This short blog will be about why baselines are very important and why you need to keep them up to date.
I am not talking about security baselines this time. What I will be talking about, is the AppLocker baseline you need to deploy to your user’s Windows 10 devices to make sure users can install apps on their own. It’s best practice to implement adminless.
*Source: Microsoft Vulnerabilities Report 2021 | BeyondTrust (great report!!)
Of course, nowadays users are no longer admin (adminless) and Applocker is configured. Installing apps can be really difficult when you are a regular user with applocker deployed.
Some time ago I posted 2 blogs. The first blog was about deploying the Company Portal to let users install apps on their own.
When you made sure you are keeping your baseline with apps up to date, each new tenant you enroll with PowerShell will profit from this baseline. And do you know what’s great? Your Servicedesk is probably going to receive a lot less phone calls.
But beware some apps are user-based runtimes and need to be allowed within your Applocker policy because the apps are launched from the local app data folder.
A very good example would be Teamviewer Quicksupport.
When you did not allow TeamViewer in your Applocker policy it will be blocked by default.
In many companies, Teamviewer quick support needs to be enabled to offer support to users. You can simply add this to your existing Applocker policy
FilePublisherRule Id="0742d552-6c5b-4aeb-b5d8-f8375562c8b3" Name="Ondertekend door O=TEAMVIEWER GERMANY GMBH, L=GÃPPINGEN, S=BADEN-WÃRTTEMBERG, C=DE" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="O=TEAMVIEWER GERMANY GMBH, L=GÃPPINGEN, S=BADEN-WÃRTTEMBERG, C=DE" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
Please note, when you copy/paste your existing applocker config in notepad and add this rule, the weird characters in the rule above will disappear.
After some time, you can try to open Teamviewer quick support and you will notice it is not blocked anymore.
So why not do the same as we did with the company portal baseline?
As shown in the blog above, you can automate your Applocker deployment. So keeping this baseline up to date will make sure new tenants will also profit from it.
When you combine Applocker with the Company portal you are going to increase the end-user experience beneficial.
Conclusion:
It’s important to:
-Use the Company Portal to distribute apps that can be installed and are not required!
-Use Applocker to secure your device but allow user-based runtimes (like teamviewer quicksupport)
I guess I said it many times, there should be absolutely no reason why your users need to have administrator permissions.