
Request: Intune ready Applocker XML files

Open · DM-Menno opened this issue 3 years ago · 1 comment

Would be nice if AaronLocker could already make the split XML files for Intune (Appx, MSI, EXE, Scripts and DLL). Anyway, thanks for the tool! Really like it.

Regards Menno

DM-Menno, Jun 01 '22 20:06

You'll need yq installed, but this script will split the policy file up by rule-collection type and upload the pieces to a single Intune policy for you.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement
param(
    [string]$PolicyFile,
    # AppLocker rule-collection types; each becomes one OMA-URI setting
    [string[]]$Types = @("Exe","Msi","Script","Appx","Dll"),
    [string]$AppLockerAuditPolicyName = "AppLocker Audit",
    [string]$AppLockerEnforcePolicyName = "AppLocker Enforce"
)

# AppLocker CSP policy node for each collection type
$PolicyUri = @{
    "Exe"    = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/EXEGroup/EXE/Policy"
    "Msi"    = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MSIGroup/MSI/Policy"
    "Script" = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/ScriptGroup/Script/Policy"
    "Appx"   = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/StoreAppsGroup/StoreApps/Policy"
    "Dll"    = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/DLLGroup/DLL/Policy"
}

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# The file name decides whether the Audit or the Enforce profile is updated
if (!$PolicyFile.Contains("Enforce") -and !$PolicyFile.Contains("Audit")) {
    Write-Error "File does not contain Enforce or Audit" -ErrorAction Stop
}
$PolicyName = if ($PolicyFile.Contains("Enforce")) { $AppLockerEnforcePolicyName } else { $AppLockerAuditPolicyName }
# -All walks every page of results so the profile is not missed in large tenants
$Policy = Get-MgDeviceManagementDeviceConfiguration -All | Where-Object { $_.DisplayName -eq $PolicyName }

if (-not $Policy) {
    Write-Error "No Intune policy found for ($PolicyName)" -ErrorAction Stop
}

$omaSettings = @()

foreach ($type in $Types) {
    Write-Host "Processing $type rules..."

    # yq reads the wanted collection type from the environment via env(type);
    # keep only the RuleCollection whose Type attribute matches, drop the first output line
    $env:type = $type
    $Filtered = yq '.AppLockerPolicy | .RuleCollection |= map(select(."+@Type" == env(type)))' $PolicyFile | Select-Object -Skip 1

    # Round-trip through a temp file to get one UTF-8 string for the setting value
    $TempFile = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $TempFile -Value $Filtered -Encoding UTF8

    $xmlContent = Get-Content -Raw -Path $TempFile
    $xmlBytes = [System.Text.Encoding]::UTF8.GetBytes($xmlContent)
    $xmlBase64 = [System.Convert]::ToBase64String($xmlBytes)

    # omaSettingStringXml carries the XML as Base64
    $omaSettings += @{
        "@odata.type" = "microsoft.graph.omaSettingStringXml";
        displayName = "AppLocker $type";
        description = "AppLocker $type";
        omaUri = $PolicyUri[$type];
        value = "$xmlBase64";
    }

    Remove-Item $TempFile
}

Write-Host "Updating Intune policy $PolicyName (id=$($Policy.Id))..."

# Replace the profile's OMA-URI settings with the freshly split collections
$params = @{
    "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
    description = $PolicyName
    displayName = $PolicyName
    version = 7
    omaSettings = $omaSettings
}

Update-MgDeviceManagementDeviceConfiguration -DeviceConfigurationId $Policy.Id -BodyParameter $params
```

nealfennimore, Sep 12 '25 00:09
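The split the comment above does with yq, as an added example (not AaronLocker's code and not the commenter's script) that uses PowerShell's built-in XML parser instead, keeps only the RuleCollection element per collection (what the AppLocker CSP's Policy nodes take), and reads the enforcement mode from the XML rather than from the file name. The function names and the sample policy are mine; the rule id is a placeholder.

```powershell
# Added example, not AaronLocker's code or the comment's script: split one
# AppLocker policy into per-collection XML with .NET's XML parser (no yq),
# and Base64-encode each piece for an omaSettingStringXml value.
function Split-AppLockerPolicy {
    param(
        [Parameter(Mandatory)][xml]$Policy,
        [string[]]$Types = @("Exe","Msi","Script","Appx","Dll")
    )
    $result = @{}
    foreach ($type in $Types) {
        # Each collection is a <RuleCollection Type="..."> child of <AppLockerPolicy>;
        # the AppLocker CSP takes that element by itself, without the parent wrapper.
        $node = @($Policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $type })
        if ($node.Count -eq 0) { Write-Warning "No $type collection found; skipping"; continue }
        $xml = $node[0].OuterXml
        $result[$type] = [pscustomobject]@{
            Xml    = $xml
            Base64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($xml))
        }
    }
    return $result
}

# Consistency check: all collections in one file should share a mode, so the
# Audit/Enforce decision can come from the XML instead of the file name.
function Get-AppLockerEnforcementModes {
    param([Parameter(Mandatory)][xml]$Policy)
    @($Policy.AppLockerPolicy.RuleCollection) | ForEach-Object { $_.EnforcementMode } | Sort-Object -Unique
}

# Constructed sample policy (rule id is a placeholder, not a real AppLocker rule id)
$sample = [xml]@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-2222-3333-4444-555555555555" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly" />
</AppLockerPolicy>
'@
$modes = Get-AppLockerEnforcementModes -Policy $sample
if ($modes.Count -ne 1) { Write-Warning "Mixed enforcement modes: $($modes -join ', ')" }

$split = Split-AppLockerPolicy -Policy $sample
foreach ($type in $split.Keys) {
    # One file per collection, ready for a custom OMA-URI row in Intune
    Set-Content -Path "AppLocker-$type.xml" -Value $split[$type].Xml -Encoding UTF8
}
```

Types missing from the policy (here Msi, Script and Appx) are skipped with a warning rather than uploaded as empty settings, and `$split[$type].Base64` is the value the comment's script puts into `omaSettingStringXml`.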