About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

Controlling User App Access With AppLocker

Most organizations can gain some benefit from deploying application control policies. It is something IT staff can use to make their work easier and improve the overall management of employee devices. AppLocker gives admins control over which apps and files users can run, including executable files, scripts, Windows Installer files, DLLs, packaged apps and packaged app installers. Used well, AppLocker helps organizations reduce admin overhead and the cost of managing computer resources. With that said, let's go over how AppLocker helps you control user app access.

Installation

AppLocker is included in the enterprise-level editions of Windows (Enterprise and Education, and Windows Server), so there is nothing to install. Rules can be authored for a single computer or for a group of computers. For a single computer, use the Local Security Policy editor (secpol.msc). For a group of computers, use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). Note that AppLocker policies are only configured and enforced on computers running a supported version and edition of Windows, and only while the Application Identity service (AppIDSvc) is running, so verify enforcement on each type of target machine rather than assuming a GPO-delivered policy is in force everywhere.

Features of AppLocker

AppLocker offers several features that help you manage access control. It lets you define rules based on file attributes that persist across app updates, such as the publisher name, product name, file name and file version taken from a file's digital signature; for unsigned files, file hash and path rules are available instead. You can assign rules to individual users or security groups, and create exceptions to rules.

To understand the impact of a policy before enforcing it, AppLocker lets you deploy it first in audit-only mode, which logs what would have been blocked without blocking anything. You can also create rules on a staging server, test them there, export them, and then import them into a Group Policy Object (GPO) for the production environment. The Windows PowerShell cmdlets for AppLocker make creating, testing and managing rules easier to script and repeat.

Enhancing security

AppLocker works well at addressing the following security scenarios:

  • Application inventory: AppLocker policies can be enforced in audit-only mode, where all application access activity is recorded in the AppLocker event logs.
  • Protection against unwanted software: any app you leave out of the allowed list, or explicitly deny, is prevented from running.
  • Licensing conformance: rules can block unlicensed software from running and limit licensed software to authorized users.
  • Software standardization: for a more uniform application deployment, you can set up policies that only allow supported or approved apps to run on PCs within a business group.
  • Manageability improvement: AppLocker improves on its predecessor, Software Restriction Policies, in several ways. Among those improvements are audit-only deployment, automatic generation of rules from multiple files, and importing and exporting of policies.

Apps to control

Each organization decides which apps to control based on its own needs. To control all apps, AppLocker lets you build allowed lists by file type (executables, scripts, installers, DLLs and packaged apps). To control specific apps, the AppLocker rules you create form the allowed list: every app on that list can run, except those covered by an exception. To control apps by business group and user, apply AppLocker policies through a GPO to computer objects within an organizational unit, and scope individual rules to users or security groups.

Allow and deny actions

Because each AppLocker rule collection operates as an allowed list of files, the only files allowed to run are the ones covered by a rule in that collection. This differs from Software Restriction Policies, where the default is usually to allow. Since AppLocker works as an allowed list, if there is no explicit rule allowing or denying a file, AppLocker's default deny action blocks it. Rule collections are independent: a collection with no rules that is left Not configured is not enforced at all, so enabling rules for executables does not by itself control scripts or installers. Deny rules are generally less secure than relying on the default deny, because a malicious user can modify or move a file so that a hash- or path-based deny rule no longer matches. One important thing to remember when you do use deny rules: create rules allowing the Windows system files to run first. Otherwise, a single deny rule in a rule collection meant to block one malicious file will also block every other file of that type on the computer.
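The workflow from the Features section (create rules with the PowerShell cmdlets, test in audit-only mode, export/import) combined with the allow-before-deny point above, as an added example that is not from the original post. It assumes an elevated PowerShell session on an edition that includes AppLocker; $policyFile and $denyPath are placeholder paths, and scanning C:\Windows recursively is slow and is done once to seed the baseline:

```powershell
# Added example (not from the original post): build allow rules for the OS and
# Program Files directories, append one explicit deny rule, check the result
# offline, deploy it locally in audit-only mode and then read the audit events.

Import-Module AppLocker

$policyFile = 'C:\Temp\AppLocker-Baseline.xml'          # placeholder
$denyPath   = '%OSDRIVE%\Tools\legacy-tool.exe'          # hypothetical file to block explicitly

# 1. Inventory the files to allow. DLL rules are left out on purpose: the DLL
#    collection needs a rule for every DLL on the machine and costs performance.
$files = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Allow rules first: publisher rules for signed files (they survive updates),
#    hash rules for the unsigned remainder, granted to Everyone, merged per publisher/product.
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation -Xml
$xml = [xml]$policyXml

# 3. Only now add the deny rule, into the Exe collection that already allows the OS.
#    Deny rules take precedence over allow rules, so this blocks the path even if a
#    publisher rule would otherwise cover the file.
$exeCollection = $xml.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$rule = $xml.CreateElement('FilePathRule')
$rule.SetAttribute('Id', [guid]::NewGuid().ToString())
$rule.SetAttribute('Name', "Deny $denyPath")
$rule.SetAttribute('Description', 'Explicit deny; the allow rules for Windows were generated first')
$rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # Everyone
$rule.SetAttribute('Action', 'Deny')
$conditions = $xml.CreateElement('Conditions')
$condition  = $xml.CreateElement('FilePathCondition')
$condition.SetAttribute('Path', $denyPath)
[void]$conditions.AppendChild($condition)
[void]$rule.AppendChild($conditions)
[void]$exeCollection.AppendChild($rule)

# 4. Audit first. AuditOnly logs what would have been blocked without blocking anything.
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyFile)

# 5. Check decisions offline against the XML before it touches any machine (the test
#    files must exist on the machine running the check). PolicyDecision is Allowed,
#    Denied or DeniedByDefault; MatchingRule names the rule that fired.
Test-AppLockerPolicy -XmlPolicy $policyFile -Path 'C:\Windows\System32\notepad.exe', "$env:SystemDrive\Tools\legacy-tool.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Apply to the local policy (use -Ldap 'LDAP://...' to write into a domain GPO instead)
#    and make sure the Application Identity service runs, otherwise nothing is evaluated.
Set-AppLockerPolicy -XmlPolicy $policyFile
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service AppIDSvc

# 7. After a period in audit mode, read the "would have been blocked" events (8003) and,
#    once enforced, the actual blocks (8004) from the EXE and DLL log.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it on a staging machine first, review the 8003 events for anything legitimate that the baseline missed (add publisher rules for it rather than widening path rules), and only then switch EnforcementMode from AuditOnly to Enabled in the XML and re-import it into the GPO.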

Administrator control 

The last thing most organizations want is a standard user, or worse a malicious one, modifying their policies. AppLocker therefore only allows administrators to modify AppLocker rules to allow or block an application. For PCs joined to a domain, rules an administrator creates in the local policy are merged with the domain-level rules defined in the domain GPO, so the effective policy is the union of both and a local change cannot remove a domain rule.

Is AppLocker for you?

If you need tighter control over which applications run in your organization, AppLocker is worth considering, and if your organization has a known and manageable number of applications you have an additional reason. Ask whether your organization has the resources to test policies against its requirements, and to involve the Help Desk or build a self-help process for end-user application access issues. If the answer is yes, AppLocker can be a great addition to your organization's application control policies.

Wrap up

Software that improves the way an organization controls access to its applications and data can play a significant role in boosting efficiency, and AppLocker is one such tool. With the features described above it can easily become a valuable asset for your IT team: it simplifies access control management, and an allow-list policy enforced on endpoints raises the bar against unwanted and malicious software. AppLocker can be a valuable addition to your application control policies.

Benefits of Using Microsoft FastTrack

Cloud technology has grown significantly in importance in recent years. Not only has it brought great convenience, it is also available to everyone: from Fortune 500 companies to small startups, there are options for all. As is often the case, the challenge comes with making the change to cloud resources. Lack of knowledge and a fear of the unknown make many people hesitant, and the transition can be very challenging. To deal with this, Microsoft offers FastTrack, a service that helps customers deploy Microsoft cloud solutions. It comes with some real benefits, which we go over below.

Get expert guidance

Microsoft FastTrack is a service that helps customers onboard Microsoft cloud solutions and drive user adoption. So who exactly does the assisting? Microsoft has FastTrack specialists who are responsible for your overall onboarding experience. Because customers face very different situations, FastTrack provides several specialists for specific topics, so you get the expertise your particular situation needs. These specialists include Microsoft personnel, vendors and approved partners. They help with recommended onboarding processes and guidance, understanding the key factors for successful adoption, conducting technical workshops and providing specific guidance, and serving as subject matter experts on various technologies.

Solve compatibility issues

New products can come with compatibility problems, and beyond the frustration they cause, they are likely to affect business operations. With FastTrack, specialists are on hand to provide guidance when you face such issues: you complete an App Assure service request, and partners can also file these requests on behalf of their clients. Remediation assistance is available for apps deployed on Windows 10, Microsoft 365 Apps, the new Microsoft Edge, and Windows Virtual Desktop.

Plan ahead

The transition to cloud resources involves many stages, and without adequate planning a lot can go wrong. FastTrack addresses this during the envisioning phase, where you go over everything that needs to be done before setting the plan in motion. You can discuss this with your Microsoft partner and work out a comprehensive plan that fits your vision. Microsoft also provides optimization and feedback assistance to make sure your goals are met. Instead of plowing ahead and running into issues later, the envisioning phase lets you transition with confidence.

Data migration

Data migration can be a labor-intensive and tedious task; in other words, it costs time and money. With FastTrack you get help migrating the mail and file data in your source environments to Office 365. For Office 365 tenants with 150 to 499 licenses you still perform the migration yourself, but FastTrack provides the guidance to carry it out. As a result, clients get a smoother data migration and a more efficient transition.

Drive user adoption

People don't always welcome new technology with open arms. However brilliant a solution may be, it is equally important to get people on board. So beyond accelerating deployment, FastTrack also plays a crucial role in increasing user adoption. By raising awareness among end users, FastTrack helps them appreciate the solutions on offer, and end users can also receive training to prepare them for the cloud solutions they will use. That way FastTrack drives adoption and helps ensure your investment pays off.

Cost-free assistance

FastTrack has many advantages for companies, and the fact that it comes at no extra cost is a big one. It is available to customers who have purchased an eligible plan, including plans under Microsoft 365, Office 365, Enterprise Mobility + Security, and OneDrive for Business, among others. Because Microsoft tries to cater to everyone, eligible plans can cover individual products or a suite of products, and FastTrack services come with both new and existing subscriptions. Customers receive assistance that helps them take full advantage of what they have purchased, at no additional charge.

Availability

As some people say, the internet makes the world a global village, so services like FastTrack need to be available across borders. Microsoft addresses that by making FastTrack available in all markets. It offers remote assistance in several languages, namely Chinese Simplified (Mandarin dialect), Chinese Traditional (Mandarin dialect), English, French, German, Italian, Japanese, Korean, Portuguese (Brazilian), Spanish, Thai, and Vietnamese. Furthermore, FastTrack.microsoft.com is available in the 12 languages above plus 15 others. This availability means a great deal for businesses across the globe, improving efficiency and increasing the appeal of the service.

Keeping up with technology

Technology is constantly evolving and keeping up with all the developments can be challenging, especially when it comes to transitioning to the cloud. This can be a daunting task for most businesses, and Microsoft FastTrack is a service they can benefit from immensely. Being able to migrate rapidly, effectively and securely is good for all parties. Whenever you need assistance with deployment or with driving adoption, a specialist is ready to assist. The expertise on offer and the simplicity of the process make keeping up with technology a lot easier, and with best practices applied in your business, success becomes the expectation.

Benefits of Using an Azure Hybrid Model

Businesses nowadays are inundated with offers of all kinds of services, and with so many companies to choose from it can be overwhelming. Microsoft Azure, however, is a service that has proven itself. Its reliability, security features and efficiency make it a favorite for many enterprises, and its support for the hybrid cloud model makes it even more attractive. Azure combines this with other Microsoft server and System Center tools to give you enterprise-level offerings. With that in mind, let's explore the benefits of using an Azure hybrid model.

Promotes remote work

One of the challenges of remote work is data access. Businesses need their employees to have access to data wherever they are, and with the modern workspace continuing to evolve, companies can have people working for them from all across the globe. Azure gives you a secure platform to operate efficiently and lets people in different locations work together easily. With the hybrid model, you can keep your sensitive data on on-premises servers while making other key applications available in the cloud. This provides a secure platform for remote workers: data access is no longer a problem, and you retain overall control over sensitive data.

Access a fast and secure network

Microsoft Azure can lay claim to one of the largest global networks, with data centers located across the globe for operational efficiency, and the advantage of the hybrid model is that you get access to this network. With Azure ExpressRoute you can get private connections of up to 100 Gbps, and Azure Virtual WAN lets you connect thousands of users and endpoints. These features combine to give you a network that optimizes your work environment. But speed and efficiency alone won't suffice: you can add Azure DDoS Protection and Azure Firewall, which are configured and billed separately, to make your connections as secure as possible.

Flexibility

Using the Azure hybrid model offers your business operational flexibility. Having multiple platforms on which to operate gives you the option to employ various strategies as well as cut costs. Most businesses know that the demands placed on their IT resources fluctuate, so having options available is valuable when resources are stretched. You can use your on-premises resources for daily operations and turn to the public cloud when additional capacity is called for. Simply put, the hybrid cloud model need not be just a step on the way to a pure cloud deployment; it can be the target architecture.

Cost-savings

Even with plenty of features to get excited about, cost remains a big determining factor. The great thing about the hybrid cloud model is that it is cost-effective, especially for companies that want to scale according to demand and plan long term. Businesses save when demand increases because they do not need significant capital expenditure to expand their existing infrastructure. With the Azure hybrid model you pay for the resources you use, and if demand goes down, so do your costs.

Products and services

Microsoft Azure offers several products and services to help you build your hybrid solution. If you want to extend Azure management to any infrastructure, Azure Arc is what you need; with it you can run Azure data services anywhere in your hybrid environment. Then there is Azure Stack, which helps you build, deploy and run consistent hybrid apps across on-premises, cloud and the edge.

Then we move on to developer tools and DevOps. For building, testing and deploying your apps you get a comprehensive developer toolkit, and to improve collaboration and ship faster you can extend DevOps to any environment or cloud. All of this counts for little if security is inadequate. Azure provides unified security management and AI-enabled threat protection across the estate, although these services still have to be configured, monitored and acted on by your own team. Convenience matters too, and for that there is a seamless single sign-on experience across cloud, mobile and on-premises apps.

Reduced risk

Companies can suffer catastrophic events beyond their control. From outages to regional natural disasters, these events can cripple a business. With Microsoft Azure you can have peace of mind that your data is safe, provided you design for it: as mentioned above, Azure has one of the largest global networks, and by replicating data and services to a second region a regional disaster will affect but not completely shut down your operations. In other words, a well-configured Azure subscription can carry a large part of your business continuity strategy.

Delete default material in Ultimaker Cura

Would you like to delete the default material profiles in Cura? Look no further!

For some reason Ultimaker does not support removing default materials from within the application, but it can simply be done by removing the XML files (*.xml.fdm_material) associated with each profile.

On Windows go to C:\Program Files\<your version of Cura>\resources\materials
Delete all the files in that folder; this removes all default material profiles. Take a copy of the folder first so you can restore a profile later, and expect to repeat the step after upgrading Cura, since a new version ships its own copy of the defaults.

If you have already created custom profiles, don't worry, they are kept elsewhere (e.g. C:\Users\<username>\AppData\Roaming\cura\<version>\materials\).

Anet A8 Plus upgrade to Marlin 2.0.x

I really wanted to upgrade my Anet A8 Plus with a bed leveling sensor, but unfortunately I was not able to find the source code for the stock firmware.

UPDATE: some of it is now available here: ANET 3D Firmware

  1. Download and install the latest Arduino IDE
    1. NOTE: I used 1.8.10. You can always download an older version if needed.
  2. Download the Anet A8 board definition
  3. Extract the Anet A8 board definition
  4. From the extracted Anet A8 board definition, copy the Arduino\Hardware folder to the Arduino install location (default: C:\Program Files (x86)\Arduino)
  5. Download the latest Marlin 2.x.x firmware
  6. Extract the Marlin firmware
  7. From the extracted Marlin firmware, copy \Config\Examples\Anet\A8plus to the \Marlin\ folder (same location as Marlin.ino)
  8. Connect the USB cable to your Anet motherboard
  9. Open the installed Arduino IDE
  10. Download and install U8glib by oliver
    1. Click Sketch -> Include Library, then Manage Libraries
    2. Search for U8glib – MAKE SURE TO SELECT THE CORRECT ONE! – U8glib by oliver
    3. Click Install
    4. Click Close
  11. Click Tools -> Board, select Anet 1.0 (Optiboot)
    1. NOTE: Optiboot is a small and fast bootloader for Arduino and other Atmel AVR chips
  12. Click Port, select the assigned COM port
    1. NOTE: To check that you are connected, click Tools -> Get Board Info. This returns information about the board if you are connected.
  13. Find this line in Configuration.h: #define ANET_FULL_GRAPHICS_LCD
  14. Comment it out like this: //#define ANET_FULL_GRAPHICS_LCD
  15. Find the line: //#define CR10_STOCKDISPLAY
  16. Uncomment it like this: #define CR10_STOCKDISPLAY
  17. Find the line: #define ENDSTOP_INTERRUPTS_FEATURE
  18. Comment it out like this: //#define ENDSTOP_INTERRUPTS_FEATURE
    1. NOTE: The update and consolidation of TMC support into the TMCStepper library has made the ENDSTOP_INTERRUPTS feature incompatible with TMC drivers, until a workaround is found.
  19. Now you're ready to upload the firmware, or add/remove the features you need

The Anet V1.7 board comes with limited flash ROM (128 KB, i.e. 131,072 bytes, and that includes the bootloader). This will not allow you to pick every feature and add it.

Should you by accident (like me) upload a firmware that is too large or corrupt the bootloader, you will need a USBasp and a 10-pin to 6-pin ISP adapter.

NOTE:
If you see the following error, flash the bootloader using the USBasp; your sketch is probably too big.
avrdude: stk500_recv(): programmer is not responding
avrdude: stk500_getsync() attempt 1 of 10: not in sync: resp=0x60
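The recovery step above, as an added example that is not part of the original post: checking the ISP connection, backing up the flash and writing Optiboot back with avrdude from a PowerShell prompt. The avrdude and avrdude.conf paths are the Arduino IDE defaults on Windows; the Optiboot image path is an assumption based on where the Anet board definition is copied in step 4, so check the boards.txt of the package you installed for the real file name:

```powershell
# Added example, not from the original post: recover an Anet V1.x board (ATmega1284P)
# with a USBasp after an oversized sketch or a corrupt bootloader.

$avrdude    = 'C:\Program Files (x86)\Arduino\hardware\tools\avr\bin\avrdude.exe'
$conf       = 'C:\Program Files (x86)\Arduino\hardware\tools\avr\etc\avrdude.conf'
$bootloader = 'C:\Program Files (x86)\Arduino\hardware\anet\avr\bootloaders\optiboot\optiboot_atmega1284p.hex'  # assumed path

# 1. Check the ISP connection and read the fuses without writing anything.
#    A wrong device signature or "initialization failed" means the 10-to-6 pin adapter
#    is wired wrong or the board is not powered; fix that before flashing.
& $avrdude -C $conf -c usbasp -p m1284p -U lfuse:r:-:h -U hfuse:r:-:h -U efuse:r:-:h

# 2. Back up the current flash (including whatever bootloader is left) before touching it.
& $avrdude -C $conf -c usbasp -p m1284p -U "flash:r:$env:TEMP\anet-flash-backup.hex:i"

# 3. Write the Optiboot bootloader. The Arduino IDE does the same (and also sets the fuses)
#    through Tools -> Burn Bootloader with USBasp selected as programmer; use that if you
#    prefer not to type this.
& $avrdude -C $conf -c usbasp -p m1284p -U "flash:w:$bootloader:i"

# 4. Afterwards, upload the Marlin sketch over USB again from the IDE. If the IDE reports the
#    sketch is larger than the maximum, remove features in Configuration.h before retrying;
#    the 128 KB flash must hold both the sketch and the bootloader.
```

Keep the backup from step 2: if the sketch later fails to boot you can write it back with the same -U flash:w syntax to get the printer running while you trim the configuration.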

I recommend you to review and edit you own configuration files, but for sample purposes here are mine: [download id=”931″]


MSIX Insider Preview Build 1.2019.522.0

First insider preview release for the upcoming public release in July.

New Features:

  • Support for desktop installers that require restart – read more
    • Auto-login option for restart
  • New options in app settings
    • Specify a default cert to sign packages with
    • Specify exit codes for installers that require restart


Known “bugs/features”

  • Negative reboot exit codes are currently not supported
  • If Default cert is specified, you still need to select to sign your package
  • During remote or VM restarts, there might be an extra login prompt
  • Restore defaults button doesn’t remove certificate password or installer exit codes
  • There are some UI inconsistencies

You can find the full history of MSIX Packaging Tool release notes here.


List Packages that run in user context (Run with user’s rights)

Introduction

After last week's post with the script sample to list applications that run in user context, there was some good feedback from people still using packages and wanting a list of packages that install within the user context (Run with user's rights / execution mode as user).

It seems that many are still using packages, either as a result of legacy migration or to avoid re-packaging some applications.

So here is the follow-up post, with a new script to list all packages and programs that run in user context.

From my point of view, it's still the same: using PSADT pretty much any package can be converted to install as system, and the needed items (registry keys, files etc.) in the user context can be added in a structured and controlled way.

I do still come across some applications that I would prefer to have as an MSI with all settings added, at least for simplicity; for those packages I still prefer to use Advanced Installer.
When talking Advanced Installer, they also have great support for MSIX, which makes the process so much easier and cost efficient.

This script lists all packages with programs that are configured to install as user (within the user context).

All you need to do is configure the path to the module to import and set the site code.

A file will be created at "C:\TEMP\Packages_and_Programs_Run_Mode_List.csv" with the following format:

"Package Name","Package ID","Program Name","Run with USER's right"
"My Application","BB10001D","execute","TRUE"

In the example above we have a package 'My Application' whose program has the run mode configured as Run with user's rights.

(Screenshot: properties of the program, where the program run environment is configured as Run with user's rights.)
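An added example of the same report, not the post's downloadable script: it queries the SMS Provider over CIM instead of the ConfigurationManager module, and decodes the run mode from SMS_Program.ProgramFlags. The site server and site code are placeholders, and the bit values used for the run mode (ADMINRIGHTS = 0x8000, USERCONTEXT = 0x4000) are my reading of the SMS_Program class reference; verify them against the documentation for your ConfigMgr version before relying on the output:

```powershell
# Added example (not the post's script): list ConfigMgr package programs whose run
# mode is "Run with user's rights", straight from the SMS Provider.

$SiteServer = 'cm01.contoso.local'   # placeholder
$SiteCode   = 'P01'                  # placeholder
$OutFile    = 'C:\TEMP\Packages_and_Programs_Run_Mode_List.csv'

# SMS_Program.ProgramFlags bits (assumed values; check the SMS_Program class reference):
$ADMINRIGHTS = 0x00008000   # set when the program runs with administrative rights
$USERCONTEXT = 0x00004000   # set when the program runs in the logged-on user's context

function Test-RunsWithUserRights {
    # "Run with user's rights" is the run mode whenever administrative rights are not requested.
    param([uint32]$ProgramFlags)
    -not [bool]($ProgramFlags -band $ADMINRIGHTS)
}

$programs = Get-CimInstance -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -ClassName SMS_Program

$report = foreach ($p in $programs) {
    [pscustomobject]@{
        'Package Name'          = $p.PackageName
        'Package ID'            = $p.PackageID
        'Program Name'          = $p.ProgramName
        "Run with USER's right" = (Test-RunsWithUserRights -ProgramFlags $p.ProgramFlags).ToString().ToUpper()
        'User context flag'     = [bool]($p.ProgramFlags -band $USERCONTEXT)
        'ProgramFlags (hex)'    = ('0x{0:X8}' -f $p.ProgramFlags)
    }
}

# Keep only the programs that run with the user's rights, in the same CSV layout as the post.
$report |
    Where-Object { $_."Run with USER's right" -eq 'TRUE' } |
    Sort-Object 'Package Name', 'Program Name' |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The raw ProgramFlags column is included on purpose: if a program shows up that the console reports with a different run mode, compare its hex value with the class reference and adjust the two constants rather than trusting the boolean blindly.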


Download the script from TechNet Gallery: https://gallery.technet.microsoft.com/Generate-a-list-of-d8778d4c?redir=0



List Applications that run in user context (Install for User)

Introduction

When deploying applications, sometimes they are created to install within the active user's context.
This means that the actual installation requires the user to have the needed permissions to the file system, registry and so on.
In some cases local administrative rights are needed to perform the application installation; this is not good practice.

As applications mature for the modern design of the Windows operating system, or we choose to remove users' administrative rights for security reasons, we may need to list and change the behavior of existing applications.

This script was created to list applications that are configured with the installation behavior Install for user.

The actual output ends up in the exported CSV file.

Script Download [download id=”893″]
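An added example that is not the downloadable script: it reads each application's SDMPackageXML digest from the SMS Provider and reports the deployment types whose ExecutionContext is User. The site server, site code and output path are placeholders; the digest element names (DeploymentType, Installer, ExecutionContext with values System, User or Any) are assumptions based on the application model, so if a deployment type comes back as Unknown, inspect its digest and adjust the XPath. SDMPackageXML is a lazy property, which is why each application is re-fetched in full with Get-CimInstance -InputObject:

```powershell
# Added example (not the post's script): list application deployment types that are
# configured to "Install for user" by reading the ExecutionContext from the digest.

$SiteServer = 'cm01.contoso.local'   # placeholder
$SiteCode   = 'P01'                  # placeholder
$OutFile    = 'C:\TEMP\Applications_Install_For_User.csv'

function Get-DeploymentTypeContext {
    # Returns one object per deployment type found in an SDMPackageXML digest.
    param([string]$SdmPackageXml)
    $digest = [xml]$SdmPackageXml
    # The digest uses a default namespace; matching on local-name() avoids a namespace manager.
    $dtNodes = $digest.SelectNodes("//*[local-name()='DeploymentType' and *[local-name()='Installer']]")
    foreach ($dt in $dtNodes) {
        $installer = $dt.SelectSingleNode("*[local-name()='Installer']")
        $title     = $dt.SelectSingleNode("*[local-name()='Title']")
        $ctx       = $installer.SelectSingleNode("*[local-name()='ExecutionContext']")   # assumed location
        [pscustomobject]@{
            DeploymentType   = if ($title) { $title.InnerText } else { $dt.GetAttribute('LogicalName') }
            Technology       = $installer.GetAttribute('Technology')
            ExecutionContext = if ($ctx) { $ctx.InnerText } else { 'Unknown' }
        }
    }
}

# Only the latest, non-expired revision of each application is of interest.
$apps = Get-CimInstance -ComputerName $SiteServer -Namespace "root\SMS\site_$SiteCode" -ClassName SMS_Application |
    Where-Object { $_.IsLatest -and -not $_.IsExpired }

$rows = foreach ($app in $apps) {
    $full = Get-CimInstance -InputObject $app            # pulls the lazy SDMPackageXML property
    foreach ($dt in Get-DeploymentTypeContext -SdmPackageXml $full.SDMPackageXML) {
        if ($dt.ExecutionContext -eq 'User') {
            [pscustomobject]@{
                Application      = $app.LocalizedDisplayName
                CI_ID            = $app.CI_ID
                DeploymentType   = $dt.DeploymentType
                Technology       = $dt.Technology
                ExecutionContext = $dt.ExecutionContext
            }
        }
    }
}

$rows | Sort-Object Application, DeploymentType | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Deployment types whose context is Any are deliberately left out of the CSV: they install as system when no user is logged on and as the user otherwise, so review them separately rather than counting them as user installs.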



Today, with modern management tools and applications, users should not have local administrative rights on a permanent basis.
Most, if not all, applications can be repackaged to deploy without the need for administrative rights.



Useful links:

PowerShell Application Deployment Toolkit: https://psappdeploytoolkit.com
Advanced Installer: https://www.advancedinstaller.com/
Access Director Enterprise: https://ctglobalservices.com/access-director-enterprise/



MSIX Insider Preview Build 1.2019.402.0

Yet another release of the MSIX Packaging Tool (1904) is nearing general public release.

Here is the list of features and fixes

  1. Ability to convert on a remote machine.
    1. We talked about that earlier here
  2. Improved management experience in package editor.
    1. Auto versioning recommendations when saving in package editor.
    2. Now supports existing folder addition to package in VFS.
  3. User can specify known valid exit codes for CLI conversions.
  4. Added the ability to time stamp your signed package in all of the workflows where signing is currently available.
    1. You can specify your default time stamp URL and type of time stamp server in the tool Settings page.
  5. Updated AppID generation logic, and added additional validation for package name and app.
  6. Bug fixes and performance improvements

The detailed history for the app release can be found here


Cleaning up shortcuts

So, the issue at hand:
I was replacing an Office application on Windows systems, where I noticed that shortcuts created by the users were not upgraded or removed when the new Office version was installed.

The issue seems to be related to users creating custom shortcuts directly to exe files.
In some cases the shortcut name was clear, but in other cases the users had chosen whatever name they saw fit.

The following PowerShell script was created to remove shortcuts (lnk files) based on the target executable. This means you can specify the exe, or use a wildcard if multiple executable files relate to an application.

########
# This script searches for all *.lnk files pointing to "C:\Program Files (x86)\App\My Application.exe" or "C:\Program Files\App\My Application.exe"
# It searches the C:\Users\* profile paths (including user desktops and %AppData%\Microsoft\Internet Explorer\Quick Launch) and the ProgramData Start Menu.
# The name of the link file can vary, therefore each shortcut is matched on the path of its target executable and not on the lnk name.
# Matching lnk files are then deleted.
#
# The script should be run with admin rights, otherwise shortcuts will only be deleted for the user running the script.
########

### Specify the shortcut's target executable here.
$AppExecutable = "C:\Program files*\Microsoft Office\Office15\*.exe"
# * The wildcard after "Program files" matches both "Program Files" and "Program Files (x86)".
###

### Paths to browse and search for shortcuts.
$SearchRoots = "C:\Users", "C:\ProgramData\Microsoft\Windows\Start Menu"
$ShortcutLocations = Get-ChildItem -Path $SearchRoots -Recurse -Include *.lnk -Force -ErrorAction SilentlyContinue
# * -Recurse = includes all subdirectories; -Force = includes hidden folders such as AppData.
###

### Get properties for the shortcuts found in the locations
Function Get-ShortcutsProperties {
    Param([System.IO.FileInfo[]]$Shortcuts)
    $Shell = New-Object -ComObject WScript.Shell
    Foreach ($Shortcut in $Shortcuts) {
        # CreateShortcut expects a string path, so pass .FullName rather than the FileInfo object.
        $Target = $null
        Try { $Target = $Shell.CreateShortcut($Shortcut.FullName).TargetPath }
        Catch { Write-Warning "Could not read $($Shortcut.FullName): $_" }
        [PSCustomObject]@{
            ShortcutName     = $Shortcut.Name
            ShortcutFullName = $Shortcut.FullName
            ShortcutLocation = $Shortcut.DirectoryName
            ShortcutTarget   = $Target
        }
    }
    [Runtime.InteropServices.Marshal]::ReleaseComObject($Shell) | Out-Null
}
###

$ShortcutsList = Get-ShortcutsProperties -Shortcuts $ShortcutLocations

### Compare each shortcut's target path with $AppExecutable and delete the shortcut when it matches
Foreach ($item in $ShortcutsList) {
    if ($item.ShortcutTarget -and ($item.ShortcutTarget -like $AppExecutable)) {
        Remove-Item -Path $item.ShortcutFullName -Force -ErrorAction SilentlyContinue
    }
}
######## End of the script

Download the PowersShell Script here: [download id=”877″]