Moving Applocker control from Group Policy to Intune

Lately I've been trying to migrate a lot of GPOs to Intune so that our endpoints don't have to depend on a VPN for updating policy. Applocker was an important one for us since VPNs are flaky and it's important that users be able to run updated software while away from the office network. Chrome once updated its signing certificate and because it auto-updates itself we had users who couldn't launch Chrome until they were able to get connected to the VPN and run a gpupdate.

I already had the plumbing in place which allows Admins to upload files to a file share and have them automatically added as whitelisted to the Applocker GPO. Now I just had to move the enforcement of the GPO into Intune.

I decided to keep the dependency on our Domain Controllers for merging the changes into the Applocker policy, since there are some pretty good PowerShell cmdlets that take care of that. The GPO for Applocker is still being updated, but it is now only used as the source that Intune pulls from and turns into a Device Configuration Policy.

The pieces used in this process consist of the following:
Azure Storage Account file share (for uploading the .exe needing to be whitelisted)
Azure Automation Account (for Runbooks)
Azure Automation Hybrid Worker (for executing the necessary code needing to run on the Domain Controller)
Microsoft Graph API (for connecting to Intune from the Runbook)
Intune Device Configuration Profile (this takes the place of the Group Policy Object for enforcing the Applocker policy)
Azure Active Directory App Registration (this provides the permissions to the Runbook for Microsoft Graph)

A diagram showing how the pieces connect together:


Step 1 is pretty self-explanatory. We just use an Azure File Share, accessible only to Admins, for uploading the .exe file which we want to add to the whitelist.

Step 2 is covered here

Step 3 is simply an addition to the scheduled task referenced in step 2 to execute the Azure Automation Runbook once the GPO merges are complete. So the Scheduled Task script ends up looking like this:
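The following is an added example of what the tail of that scheduled task can look like; it is not the post's own script. It assumes the step 2 merge is done with the AppLocker cmdlets (shown here for context), that the DC has the Az.Accounts and Az.Automation modules and an identity with rights to start the runbook, and that every name marked "placeholder" (GPO GUID, share path, Automation account, runbook, hybrid worker group) is replaced with your own.

```powershell
# Added example, not the post's script. Runs as the scheduled task on the Domain Controller.
# All values below marked "placeholder" are assumptions to be replaced.
$UploadShare     = '\\storageacct.file.core.windows.net\applocker-uploads'   # placeholder
$GpoLdapPath     = 'LDAP://dc01.example.local/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=example,DC=local' # placeholder GPO GUID
$ResourceGroup   = 'rg-automation'               # placeholder
$AutomationAcct  = 'aa-endpoint'                 # placeholder
$RunbookName     = 'Publish-AppLockerToIntune'   # placeholder name for the step 4 runbook
$HybridWorkerGrp = 'dc-hybrid-workers'           # placeholder hybrid worker group

# Step 2 (context): build rules from what Admins uploaded and merge them into the GPO.
# Publisher rules are preferred so a vendor's re-signed update keeps working; unsigned
# files fall back to a hash rule, which will need a new upload on every version.
$files = Get-ChildItem -Path $UploadShare -Filter *.exe -File
if (-not $files) { Write-Output 'No new files to whitelist'; return }

$fileInfo  = $files | Get-AppLockerFileInformation
$newPolicy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize

# -Merge adds to the existing GPO policy instead of replacing it.
Set-AppLockerPolicy -PolicyObject $newPolicy -Ldap $GpoLdapPath -Merge

# Step 3: only after the merge succeeded, start the runbook that publishes the GPO to Intune.
# Authentication is assumed to be a managed identity (e.g. an Azure Arc-enabled server);
# any principal holding the Automation Operator role on the account works here.
Connect-AzAccount -Identity | Out-Null
$job = Start-AzAutomationRunbook -ResourceGroupName $ResourceGroup `
        -AutomationAccountName $AutomationAcct `
        -Name $RunbookName `
        -RunOn $HybridWorkerGrp
Write-Output "Started runbook job $($job.JobId) after merging $($files.Count) file(s)"
```

Starting the runbook with -RunOn forces it onto the hybrid worker group, which is what lets the step 4 code read the GPO from a Domain Controller; if the task account cannot hold an Azure identity, an Automation webhook called with Invoke-RestMethod is the usual alternative, with the webhook URL treated as a secret.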



Step 4 uses an Azure Automation Runbook along with a Hybrid Worker to run code on a Domain Controller to get the updated GPO containing the newly whitelisted software and push it into an Intune Device Configuration Profile using the Microsoft Graph API.

This Runbook is what took the most work to figure out because of all the slicing and dicing of the XML required to get it to work with Microsoft Graph. There may be a better way to do this but this is what worked for me and only modifies the EXE portion of the Applocker GPO. The runbook code is below:
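Below is an added example of such a runbook; it is not the post's own code and may differ from how the author slices the XML. It assumes an existing Intune custom (OMA-URI) profile whose id is stored in an Automation variable, an App Registration granted DeviceManagementConfiguration.ReadWrite.All, the client secret stored as an Automation credential, and placeholder names for the Automation variables, the GPO LDAP path and the CSP grouping label.

```powershell
<#
 Added example runbook, not the post's code. Runs on the Hybrid Worker on a Domain Controller:
 reads the Applocker GPO, keeps only the Exe RuleCollection, and writes it into an existing
 Intune custom device configuration profile through Microsoft Graph.
 Every value marked "placeholder" is an assumption.
#>

# Secrets and ids come from the Automation account, never hard-coded in the runbook.
$TenantId  = Get-AutomationVariable -Name 'TenantId'            # placeholder variable names
$ClientId  = Get-AutomationVariable -Name 'GraphAppId'
$ProfileId = Get-AutomationVariable -Name 'AppLockerProfileId'  # id of the existing Intune profile
$Secret    = (Get-AutomationPSCredential -Name 'GraphAppSecret').GetNetworkCredential().Password
$GpoLdap   = 'LDAP://dc01.example.local/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=example,DC=local' # placeholder
$Grouping  = 'CorpAppLocker'   # placeholder; must match the grouping used when the profile was created

# 1. Pull the GPO policy as XML and keep only the Exe collection.
[xml]$policy = Get-AppLockerPolicy -Ldap $GpoLdap -Xml
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe) { throw 'GPO has no Exe rule collection; refusing to publish an empty policy' }

# Guard rails before touching Intune: a rule set with no rules and Enforcement on would
# block every executable on every enrolled device.
$ruleCount = @($exe.ChildNodes).Count
if ($ruleCount -eq 0) { throw 'Exe collection has no rules; aborting' }
if ($exe.EnforcementMode -notin 'Enabled', 'AuditOnly') {
    throw "Unexpected EnforcementMode '$($exe.EnforcementMode)'; aborting"
}

# The AppLocker CSP takes the <RuleCollection Type="Exe" ...> element itself, not the
# surrounding <AppLockerPolicy> wrapper, so only that node's OuterXml is sent.
$exeXml = $exe.OuterXml

# 2. Client-credentials token for Graph.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $Secret
        scope         = 'https://graph.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)"; 'Content-Type' = 'application/json' }

# 3. Replace the EXE OMA-URI setting on the existing custom profile.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    omaSettings   = @(
        @{
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'AppLocker EXE rules'
            omaUri        = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/EXE/Policy"
            value         = $exeXml
        }
    )
} | ConvertTo-Json -Depth 5

Invoke-RestMethod -Method Patch -Headers $headers `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$ProfileId" `
    -Body $body | Out-Null
Write-Output "Published $ruleCount EXE rule(s) from the GPO to Intune profile $ProfileId"
```

The PATCH sends the omaSettings array as a whole, so if the same profile also carries other collections (DLL, MSI, Script) the runbook should first GET the profile and keep those entries in the array; the example above matches the post's scope of touching only the EXE portion. Keeping the grouping label stable matters because the CSP keys the policy on it, and changing it leaves the old policy behind on devices.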




