How AppLocker Improves Security and Compliance

The security of your organization is not something that you can afford to leave to chance. The wave of cybercrime over the last few years has been unrelenting. This is why you need to take advantage of platforms such as AppLocker. By leveraging its application whitelisting feature, you’ll get a very powerful way of stopping a multitude of attacks. And if you configure it correctly, you can massively increase the amount of time it would require for a cyberattacker to get around the system. This is the kind of technology that can enhance the security of your organization. Hence why we need to discuss just how AppLocker will help you with security and compliance measures.

Securing your organization

Arguably the biggest security risk for most organizations comes from employees simply running applications. As long as users can run executables or have access to files that can potentially contain malicious code, your organization is at risk. Such incidents could compromise the entire network and not just a single device. So by helping you to determine which files and applications users can run, AppLocker immediately improves your security. These files can include DLLs, scripts, Windows Installer files, and packaged app installers. Giving system admins greater control in these particular areas will shore up your business’ defenses.

Control allowed software

To maintain high-level security for corporate data and your business as a whole, system admins need to be strict about which softwares and applications are allowed to run. Otherwise, you risk giving access to software that can create vulnerabilities in your network. AppLocker is fully capable of denying applications from running when you exclude them from the list of allowed apps. And in the production environment, when AppLocker rules are enforced any apps that are not in the allowed rules are blocked from running. Therefore, users can’t intentionally or accidentally run software that is explicitly excluded from the allowed list.

AppLocker rules

AppLocker has several different types of files that it can block. This makes it extremely efficient in its whitelisting capabilities because it’s highly unlikely that anything that you want to block will make it through. The types of files that AppLocker can block include the following:

  • Executable files such as .exe, and .com
  • Windows installer files such as .mst, .msi and .msp
  • Executable files such as .bat, .ps1, .cmd, .js and .vbs
  • DLL executables
  • Packaged app installers such as .appx

The organization of the above into rule collections is something that will help you to easily differentiate the rules for different types of apps.

Default rules

In addition to the above, AppLocker also gives you default rules for each rule collection. These rules are allowed in an AppLocker rule collection and they are necessary if Windows is to function correctly. To start, you’ll have to go and open the AppLocker console. Having done that, right-click the appropriate rule type for which you want to generate default rules automatically. You can automatically create executable rules, Windows Installer rules, script rules, and packaged application rules. Lastly, click on Create Default Rules.

Monitoring app usage

After you set your rules and deploy the AppLocker policies, monitoring app usage can help you assess whether policy implementation is per your expectations. To understand what application controls are currently enforced through AppLocker rules, you can:

  • Analyze the AppLocker logs in Event Viewer.
  • Enable the Audit-only AppLocker enforcement setting to ensure that the AppLocker rules are properly configured for your organization.
  • Review AppLocker events with Get-AppLocker File Information.
  • Review AppLocker events with Test-AppLocker Policy Windows PowerShell cmdlet to see whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.

Main advantages

Several benefits come with AppLocker that help to make it a more attractive option for any business looking to enhance security and compliance. The first thing is the cost. How much you ask? Well, if you already have the enterprise edition of Windows Server, then there is no extra cost to talk about. Moreover, AppLocker comes as an integrated part of Group Policy, which most Windows Admins are already familiar with. Because of that, this can simplify the AppLocker user experience and make it a seamless one. Also, any AppLocker policy can be imported into Intune as an XML file giving you a similar level of control of apps for MDM-enrolled devices as you would for on-premises, domain-joined devices. And to further save you productive time, Windows internal apps are automatically whitelisted.

Why consider AppLocker?

Even with all the security benefits available, as an organization, you still have to determine whether or not you actually need AppLocker. And for most, the answer will probably be a resounding yes. If your organization needs the ability to verify which apps are allowed to run on your corporate network, then you need AppLocker. Furthermore, if you want to check which users are allowed to use the licensed program, then you probably also need it. To these, you can also add organizations that need to provide audit logs containing the type of apps that clients have been running. And of course, wherever there is a need to prevent overzealous users from running random software, AppLocker can play a significant role.

