivePortal signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.OOBENetworkCaptivePortal" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="a54dc955-c1d7-4919-8b73-f03eb5ddd4d4" Name="Packaged app: Microsoft.Windows.OOBENetworkConnectionFlow signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.OOBENetworkConnectionFlow" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="18bc0a70-97e8-4d30-9f2d-08e99d30e0fe" Name="Packaged app: Microsoft.Windows.ParentalControls signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ParentalControls" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="50caf7d3-319b-4a4e-af0e-1708ce5687b2" Name="Packaged app: Microsoft.Windows.PeopleExperienceHost signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.PeopleExperienceHost" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="1b38492b-1490-44f3-808e-8392942b7947" Name="Packaged app: Microsoft.Windows.PinningConfirmationDialog signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.PinningConfirmationDialog" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="75261be7-3fae-43c9-9add-ad47db2ef61f" Name="Packaged app: Microsoft.Windows.Search signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Search" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="1a63cba4-3f86-450c-9254-1664455d639f" Name="Packaged app: Microsoft.Windows.SecHealthUI signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.SecHealthUI" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="2ab6498b-f40a-4109-a90f-0fc0ec310dca" Name="Packaged app: Microsoft.Windows.SecureAssessmentBrowser signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.SecureAssessmentBrowser" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f7cf2a75-6e26-4ffa-a322-ee14ce756a04" Name="Packaged app: Microsoft.Windows.ShellExperienceHost signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.ShellExperienceHost" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="7961e7e4-2cb8-4d42-8fc3-85f67c68c953" Name="Packaged app: Microsoft.Windows.StartMenuExperienceHost signed by ms-resource:StartMenuExperienceHost/PublisherDisplayName" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.StartMenuExperienceHost" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="31c410a8-f14f-46dc-ad36-7b89439db085" Name="Packaged app: Microsoft.Windows.XGpuEjectDialog signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.XGpuEjectDialog" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="be8fab0c-2c43-4426-affc-7bcc64962d13" Name="Packaged app: MicrosoftWindows.Client.CBS signed by Microsoft Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="MicrosoftWindows.Client.CBS" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="7a7ba1ef-2392-414d-b0ed-67c74a40405d" Name="Packaged app: MicrosoftWindows.UndockedDevKit signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="MicrosoftWindows.UndockedDevKit" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f78f6168-395e-44d6-9ff2-a159e330767e" Name="Packaged app: NcsiUwpApp signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="NcsiUwpApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="faee9c01-53d1-49f1-ae82-7c1628248ce7" Name="Packaged app: Windows.CBSPreview signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Windows.CBSPreview" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="3d4f0fc6-bbd7-4be7-8bfc-49df63a4b019" Name="Packaged app: windows.immersivecontrolpanel signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="windows.immersivecontrolpanel" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="2e1bd860-c657-4e30-a9a0-4153c1580768" Name="Packaged app: Windows.PrintDialog signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Windows.PrintDialog" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="7abb7b6b-9c05-433f-9269-9da5b42abbb8" Name="Packaged app: Microsoft.549981C3F5F10 signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.549981C3F5F10" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="417d5201-b26b-4f59-bb19-3e0350afdb29" Name="Packaged app: Microsoft.DesktopAppInstaller signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.DesktopAppInstaller" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="d1e47991-07a3-4a2e-baea-b41054daddff" Name="Packaged app: Microsoft.GetHelp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.GetHelp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="f63a6b71-2b92-4bf9-8019-5d17e54d5ff6" Name="Packaged app: Microsoft.Getstarted signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Getstarted" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="061d022d-d5bc-4abb-a571-7bbafd1ea825" Name="Packaged app: Microsoft.HEIFImageExtension signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.HEIFImageExtension" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="24e088fd-67c6-4297-bc04-8fc1457f329f" Name="Packaged app: Microsoft.Microsoft3DViewer signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Microsoft3DViewer" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="03329953-855f-4ba2-af8d-f238a2fcfbc7" Name="Packaged app: Microsoft.MicrosoftOfficeHub signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftOfficeHub" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="07ac64b3-cb20-4429-8cbd-1f0f4cd9244c" Name="Packaged app: Microsoft.MicrosoftStickyNotes signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftStickyNotes" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="83135006-63fe-4bdb-81d3-ee57b6214ae4" Name="Packaged app: Microsoft.MixedReality.Portal signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MixedReality.Portal" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="737bb07d-083c-41f7-8b49-1fc9e29cf4a0" Name="Packaged app: Microsoft.MSPaint signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSPaint" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="14fe8c5d-f945-42f2-b0d6-7b4bd59301e6" Name="Packaged app: Microsoft.Office.OneNote signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.OneNote" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="2df3fb94-a57d-4631-b110-dce35a5b4b6c" Name="Packaged app: Microsoft.People signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.People" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="c638fc48-8aed-4ab6-915c-9378919f81af" Name="Packaged app: Microsoft.ScreenSketch signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ScreenSketch" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="2a1a5f94-4895-432c-9e70-04e03bce6778" Name="Packaged app: Microsoft.StorePurchaseApp signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.StorePurchaseApp" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="219e4d25-a7b5-47f6-8d45-c37e13fbc9cd" Name="Packaged app: Microsoft.VP9VideoExtensions signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.VP9VideoExtensions" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="e85bc61c-e2e7-4753-b905-ba34796f715c" Name="Packaged app: Microsoft.WebMediaExtensions signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WebMediaExtensions" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="448a26b9-e180-49d6-bd3b-b935f5d389ad" Name="Packaged app: Microsoft.WebpImageExtension signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WebpImageExtension" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="4fb9fab5-7edc-4816-aa5f-5cc2c606339d" Name="Packaged app: Microsoft.Windows.Photos signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="c3266a6c-6a98-4105-86cf-e9bb0dcf265c" Name="Packaged app: Microsoft.WindowsAlarms signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsAlarms" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="342ed5e3-dc7f-4976-bdf8-0202c4965464" Name="Packaged app: Microsoft.WindowsCalculator signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="10f6bc87-14c0-4aaa-99e0-9fd39b28cc21" Name="Packaged app: Microsoft.WindowsCamera signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCamera" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="6dbadb53-ae37-40cc-abeb-4ebf92efd20e" Name="Packaged app: microsoft.windowscommunicationsapps signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="c47e90d4-bb17-4cc2-8634-7ead019adb37" Name="Packaged app: Microsoft.WindowsFeedbackHub signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsFeedbackHub" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="c37ae60b-92bc-4b96-8029-03d13c225112" Name="Packaged app: Microsoft.WindowsSoundRecorder signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="9472849d-3e2b-4ce4-9c45-4549a151b658" Name="Packaged app: Microsoft.WindowsStore signed by Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="3ebc0e91-5951-4469-bb6d-cf81956c7965" Name="All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow">  
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">  
          <BinaryVersionRange LowSection="*" HighSection="*" />  
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
</RuleCollection>
-> Save this as c:\applocker\applocker_internal.xml
Then run the actual PowerShell script under the SYSTEM account:
$namespaceName = "root\cimv2\mdm\dmmap"                                    # namespace of the MDM Bridge WMI provider
$className = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"   # CSP class for packaged (Store) apps
$GroupName = "AppLocker001"                                                # arbitrary grouping name in the CSP tree
$parentID = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
$policyData = Get-Content c:\applocker\applocker_internal.xml -Raw        # the RuleCollection saved above
Add-Type -AssemblyName System.Web
$pData = [System.Web.HttpUtility]::HtmlEncode($policyData)                # the XML must be HTML-encoded before it goes into the Policy node
New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID=$parentID;InstanceID="StoreApps";EnforcementMode="Enabled";Policy=$pData}
Result: all possible apps are allowed, only the Windows Photos app is blocked.

How do you get the paths/names? Take a machine with Win10 Enterprise (if you also want to test; otherwise Win10 Pro is enough), open the AppLocker configuration under secpol.msc and create rules to your taste. You will then find the paths under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2 in the registry.

PS: the class names used can be found at https://docs.microsoft.com/en-us/windows/win32/dmwmibridgeprov/mdm-bridg ... (enter "Applocker" in the search field).
The 4 important ones are:

MDM_AppLocker_MSI03
MDM_AppLocker_Script03
MDM_AppLocker_ApplicationLaunchRestrictions01_EXE03
MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03
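As an added example (not part of the original post or the linked scripts), the following PowerShell reads the StoreApps policy back from the same MDM Bridge class, checks that the expected Deny rule is really in place, lists blocked packaged-app launches from the AppLocker event log, and shows how to roll the policy back by deleting the CIM instance. It assumes the same namespace, class, GroupName and InstanceID as the script above, that it runs as SYSTEM like the apply script, and that the Policy property may come back still HTML-encoded (handled either way).

```powershell
# Added example: verify, audit and roll back the StoreApps policy written via the MDM Bridge.
# Assumes the same namespace/class/GroupName/InstanceID as the apply script; run as SYSTEM.
$namespaceName = "root\cimv2\mdm\dmmap"
$className     = "MDM_AppLocker_ApplicationLaunchRestrictions01_StoreApps03"
$GroupName     = "AppLocker001"
$parentID      = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$GroupName"
Add-Type -AssemblyName System.Web

function Get-StoreAppsPolicy {
    # Returns the CIM instance created by New-CimInstance, or nothing if no policy exists
    Get-CimInstance -Namespace $namespaceName -ClassName $className -ErrorAction SilentlyContinue |
        Where-Object { $_.ParentID -eq $parentID -and $_.InstanceID -eq "StoreApps" }
}

function Test-StoreAppDenied {
    param([Parameter(Mandatory)][string]$ProductName)   # e.g. Microsoft.Windows.Photos
    $inst = Get-StoreAppsPolicy
    if (-not $inst) { Write-Warning "No StoreApps policy found under $parentID"; return $false }
    # The policy was stored HtmlEncoded; decode only if it is returned that way (assumption)
    $raw = $inst.Policy
    if ($raw -like "&lt;*") { $raw = [System.Web.HttpUtility]::HtmlDecode($raw) }
    [xml]$policy = $raw
    $deny = @($policy.RuleCollection.FilePublisherRule |
        Where-Object { $_.Action -eq "Deny" -and
                       $_.Conditions.FilePublisherCondition.ProductName -eq $ProductName })
    Write-Host ("EnforcementMode={0}; Deny rules for {1}: {2}" -f $inst.EnforcementMode, $ProductName, $deny.Count)
    return ($inst.EnforcementMode -eq "Enabled" -and $deny.Count -gt 0)
}

function Get-BlockedPackagedAppLaunches {
    # Event ID 8022 in the AppLocker "Packaged app-Execution" log = packaged app was blocked
    Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-AppLocker/Packaged app-Execution"; Id = 8022 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Remove-StoreAppsPolicy {
    # Deleting the CIM instance is the clean way to take the MDM-applied policy off again
    $inst = Get-StoreAppsPolicy
    if ($inst) { $inst | Remove-CimInstance; "Policy $parentID removed" } else { "Nothing to remove" }
}

# Usage: confirm the Photos Deny rule from the post is active, then show any blocked launches
Test-StoreAppDenied -ProductName "Microsoft.Windows.Photos"
Get-BlockedPackagedAppLaunches
```

Call Remove-StoreAppsPolicy only when you actually want to drop the whole StoreApps rule collection; to change single rules, edit the XML and re-run the apply script instead.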