Implement App Control For Business

Ruben Faustinita 80 Reputation points
2025-02-12T19:04:24.02+00:00

Good afternoon,

To protect our organisation from possible improper installations, we implemented Microsoft's new App Control for Business tool.

We've had some challenges, but we've managed to overcome them all by applying supplementary policies with a few necessary exceptions to keep the organisation running smoothly. However, there is one problem that we're not getting to grips with.

After analysing the events generated by the policy in ‘Audit’ mode, many of the blocked .DLLs are within the user's own profile. This is a problem because we need to make some exceptions but we can't find an alternative for the exception to be applied to all users.

When we create the rule, it doesn't convert the user's profile name into something generic like %USERPROFILE%.

It creates the rule with the direct path as shown in the image.

User's image

Does anyone have any ideas on this subject or have you experienced it?

Thank you in advance for your help.

Best regards,

Ruben Faustinita


1 answer

  1. Crystal-MSFT 52,216 Reputation points Microsoft Vendor
    2025-02-13T02:15:33.7833333+00:00

    @Ruben Faustinita, thanks for posting in Q&A. In fact, App Control For Business uses path variables for well-known directories in Windows. Path variables aren't environment variables. For %USERPROFILE%, I don't find it in the path variables. You can use wildcards in App Control filepath rules to see if it works.

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/select-types-of-rules-to-create#more-information-about-filepath-rules

    Hope the above information can help.




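The wildcard approach suggested in the answer above, sketched with the ConfigCI cmdlets as an added example that is not part of the original thread: a supplemental policy whose filepath rule replaces the profile name with `*` so that it applies to every user. The policy file locations and the `ContosoApp` folder are placeholder assumptions; substitute the paths seen in your own audit events.

```powershell
# Added example, not from the thread. Paths and folder names are placeholders.
$BasePolicyXml = 'C:\Policies\BasePolicy.xml'        # assumption: your deployed base policy XML
$SuppPolicyXml = 'C:\Policies\UserProfileDlls.xml'   # assumption: where to write the supplemental policy

# '*' stands in for the profile name, so one rule covers all users.
# 'ContosoApp' is a hypothetical application folder. Keep the rule as narrow as
# the audit events allow; a rule such as C:\Users\* would allow anything a user drops
# into their profile. Which wildcard positions are supported depends on the Windows
# version; see the documentation linked in the answer.
$PathRule = 'C:\Users\*\AppData\Local\ContosoApp\*'
$Rules    = New-CIPolicyRule -FilePathRule $PathRule

# Build a policy in multiple-policy format that contains only this rule,
# then mark it as a supplement of the existing base policy.
New-CIPolicy -FilePath $SuppPolicyXml -Rules $Rules -MultiplePolicyFormat
Set-CIPolicyIdInfo -FilePath $SuppPolicyXml `
    -BasePolicyToSupplementPath $BasePolicyXml `
    -PolicyName 'Supplemental - per-user application DLLs'

# Caveat: by default App Control only honours a filepath rule when the path is
# writable by administrators only. Anything under a user profile is user-writable,
# so the rule is ignored at runtime unless option 18
# (Disabled:Runtime FilePath Rule Protection) is set. Setting it means any code the
# user can write into that folder will be allowed to run, so weigh that against
# publisher or hash rules for the same DLLs.
Set-RuleOption -FilePath $SuppPolicyXml -Option 18

# Check that the generated rule carries the generic path, not a single user's profile.
([xml](Get-Content -Path $SuppPolicyXml)).SiPolicy.FileRules.Allow |
    Select-Object ID, FriendlyName, FilePath
```

Deploy the result in audit mode first and confirm in the CodeIntegrity event log that the previously flagged DLLs are now matched by the rule for more than one user account.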