Wrap up

Only the best technology will do for any organization that seeks to keep cybercriminals away. Attacks are being orchestrated from all around and the degree of sophistication is constantly changing. Therefore, organizations need to take proactive measures to stay ahead of hackers. And platforms such as AppLocker can enable you to do that. By setting up blocks for different types of files and software, you instantly reduce your surface area of attack. It’s time to leverage all available technology to fight back against cybercrime.

7 Microsoft 365 Tools for IT Professional and Admin Training

A lot of people are familiar with Microsoft software and have been using it for years. However, new products as well as updates are constantly being rolled out. As such, it’s important to educate yourself on all the new features that are available in order to optimize the user experience. Microsoft 365 (M365) has plenty of amazing features that can vastly improve how you operate. And there are several training tools available to help fully equip you with the necessary skills to run M365. It’s these tools that we’ll go over below to see just how they can help you.

Video Hub

Poring over countless pages of documents can be a painstaking task for most people. It’s something that can very easily put one off from learning something. Fortunately, Microsoft 365 gives its clients a great alternative. With Video Hub you’ll get to do you learning through watching videos that will provide you with all the expertise you need. This platform contains over 150 technical videos about Microsoft technologies. Also, if you happen to have any questions, there are subject matter experts available to answer those for you. By using Video Hub, you will undoubtedly enhance your learning experience and gain new skills.

Instructor-led courses

To further sharpen your skills, Microsoft also has courses available that are taught by experts. Depending on your preference, you have the choice of taking the course online or in person. Moreover, the courses are taught by Microsoft Certified Trainers so you can be certain that you’ll be receiving a quality education. In addition, the web page comes with a filter so you don’t have to browse over a hundred courses searching for what you need. You get to pick the material that you want to learn and focus on that only. So whether you’re a beginner or advanced, an administrator or a developer, there are courses available for you.

Certification

The tools mentioned above can help you on your journey to get certification. For a lot of people, this is the goal as it will help to improve your prospects. Microsoft certification shows that you are keeping up with recent technological advances as well as the requirements that come with various roles. Similarly to the courses above, the certifications page also has a filter that will point you to the material that you need. Doing these certifications will boost not only your productivity as an individual but your value to your organization as well. Additionally, these certifications have great potential to advance your career and prepare you for future possibilities.

Online providers

Apart from Microsoft, you can also find online service providers that can provide you with the training you need. Having alternative options gives clients a lot more convenience as well as the choice of how they want to proceed with their learning. These courses can help individuals to get an in-depth understanding of the administrative capabilities of Microsoft 365. And the key thing here is to search for courses that are led by Microsoft certified trainers. Otherwise, you may end up receiving training that will not be recognized in the future. 

Microsoft Learn

Microsoft Learn is an exciting sandbox-based learning platform that enables people to learn about various technologies. By putting everything together in one place, Microsoft makes IT professional and admin training a whole lot simpler. All you need to get started is to set up a Microsoft account if you don’t already have one. It’s a very simple process that just requires you to fill in your details. Another great benefit that you get from this platform is the fun aspect of the learning process. Things such as points and trophies awarded for reaching certain goals serve to add a little fun to the learning process.

Learning paths and modules

Microsoft offers various learning paths and modules that are designed to fully equip you with the knowledge you need. You’ll find close to 300 options available on this particular web page. So this is an area that will provide you with step-by-step guidance to mastering Microsoft products. With some of these having no prerequisites it means that you can select a learning path or module and jump straight in. You’ll need to dedicate a couple of hours to learning the material but you can do it at your convenience. If you’re looking for efficient learning platforms then this is what you need.

YouTube tutorials

In addition to the Video Hub that you get from Microsoft, you’ll find that YouTube is also a rich source of learning material. In fact, Microsoft has the vast majority of M365 videos that can be found on YouTube. The advantage of using this platform is that you get to learn from various individuals. Although some may not be Microsoft certified trainers, they can still provide you with a great learning platform. Sometimes all you need to understand a challenging concept is for someone to explain it in a slightly different way and it’s as if a light has been switched on. Without a doubt, YouTube can be a valuable learning tool, if used with discretion of course.   

