Microsoft Intune - Blocking PowerShell for Standard Users
- Mr B SOE way
- Feb 28, 2024
- 1 min read
Updated: Mar 8, 2024
As part of a recent project, a customer asked for PowerShell to be blocked for standard users BUT still allowed for administrators. Bear in mind that the ACSC Windows hardening policies were already in place, so Command Prompt was already blocked as part of that baseline.
I found a trick that did the job. Go to https://intuneeducation.portal.azure.com/, select Groups, then select All Devices.
Then, under Settings > Windows device settings > Apps, set 'Block access to administrative apps' to Configure. Untick the ones you don't need (in my case cmd.exe, since the ACSC baseline already blocks it) and click Save.
Navigating back to https://intune.microsoft.com/ > Device Configurations, you will see that this has been created as a 'Custom' profile.
Rename the device configuration profile; in my case it was Windows - Block Access to Administrative Apps.
The profile contains a single OMA-URI setting:
Name: denyExe
Description: Block selected Administrative Apps: Cmd, PS, Regedit, or Registry Console Tool.
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy
The Custom XML contains the following. Note how it works: the first rule lets members of the local Administrators group (S-1-5-32-544) run everything; the second lets Everyone (S-1-1-0) run everything except the listed publisher-signed binaries. AppLocker implicitly denies any file that no allow rule covers, so for a standard user the exceptions behave as a deny, while an administrator still matches the first rule. Because the exceptions are publisher conditions rather than path conditions, both the System32 and SysWOW64 copies of powershell.exe are caught, as is a copy a user drops somewhere else. Two caveats: a rule collection with EnforcementMode="NotConfigured" that contains rules is enforced, so switch it to AuditOnly if you want to trial the profile before it starts blocking; and this EXE collection covers powershell.exe and powershell_ise.exe only, not pwsh.exe (PowerShell 7) or other hosts that load the PowerShell engine (System.Management.Automation.dll) without launching powershell.exe.
<RuleCollection Type="Exe" EnforcementMode="NotConfigured">
  <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
  </FilePathRule>
  <FilePathRule Id="ce9d9fd5-d765-48df-b87b-e1bafd5653ed" Name="All files" Description="Allows members of the Everyone group to run applications that are located in any folder." UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <FilePathCondition Path="*" />
    </Conditions>
    <Exceptions>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="powershell.exe">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="powershell_ise.exe">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="reg.exe">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® WINDOWS® OPERATING SYSTEM" BinaryName="regedit.exe">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition>
    </Exceptions>
  </FilePathRule>
</RuleCollection>
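Once the profile has synced, it is worth confirming on a device that the policy actually landed and decides the way the XML above intends. The script below is an added verification example, not part of the original post or of the Intune profile itself. It assumes a local standard user named stduser exists for testing (a hypothetical name; point $StandardUser at a real account in your environment) and should be run from an elevated PowerShell on an enrolled device.

```powershell
# Added verification script (not from the original post). Checks that the
# AppLocker EXE policy delivered by the Intune custom profile is present,
# enforced, and treats a standard user and an administrator differently.
# Run elevated on an enrolled device after a sync.

$StandardUser = "$env:COMPUTERNAME\stduser"        # hypothetical test account, change to a real one
$AdminUser    = "$env:COMPUTERNAME\Administrator"  # any member of local Administrators works

# 1. AppLocker only enforces while the Application Identity service is running.
$appId = Get-Service -Name AppIDSvc
"AppIDSvc status: $($appId.Status)"

# 2. Export the effective policy (local policy merged with what the CSP delivered).
$xmlPath = Join-Path $env:TEMP 'EffectiveAppLocker.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $xmlPath -Encoding utf8
[xml]$policy = Get-Content -Path $xmlPath
$exeCollection = $policy.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
if ($exeCollection) {
  # NotConfigured with rules present means the rules are enforced; AuditOnly only logs.
  "EXE collection enforcement mode: $($exeCollection.EnforcementMode); rules: $($exeCollection.ChildNodes.Count)"
} else {
  'No EXE rule collection found: the profile has not applied to this device yet.'
}

# 3. Binaries the profile is meant to block (both the 64-bit and 32-bit copies of
#    powershell.exe, since the publisher condition catches either), plus two
#    controls: notepad.exe should stay allowed, cmd.exe is outside this profile.
$targets = @(
  "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
  "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
  "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
  "$env:SystemRoot\System32\reg.exe",
  "$env:SystemRoot\regedit.exe",
  "$env:SystemRoot\System32\notepad.exe",
  "$env:SystemRoot\System32\cmd.exe"
) | Where-Object { Test-Path -Path $_ }

# 4. Ask AppLocker how it would decide each file for each account. The standard
#    user should see the PowerShell, reg and regedit binaries denied, while the
#    administrator matches the "(Default Rule) All files" allow rule for everything.
foreach ($user in $StandardUser, $AdminUser) {
  "`n=== Decisions for $user ==="
  Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $targets -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
}

# 5. Recent enforcement events, handy when a user reports that PowerShell "still runs":
#    8004 = blocked, 8003 = would have been blocked (AuditOnly), 8002 = allowed.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 -ErrorAction SilentlyContinue |
  Where-Object Id -in 8002, 8003, 8004 |
  Select-Object TimeCreated, Id, Message |
  Format-Table -Wrap
```

If the standard user's decisions come back as Allowed for powershell.exe, check the AppIDSvc status and the enforcement mode first; if the EXE collection is missing altogether, force a sync from Settings > Accounts > Access work or school and re-run.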