Anti-DLL Module Allow List
Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
Description
The DLL Allow List policy allows admins to exclude any DLL from the Anti-DLL protection. When the policy is:
Not Configured - No DLL is part of the allow list. All DLLs are included in the Anti-DLL protection.
Enabled - DLLs mentioned in the allow list are excluded from the Anti-DLL protection.
Disabled - The DLL allow list is cleared. DLLs need to be configured again when the policy is enabled.
The Module Allow List field allows admins to add information about DLLs that can be excluded from the Anti-DLL protection. Sample format for adding DLLs to the allow list:
[
  { "filePath": "C:\\Program Files (x86)\\trusted\\messagebox.dll" },
  { "filePath": "%PROGRAMFILES%\\trusted\\logging.dll" }
]
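Every allow-list entry exempts a DLL from the Anti-DLL protection, so entries are worth reviewing before they are deployed. The PowerShell below is an added example, not code from Citrix or gporais.com: the function name `Test-AllowListEntry`, the sample JSON, and the review rules (local absolute path under Program Files, valid Authenticode signature) are assumptions made for illustration.

```powershell
# Added example: review allow-list entries before deployment.
# Constructed sample input in the page's format (last two entries are deliberately bad).
$allowListJson = @'
[
  { "filePath": "C:\\Program Files (x86)\\trusted\\messagebox.dll" },
  { "filePath": "%PROGRAMFILES%\\trusted\\logging.dll" },
  { "filePath": " %TEMP%\\helper.dll" },
  { "filePath": "trusted\\..\\relative.dll" }
]
'@

function Test-AllowListEntry {
    param([Parameter(Mandatory = $true)][string]$FilePath)

    $findings = @()
    if ($FilePath -ne $FilePath.Trim()) { $findings += 'leading or trailing whitespace' }
    $expanded = [Environment]::ExpandEnvironmentVariables($FilePath.Trim())

    if ($expanded -match '%[^%\\]+%')        { $findings += 'unresolved environment variable' }
    if ($expanded -notmatch '^[A-Za-z]:\\')  { $findings += 'not a local absolute path' }
    if ($expanded -match '(^|\\)\.\.(\\|$)') { $findings += 'contains a .. segment' }
    if ($expanded -notmatch '\.dll$')        { $findings += 'does not end in .dll' }

    # Assumed review rule (not from the policy text): exceptions must live under
    # a Program Files tree, which standard users cannot write to by default.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $underRoot = $false
    foreach ($root in $roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $underRoot = $true }
    }
    if (-not $underRoot) { $findings += 'outside Program Files' }

    # Only files that exist on this machine can have their signature checked.
    if (Test-Path -LiteralPath $expanded -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $expanded
        if ($sig.Status -ne 'Valid') { $findings += "signature status: $($sig.Status)" }
    } else {
        $findings += 'file not found on this machine'
    }

    [pscustomobject]@{
        FilePath = $FilePath
        Findings = $findings -join '; '
        Ok       = ($findings.Count -eq 0)
    }
}

$entries = $allowListJson | ConvertFrom-Json
$entries | ForEach-Object { Test-AllowListEntry -FilePath $_.filePath } | Format-List
```

Run it on a machine where the listed DLLs are installed; entries with `Ok = False` carry the reasons in `Findings`.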
Registry
Software\Policies\Citrix\AppProtection
REG Builder (BETA)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Anti-DLL Module Allow List
; State: Enabled
; Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
[HKEY_LOCAL_MACHINE\Software\Policies\Citrix\AppProtection]
"AntiDLLInjectionModuleAllowList"=hex(7):00,00
; REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
PowerShell
# Exported from gporais.com
# Policy: Anti-DLL Module Allow List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
$path = 'HKLM:\Software\Policies\Citrix\AppProtection'
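# Create the key only when it is missing, so values already stored under it are left untouched.
if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }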
Set-ItemProperty -Path $path -Name 'AntiDLLInjectionModuleAllowList' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Anti-DLL Module Allow List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}

$checks = @(
    (Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\AppProtection' -Name 'AntiDLLInjectionModuleAllowList' -Expected @() -Kind MultiString)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Anti-DLL Module Allow List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
$path = 'HKLM:\Software\Policies\Citrix\AppProtection'
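# Create the key only when it is missing, so values already stored under it are left untouched.
if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }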
Set-ItemProperty -Path $path -Name 'AntiDLLInjectionModuleAllowList' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.
SCCM CI
# Exported from gporais.com
# Policy: Anti-DLL Module Allow List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Anti-DLL Module Allow List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}

$checks = @(
    (Test-RegistryValue -Path 'HKLM:\Software\Policies\Citrix\AppProtection' -Name 'AntiDLLInjectionModuleAllowList' -Expected @() -Kind MultiString)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Anti-DLL Module Allow List
# State: Enabled
# Supported on: ADMX Migrator encountered a policy that does not have a supportedOn value.
$path = 'HKLM:\Software\Policies\Citrix\AppProtection'
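# Create the key only when it is missing, so values already stored under it are left untouched.
if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }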
Set-ItemProperty -Path $path -Name 'AntiDLLInjectionModuleAllowList' -Value @() -Type MultiString
# REG_MULTI_SZ: one string per input line; edit in regedit if you need richer formatting.