Equipping yourself

Technology is moving at a very rapid pace that makes it difficult to keep up with. And because of that pace, it’s not always feasible to physically attend classes or seminars to learn what you need. Fortunately, for Microsoft 365 users they get plenty of tools to provide them with adequate training. These tools allow you to enhance your skills at your own pace and gain Microsoft certification. All of which you can achieve in the comfort of your own home. Whatever you need to learn is potentially just the click of a button away.

New Microsoft Edge based on Chromium – error status: 1603

I recently ran into to an issue deploying the New Microsoft Edge, for some reason it kept failing with Error status 1603 on most of the systems.

The deployment version was version: 87.0.664.47
It kept failing on a lot of systems with build: 1803, I did suspect a missing KB of some kind, but did not find any apparent prerequisites missing.

Tried the same method for the latests version – 87.0.664.60, both downloaded from: https://www.microsoft.com/en-us/edge/business/download and everything seem to be working, now deployed to more then 2000 systems.

CustomAction DoInstall returned actual error code -2147219187 (note this may not be 100% accurate if translation happened inside sandbox)

Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action DoInstall, location: C:\WINDOWS\Installer\MSI9085.tmp, command: /silent /install "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft Edge&needsAdmin=True&usagestats=0&ap=stable-arch_x64" /installsource enterprisemsi /appargs "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&installerdata=%7B%22distribution%22%3A%7B%22msi%22%3Atrue%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Atrue%2C%22msi_product_id%22%3A%2292749E40-069E-3467-BB1F-78BB266190E2%22%2C%22allow_downgrade%22%3Afalse%2C%22do_not_create_desktop_shortcut%22%3Afalse%2C%22do_not_create_taskbar_shortcut%22%3Afalse%7D%7D" 

MSI (s) (10:A8) [13:21:48:649]: Product: Microsoft Edge -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action DoInstall, location: C:\WINDOWS\Installer\MSI9085.tmp, command: /silent /install "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&appname=Microsoft Edge&needsAdmin=True&usagestats=0&ap=stable-arch_x64" /installsource enterprisemsi /appargs "appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}&installerdata=%7B%22distribution%22%3A%7B%22msi%22%3Atrue%2C%22system_level%22%3Atrue%2C%22verbose_logging%22%3Atrue%2C%22msi_product_id%22%3A%2292749E40-069E-3467-BB1F-78BB266190E2%22%2C%22allow_downgrade%22%3Afalse%2C%22do_not_create_desktop_shortcut%22%3Afalse%2C%22do_not_create_taskbar_shortcut%22%3Afalse%7D%7D" 

MSI (c) (C4:44) [13:21:48:771]: Windows Installer installed the product. Product Name: Microsoft Edge. Product Version: 87.0.664.47. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

Any ideas, other then deploying latest and greatest? Let me know

Deploy Microsoft Edge Chromium Using PowerShell App Deployment Toolkit (PSADT)

The new Microsoft Edge  is based on Chromium and was released on January 15, 2020. It is compatible with all supported versions of Windows. Installing the browser will replace the legacy version of Microsoft Edge on Windows 10.

PowerShell App Deployment Toolkit (PSADT) is a great framework to deploy and manage application deployment – it is free of charge and can be downloaded from https://psappdeploytoolkit.com/

The script is published here on Github

This deployment script example does the following within the PSADT framework:

Pre-Install:
If Microsoft Edge is open, it will prompt the user to close it or delay the deployment 3 times (Comment line 120 if you prefer to just shut it down)
As a Pre-installation task it searches the add/remove program list for any version of Microsoft Edge and uninstalls it.

Install:
It then installs the MSI file from the Files directory – MicrosoftEdgeEnterpriseX64.msi
The latests version of Microsoft Edge for Business version can also we downloaded from – https://www.microsoft.com/en-us/edge/business/download

Uninstall:
Uninstalltion is performed using the name from Add/remove programs (same as for the pre-install step) so this will require no changes. (Line 181)

Repair:
If needed repair can be enabled (or updated for other versions)
(Modify line 203 if deploy other versions)

Microsoft Edge follows the Modern Lifecycle policy. Learn more about supported Microsoft Edge releases.

