(104) Microsoft Intune - Blocking PowerShell 7 for Standard Users
- Mr B SOE way
- Mar 6, 2024
- 2 min read
Updated: Mar 11, 2024
In addition to blocking the 'administrative apps' described in https://soeintunedevice.wixsite.com/home/post/103-microsoft-intune-blocking-powershell-for-standard-users, I was advised to block 'PowerShell 7' as well, BUT still allow Administrators to run it.
You might expect to be able to add a block for C:\Program Files\PowerShell\7\pwsh.exe to the existing XML, but unfortunately that does not work using the same method. Instead it is best to create the AppLocker policy from scratch, which I cover below.
Download the denyEXE-Intune.xml from https://github.com/mrbernardmah/intune-applocker-block-administrative-apps if you wish to upload it to Intune.
Here is what I did:
1. Open secpol.msc (via search), then navigate to Application Control Policies > AppLocker, right click Executable Rules and select Create Default Rules.
2. The three default rules will appear in the list.
3. Right click "(Default Rule) All files located in the Program Files folder" and select Exceptions. Add an exception of type Path and browse to the location, so that PATH is %PROGRAMFILES%\PowerShell\7\pwsh.exe
4. Right click "(Default Rule) All files located in the Windows folder" and select Exceptions. Add exceptions of type Path and browse to each of the following locations, so that PATH is:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
And, for 64-bit Machines:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
5. Once all exceptions are added, right click AppLocker and select Export Policy.
6. Save the changes and export the policy to another location. Then edit the exported XML and remove both the opening and closing wrapper lines, so only the RuleCollection element remains:
<AppLockerPolicy Version="1"> [TOP]
</AppLockerPolicy> [BOTTOM]
7. Navigate to the Microsoft Intune profile and upload the .XML file.
To re-create the profile, create a 'custom' profile with the following OMA-URI setting:
Name: denyEXE
Description: Block selected Administrative Apps: Cmd, PS, Regedit, or Registry Console Tool.
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/IntuneEdu/EXE/Policy
Data Type: String (XML)
Custom XML: Upload the denyEXE-Intune.xml from https://github.com/mrbernardmah/intune-applocker-block-administrative-apps
8. Go to Company Portal and sync the policy, then test running PowerShell 7 as a standard user. You will get this prompt.
In summary, standard users trying to run any of these paths will receive the same prompt as above.
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
And, for 64-bit Machines:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
Running it as Administrator and entering your admin credentials will load PowerShell with administrator rights.
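The following is an added example, not code from the original post or its GitHub repository. It shows what the three default rules with the exceptions from steps 3 and 4 look like as AppLocker XML, derives the Intune payload by dropping the <AppLockerPolicy> wrapper (step 6), and then uses Test-AppLockerPolicy to check the decisions locally for Everyone and for Administrators before anything is uploaded. It assumes the AppLocker PowerShell module is available (Windows 10/11 Pro or Enterprise), the PowerShell 7 path from the post, and that the %WINDIR%-based variable form of the exception paths is acceptable (the secpol.msc export may write them with a different AppLocker path variable). The rule Ids are the GUIDs AppLocker uses for its default rules, but any unique GUID works.

```powershell
# Added example (not from the original post). Builds the policy from the post,
# derives the Intune payload, and tests decisions locally with Test-AppLockerPolicy.
$fullPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20"
                  Name="(Default Rule) All files located in the Program Files folder"
                  Description="Allows members of the Everyone group to run applications that are located in the Program Files folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
      <Exceptions>
        <!-- step 3: PowerShell 7 is carved out of the Everyone allow rule -->
        <FilePathCondition Path="%PROGRAMFILES%\PowerShell\7\pwsh.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51"
                  Name="(Default Rule) All files located in the Windows folder"
                  Description="Allows members of the Everyone group to run applications that are located in the Windows folder."
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <!-- step 4: Windows PowerShell 5.1 (64-bit and 32-bit hosts) and the ISE -->
        <FilePathCondition Path="%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe" />
        <FilePathCondition Path="%WINDIR%\System32\WindowsPowerShell\v1.0\powershell_ise.exe" />
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" />
        <FilePathCondition Path="%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2"
                  Name="(Default Rule) All files"
                  Description="Allows members of the local Administrators group to run all applications."
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Step 6 of the post: the Intune custom profile wants only the <RuleCollection>
# element, so strip the <AppLockerPolicy> wrapper with the XML parser rather
# than by hand.
$doc = [xml]$fullPolicy
$intunePayload = $doc.AppLockerPolicy.RuleCollection.OuterXml
Set-Content -Path "$env:TEMP\denyEXE-Intune.xml" -Value $intunePayload -Encoding UTF8

# Test-AppLockerPolicy needs the full document, so test the wrapped version.
$policyFile = "$env:TEMP\denyEXE-full.xml"
Set-Content -Path $policyFile -Value $fullPolicy -Encoding UTF8

# Only test paths that exist on this machine (SysWOW64 is absent on 32-bit).
$paths = @(
  "$env:ProgramFiles\PowerShell\7\pwsh.exe",
  "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe",
  "$env:windir\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
  "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
  "$env:windir\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
  "$env:windir\System32\notepad.exe"   # control: must stay allowed for everyone
) | Where-Object { Test-Path $_ }

# S-1-1-0 = Everyone (what a standard user matches), S-1-5-32-544 = BUILTIN\Administrators.
# Expected: the PowerShell paths come back DeniedByDefault for S-1-1-0 (the
# exception removes the allow and nothing else allows them) and Allowed for
# S-1-5-32-544 via the "All files" rule; notepad.exe is Allowed for both.
foreach ($sid in 'S-1-1-0', 'S-1-5-32-544') {
  "--- decisions for $sid ---"
  Test-AppLockerPolicy -XmlPolicy $policyFile -Path $paths -User $sid |
    Select-Object FilePath, PolicyDecision, MatchingRule
}
```

Run this in an elevated Windows PowerShell session on a machine that has PowerShell 7 installed; if a path is reported as Allowed for S-1-1-0, the corresponding exception is missing or spelled differently from the real location, which is exactly the mistake the post describes when pwsh.exe is added to the older XML. Note that these are path exceptions: they only cover the listed locations, which is why Microsoft's AppLocker guidance prefers publisher rules where the binary is signed, and AppLocker enforces nothing at all unless the Application Identity service is running on the device.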