Posts

Showing posts with the label Applocker

Temporarily Bypassing Applocker for Self Extracting Installers

We've always struggled with installers that create temporary exe files in various locations alongside Applocker. Sometimes we're able to grab a copy of the temporary file and whitelist it so the installation can continue, but other times the installer bombs out too quickly and we just can't get the file. One solution is to whitelist the %OSDRIVE%\USERS\TEMP\APPDATA\LOCAL\TEMP directory, but for security that's a terrible idea. I created a process which I'd like to share that uses Microsoft Power Automation (Flow), Azure Automation, and the Microsoft Graph API to achieve the following:

1. Admin clicks a Flow button on their phone
2. The Flow button takes user input in the form of an Active Directory username (ex. rellington) and passes it to a webhook for an Azure Automation job
3. Azure Automation job starts, which removes the user from the Applocker enforced Active Directory Security Group (Applocker policy is enforced using Intune)
4. Azure Automation job forces an Intune s...

Moving Applocker control from Group Policy to Intune

Lately I've been trying to migrate a lot of GPOs to Intune so that our endpoints don't have to depend on a VPN for updating policy. Applocker was an important one for us since VPNs are flaky and it's important that users be able to run updated software while away from the office network. Chrome once updated its signing certificate, and because it auto-updates itself we had users who couldn't launch Chrome until they were able to get connected to the VPN and run a gpupdate. I already had the plumbing in place which allows Admins to upload files to a file share and have them automatically added as whitelisted to the Applocker GPO. Now I just had to move the enforcement of the GPO into Intune. I decided to keep the dependency on our Domain Controllers merging the changes into the Applocker policy since there are some pretty good Powershell commands that take care of that. The GPO for Applocker is still being updated but is only used for Intune to pull from and turn int...

Making managing Applocker easier

I'm fortunate enough to have application whitelisting in use on our domain using Windows Applocker policies. It does add quite a lot of administrative overhead to manage, but I've done a few things to make it easier. The first is an automated whitelisting process using a Powershell script and the Windows Task Scheduler. Task Scheduler runs the Powershell script below every 5 minutes on a domain server and checks a file share in Azure for .exe files. Only Administrators have access to this directory, so to add an app to the whitelist we just dump the .exe we want to whitelist into the directory, wait for it to disappear, and then run gpupdate to sync the new policy containing the whitelisted app. This is the Powershell code which the Task Scheduler runs every 5 minutes to monitor the fileshare for new files to whitelist:

=======================================================================
# This script will auto-add stuff to the AppLocker Enforce GPO
# Parse a direct...