Controlling User App Access With AppLocker

Most organizations could probably gain some benefits from deploying application control policies. This is something that your IT guys could use to make their work easier and improve the overall management of employee devices. AppLocker is a platform that will give admins control over which apps and files users can run including packaged app installers, scripts, executable files, Windows Installer files, DLLs, and packaged apps. Because of its features, AppLocker will help organizations to reduce their admin overhead and the cost of managing computer resources. With that said, let’s go over how AppLocker helps you to control user app access.

Installation

Users that are running the enterprise-level editions of Windows will find that AppLocker is already included. Microsoft allows you to author rules for a single computer or a group of computers. For single computers, you’ll need to use the Local Security Policy Editor (secpol.msc). And for a group of computers, you can use the Group Policy Management Console to author the rules within a Group Policy Object (GPO). However, it’s important to note that you can only configure AppLocker policies on computers running the supported versions and editions of the Windows operating system.

Features of AppLocker

AppLocker offers its clients several great features to help you to manage access control. It allows you to define rules based on file attributes and persisting across app updates. These include publisher name, file name, file version, and product name. You can also assign rules to individual users or security groups as well as create exceptions to rules.

In order to understand the impact of a policy before enforcing it, AppLocker allows you to use audit-only mode to first deploy the policy. Another feature enables the creation of rules on a staging server that you can test before exporting them to your production environment and importing them into a Group Policy Object (GPO). And then by using Windows Powershell cmdlets for AppLocker, you’ll have an easier time creating and managing rules.

Enhancing security

AppLocker works well at addressing the following security scenarios:

  • Application inventory: AppLocker policies can be enforced in an audit-only mode where all application access activity is registered in event logs.
  • Protection against unwanted software: you can exclude from the list of allowed apps any app that you don’t want to run and AppLocker will prevent it from running.
  • Licensing conformance: AppLocker enables you to create rules blocking the running of unlicensed software while limiting licensed software to authorized users.
  • Software standardization: to have a more uniform application deployment, you can set up policies that will only allow supported or approved apps to run on PCs within a business group.
  • Manageability improvement: AppLocker has improved a lot of things from its predecessor Software Restrictions Policies. Among those improvements are audit-only mode deployment, automatic generation of rules from multiple files, and importing and exporting policies.

Apps to control

Each organization determines which apps they want to control based on their specific needs. If you want to control all apps, you’ll note that AppLocker has policies for controlling apps by creating allowed lists of apps by file type. When you want to control specific apps, a list of allowed apps will be created when you create AppLocker rules. Apart from the apps on the exception list, all the apps on that list will be able to run. For controlling apps by business group and user, AppLocker policies can be applied through a GPO to computer objects within an organizational unit.

Allow and deny actions

Because each AppLocker rule collection operates as an allowed list of files, the only files that are allowed to run are the ones that are listed in this collection. This is something that differs from Software Restriction Policies. Also, since AppLocker operates by default as an allowed list, if there is no explicit rule allowing or denying a file from running, AppLocker’s default deny action will block that file. Deny actions are typically less secure because a malicious user can modify a file thereby invalidating the rule. One important thing to remember is that when using the deny action on rules, you need to first create rules allowing the Windows system files to run. Otherwise, a single rule in a rule collection meant to block a malicious file from running will also deny all other files on the computer from running.

Administrator control 

The last thing most organizations would want is any standard user or worse a malicious one modifying their policies. Therefore, AppLocker only allows administrators to modify AppLocker rules to access or add an application. For PCs that are joined to a domain, the administrator can create AppLocker rules that can potentially be merged with domain-level rules as stated in the domain GPO.

Is AppLocker for you?

If you see the need to improve app or data access for your organization then AppLocker is something you should be considering. Also, if your organization has a known and manageable number of applications then you have an additional reason. Ask the question, does your organization have the resources to test policies against the organization’s requirements? Or the resources to involve Help Desk or to build a self-help process for end-user application access issues? If yes to the above, then AppLocker would be a great addition to your organization’s application control policies.

