App locker on intune block over my expectations


Dear engineers team,


I really need your help because of I got problems with app locker on intune when I applied script to one user it has been block over my scope that I set, in my script I’m just set up to be block telegram anydesk and team-viewer only but it not do follow what I set after deploying script to user, it going to block another app as well like Microsoft team classic, Note ++ , 7Zip and …..


here is my script


RuleCollection Type=”Exe” EnforcementMode=”Enabled”>   <FilePublisherRule Id=”db94dea9-61ae-462d-a2ec-25c19c20c13e” Name=”TEST Block Telegram” Description=”” UserOrGroupSid=”S-1-1-0″ Action=”Deny”>    <Conditions>     <FilePublisherCondition PublisherName=”O=TELEGRAM FZ-LLC, L=DUBAI, S=DUBAI, C=AE” ProductName=”TELEGRAM DESKTOP” BinaryName=”*”>      <BinaryVersionRange LowSection=”*” HighSection=”*” />     </FilePublisherCondition>    </Conditions>   </FilePublisherRule>   <FilePathRule Id=”921cc481-6e17-4653-8f75-050b80acca20″ Name=”(Default Rule) All files located in the Program Files folder” Description=”Allows members of the Everyone group to run applications that are located in the Program Files folder.” UserOrGroupSid=”S-1-1-0″ Action=”Allow”>    <Conditions>     <FilePathCondition Path=”%PROGRAMFILES%*” />    </Conditions>   </FilePathRule>   <FilePathRule Id=”a61c8b2c-a319-4cd0-9690-d2177cad7b51″ Name=”(Default Rule) All files located in the Windows folder” Description=”Allows members of the Everyone group to run applications that are located in the Windows folder.” UserOrGroupSid=”S-1-1-0″ Action=”Allow”>    <Conditions>     <FilePathCondition Path=”%WINDIR%*” />    </Conditions>   </FilePathRule>   <FilePathRule Id=”fd686d83-a829-4351-8ff4-27c7de5755d2″ Name=”(Default Rule) All files” Description=”Allows members of the local Administrators group to run all applications.” UserOrGroupSid=”S-1-5-32-544″ Action=”Allow”>    <Conditions>     <FilePathCondition Path=”*” />    </Conditions>   </FilePathRule>   <FilePublisherRule Id=”0a5495da-c1c8-42d2-8218-262680023bfc” Name=”Test Block Anydesk” Description=”” UserOrGroupSid=”S-1-1-0″ Action=”Deny”>    <Conditions>     <FilePublisherCondition PublisherName=”O=PHILANDRO SOFTWARE GMBH, L=STUTTGART, S=BADEN-WÜRTTEMBERG, C=DE” ProductName=”ANYDESK” BinaryName=”*”>      <BinaryVersionRange LowSection=”*” HighSection=”*” />     </FilePublisherCondition>    </Conditions>   </FilePublisherRule>   <FilePublisherRule Id=”70db3bcd-2d61-4a9e-892d-ca46e8e2b266″ Name=”Test Block Teamviewer” Description=”” UserOrGroupSid=”S-1-1-0″ Action=”Deny”>    <Conditions>     <FilePublisherCondition PublisherName=”O=TEAMVIEWER GERMANY GMBH, L=GÖPPINGEN, S=BADEN-WÜRTTEMBERG, C=DE” ProductName=”TEAMVIEWER QS” BinaryName=”*”>      <BinaryVersionRange LowSection=”*” HighSection=”*” />     </FilePublisherCondition>    </Conditions>   </FilePublisherRule>  </RuleCollection>”

Answers ( 2 )


    As per the MS, the deny actions are processed before allowing action, and you have to be more specific with your rule. Upon checking, I found that the rules to block Telegram, AnyDesk, and TeamViewer are processed first because they are more specific. Then, the rules to allow all files in certain locations or for certain users are processed. If an application does not meet any of the Allow conditions, it will be blocked by default. You probably need to set up more specific allow rules here.

    Best answer
  1. Hi – We will ask our HTMD community active contributor and scripting expert Sujin to have a look into this!

Leave an answer

Sorry, you do not have permission to answer to this question .