Wrap up

Software that enhances the way an organization controls access to its applications and data can play a significant role in boosting efficiency. AppLocker is one such platform. With all the great features available, it can easily become a fantastic tool for your IT team. Not only does it simplify access control management, but its various actions will also result in greater security. Without a doubt, AppLocker can be a valuable addition to your application control policies.

Benefits of Using Microsoft FastTrack

Benefits of Using Microsoft FastTrack

Cloud technology has grown significantly in importance in recent years. Not only has the technology brought great convenience but it’s also available to everyone. From Fortune 500 companies to small startup businesses, there are options for everyone. As is often the case, the challenge comes with making the change to using cloud resources. Lack of knowledge and a fear of the unknown can make a lot of people hesitant. Consequently, making that transition can be very challenging. And so to deal with this issue, Microsoft offers us FastTrack. It’s a solution that will help clients to deploy Microsoft cloud solutions. There are some great benefits that come with that and we shall be going over them below.   

Get expert guidance

Microsoft FastTrack is a service that helps clients onboard Microsoft Cloud solutions. It also helps to drive user adoption. So who exactly is doing the assisting? Microsoft has FastTrack specialists who are responsible for your overall onboarding experience. Because of the very different situations that clients may need to deal with, FastTrack provides you with several specialists for specific topics. Therefore, you’ll have the necessary expertise for your particular situation. Included among these specialists are Microsoft personnel, vendors, and approved partners. Specialists will help you with: recommended onboarding processes and guidance, understanding key success adoption factors, conducting technical workshops and providing specific guidance, as well as serving as subject matter experts on various technologies.

Solve compatibility issues

New products can at times come with compatibility problems. As well as the frustrations that would cause, it’s likely to affect business operations. Fortunately, with FastTrack, there are specialists on hand to provide the necessary guidance when you are facing such issues. All you need to do is complete the App Assure service request. In addition, partners can also process these requests for their clients. By enabling this feature, FastTrack offers clients even greater convenience. Remediation assistance is available for apps deployed on Windows 10, Microsoft 365 Apps, the new Microsoft Edge, and Windows Virtual Desktop.  

Plan ahead

The transition to using cloud resources is a process that involves plenty of stages. And if you don’t plan adequately, a lot can go wrong. FastTrack deals with this during the envisioning phase. Here you get to go over all the details of what needs to be done before setting the plan in motion. This is something that you can discuss with your Microsoft partner and thus work out a comprehensive plan that caters to your vision. Microsoft also provides optimization and feedback assistance to make sure that all your goals are met. Instead of just plowing ahead and potentially falling into issues later on, the envisioning phase gives you the confidence to transition without fear.

Data migration

Data migration can be a labor-intensive and tedious task to carry out. In other words, it costs a lot of time and money. With FastTrack, you will get help with migrating the mail and file data in your source environments to Office 365. Although, for Office 365 tenants with 150 to 499 licenses, you still need to perform the data migration yourself. However, FastTrack provides the necessary guidance to help you carry out the process.  As a result, clients get to benefit from a smooth data migration process that makes the transition extremely efficient.

Drive user adoption

People don’t always welcome new technology with open arms. Regardless of how brilliant certain solutions may be, it’s equally important to get people on board. So instead of just accelerating deployment, FastTrack also plays a crucial role in increasing user adoption. By increasing awareness among end-users, FastTrack can help them to appreciate the solutions on offer. In addition, the end-users can also receive training to prepare them for all the various cloud solutions they will use. That way, FastTrack can drive user adoption and thus ensure that your investment is well worth it.     

Cost-free assistance

FastTrack has a lot of advantages for companies and the fact that you get it for free is massive. Of course, this is for clients who have already purchased an eligible plan. These include plans under Microsoft 365, Office 365, Enterprise Mobility + Security, and OneDrive for Business among others. Because Microsoft tries to cater to everyone, the plans can cover individual products or a suite of products. So you get FastTrack services with a new or existing subscription. Clients will receive great assistance to enable them to take full advantage of their purchases.  And getting that help at no extra cost makes it even better.

Availability

As some people would say, the internet makes the world one global village. Thus services like FastTrack need to be easily available across borders. Microsoft addresses that need by availing FastTrack in all markets. It offers remote assistance in several languages namely: Chinese Simplified (Mandarin dialect), Chinese Traditional (Mandarin dialect), English, French, German, Italian, Japanese, Korean, Portuguese (Brazilian), Spanish, Thai, and Vietnamese. Furthermore, FastTrack.microsoft.com is also available in the 12 languages above plus 15 others. This availability means great things for businesses all across the globe. Not only will it improve efficiency but it increases the appeal of the product even more.

Keeping up with technology

Technology is constantly evolving and keeping up with all the developments can be challenging. Especially when it comes to transitioning to the cloud. This can be a very daunting task for most businesses. Needless to say, Microsoft FastTrack is a solution that businesses can benefit immensely from. Being able to migrate rapidly, effectively, and securely is fantastic for all parties. Any time you need assistance with deployment and enhancing adoption, you’ll have a specialist ready to assist. The expertise on offer and the simplicity of the process makes keeping up with technology a lot easier. With the use of best practices in your business, success becomes the expectation.

List Packages that run in user context (Run with user’s rights)

Introduction

After last weeks post with the script sample to list Packages that run in user context, there where some good feedback from people still using packages, and requiring a list of packages that install within the user context (Run with user’s rights / Execution mode as user)

It seemed that many was still using Packages, either as a result of legacy migration or to avoid some application re-packaging.

So here is the followup post, with a new script to list all packages and package with programs that run in user context.

From my point of view, its still the same; Using PSADT pretty much any package can be converted to be installed as system, and the needed stuff (registry keys, files etc) in the user context can be added in a structured and controlled way.

I do still come across some applications that i would prefer to have in MSI with all settings etc added, at least for simplicity, for those packages I still prefer to use Advanced Installer.
When talking Advanced Installer, they also have a great support for MSIX, that makes to process so much easier and cost efficient.

This script will list all packages with programs, that is configured to install as user (within the user context)

All you need to do is configure the path to your import module and set the site code.

A file will be created in “C:\TEMP\Packages_and_Programs_Run_Mode_List.csv” with the following format:

“Package Name”,”Package ID”,”Program Name”,”Run with USER’s right”
“My Application”,”BB10001D”,”execute”,”TRUE

With the example above we have a package ‘My Application’ that has a run mode configured: Run with user’s rights

Properties on the program, where the program run enviroment is configured to Run with Users’s rights


Download the script from TechNet Galleryhttps://gallery.technet.microsoft.com/Generate-a-list-of-d8778d4c?redir=0



MSiX Insider Preview Build 1.2019.402.0

Yet another release of the MSIX Packaging tool (1904) is nearing general public release.

Here is the list of features and fixes

  1. Ability to convert on a remote machine.
    1. We talked about that earlier here
  2. Improved management experience in package editor.
    1. Auto versioning recommendations when saving in package editor.
    2. Now supports existing folder addition to package in VFS.
  3. User can specify known valid exit codes for CLI conversions.
  4. Added the ability to time stamp your signed package in all of the workflows where signing is currently available.
    1. You can specify your default time stamp URL and type of time stamp server in the tool Settings page.
  5. Updated AppID generation logic, and added additional validation fro package name and app.
  6. Bug fixes and performance improvements

The detailed history for the app release can be found here


Cleaning up shortcuts

So the issue at hand;
I was replacing a Office application on Windows systems, where i noticed that shortcuts created by the users, was not upgraded/removed when the new office version was installed.

The issue seems to be related to users creating custom shortcuts, directly to exe files.
I some cases the shortcut name was clear, but in other cases the users had chosen something they found fit.

The following PowerShell script was created to remove shortcuts (lnk files) based on the executable. This means you can specific the exe or use a wildcard if there is multiple executable files releated to an application.

$ShortcutLocations = Get-ChildItem -Recurse (“C:\Users”,”C:\ProgramData\Microsoft\Windows\Start Menu”) -Include *.lnk -Force -ErrorAction SilentlyContinue

########
# This script searches for all *.lnk files to "C:\Program files (x86)\App\My Application.exe" or "C:\Program Files\App\My Application.exe"
# It searches in C:\users\* profiles paths, including Users Desktops, %AppData%\Microsoft\Internet Explorer\Quick Launch and in ProgramData...StartMenu
# The name of the link file can have many different names, therefore we must find each shortcut based on path to target exectuable and not on lnk name.
# Then the lnk file must be deleted.
#
# The script should be run with admin rights, otherwise shortcuts will only be deleted for the user running the script.
########

### Specify shortcut's target executable here.
$AppExecutable = "C:\Program files*\Microsoft Office\Office15\*.exe"
# * Due to mask it contains "Program files" and "Program files (x86)" paths both.
###

### Paths to browse and search for shortcuts.
$ShortcutLocations = Get-ChildItem -Recurse ("C:\Users","C:\ProgramData\Microsoft\Windows\Start Menu") -Include *.lnk -Force -ErrorAction SilentlyContinue
# * -Recurse = Includes all subdirectories.
###


### Get properties for shortcuts in the locations

Function Get-ShortcutsProperties {
$Shell = New-Object -ComObject WScript.Shell 
Foreach ($Shortcut in $ShortcutLocations)
{
$Properties = @{
ShortcutName = $Shortcut.Name;
ShortcutFullName = $Shortcut.FullName;
ShortcutLocation = $shortcut.DirectoryName
ShortcutTarget = $Shell.CreateShortcut($Shortcut).targetpath
}
New-Object PSObject -Property $Properties
}
[Runtime.InteropServices.Marshal]::ReleaseComObject($Shell) | Out-Null
}
###

$ShortcutsList = Get-ShortcutsProperties

### Compare shortcut's target path with $AppExecutable and delete it in case of corresponding one
Foreach ($item in $ShortcutsList) {

if ($item.ShortcutTarget -like $AppExecutable) {

Remove-Item -Path $item.ShortcutFullName -Force -ErrorAction SilentlyContinue
 }
}
######## End of the script

Download the PowersShell Script here: DeleteApplicationShortcuts

MSiX – Remote machine conversions

The MSiX Packaging Tool (1.2019.226.0) Preview now has the ability to connect to a remote machine, where you can run the conversion.
This is great news, and solves the normal issue with contamination on “non-sanitised” machines.

I have always preferred to do my packaging and re-packaging on Hyper-V Virtual Machines
This gives a total control and clean enviroment, with easy ability to get back to a controlled point of reference, using checkpoints.

Getting started with remote machine conversions? Fear not! It is quite simple to get started.

– PowerShell remoting must be enabled for secure access to the remote machine.
– You must be logged on with administrative privileges on the machine.

To enable PowersShell remoting on the machine, run the following command in an elevated PowerShell prompt: Enable-PSRemoting -Force -SkipNetworkProfileCheck

If network/firewall restrictions are in place, remember to allow inbound traffic on port 1599 (MSiX Packaging Tool default port, it can be changed with the settings tab)

If you are connecting using a non-domain joined machine, you must use a certificate to connect over https.
To enable PowerShell remoting and allowing WinRM over https run the following commands in an elevated PowerShell prompt

Enable-PSRemoting -Force -SkipNetworkProfileCheck

New-NetFirewallRule -Name "Allow WinRM HTTPS" -DisplayName "WinRM HTTPS" -Enabled True -Profile Any -Action Allow -Direction Inbound -LocalPort 5986 -Protocol TCP

To generate a self-signed certificate, configure WinRM secure configuration and export the certificate, you can run this script: (or download: GenerateSelfsignedWinRMHTTPS)

$thumbprint = (New-SelfSignedCertificate -DnsName $env:COMPUTERNAME -CertStoreLocation Cert:\LocalMachine\My -KeyExportPolicy NonExportable).Thumbprint
$command = "winrm create winrm/config/Listener?Address=*+Transport=HTTPS @{Hostname=""$env:computername"";CertificateThumbprint=""$thumbprint""}"
cmd.exe /C $command
Export-Certificate -Cert Cert:\LocalMachine\My\$thumbprint -FilePath <path_to_cer_file>

On your locale Machine, copy the exported certificate and install it into the Trusted Root Store.
It can be imported with the following command: Import-Certificate -FilePath <path> -CertStoreLocation Cert:\LocalMachine\Root