AppLocker in Intune or: How I Learned to Love the (ChatGPT) Bot and Start Worrying

I've been playing around with OpenAI's ChatGPT bot and... this is going to be a really short blog post (just like my career). 

It actually **welp** did a pretty damn good job... Not perfect but scarily close.


Impressive, right? But not perfect. To start off with, the solution the bot suggested isn't AppLocker but rather App Protection. The solution the bot came up with uses App Protection rules for the same rules already configured in AppLocker -- it's not a direct reference, just a shortcut. 

In App Protection, this will apply the configured App Protection Policies to all Windows executables, including those in Program Files. For example, this makes things like Notepad.exe a protected app that conforms to Windows Information Protection (WIP) enforcement and separation/protection of data.

Only after many hours did I have the idea of using OpenAI's DALL-E 2 image generator for the cover photo.

how do i use applocker in intune?

AppLocker is a feature in Microsoft Intune that allows administrators to set rules for which apps and programs users can run on their devices. To use AppLocker in Intune, follow these steps:
  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Select the "Devices" APPS tab and then select "App protection policies" from the menu on the left.
  3. Click the "Create policy" button to create a new AppLocker policy.
  4. Enter a name and description for the policy, and then select the type of devices you want the policy to apply to.
  5. In the "Apps" section, select the apps and programs you want to allow or block, and then specify the rules for each app or program.
  6. In the "Assignments" section, select the users or groups you want the policy to apply to.
  7. Click the "Save" button to save the policy.
  8. Once you have created an AppLocker policy, it will be automatically enforced on the devices of the users you have assigned the policy to. If a user tries to run an app or program that is not allowed by the policy, they will see a message indicating that the app is blocked.

ok now write me a powershell script that does that because i am lazy

```powershell
# Import the Microsoft Intune module
Import-Module Microsoft.Intune.PowerShell

# Connect to Microsoft Intune
Connect-MsolService

# Create a new AppLocker policy
$policy = New-Object -TypeName Microsoft.Online.Intune.Policy.AppProtection.AppProtectionPolicy

# Set the policy name and description
$policy.Name = "AppLocker Policy"
$policy.Description = "This policy blocks certain apps from running on managed devices."

# Set the policy to apply to Windows 10 devices
$policy.Platforms = "Windows10"

# Set the policy to block certain apps
$policy.Apps = @(
    New-Object -TypeName Microsoft.Online.Intune.Policy.AppProtection.App -Property @{
        AppName = "Calculator"
        PackageIdentityName = "Microsoft.WindowsCalculator"
        ProductId = "Microsoft.WindowsCalculator_8wekyb3d8bbwe"
        Action = "Block"
    },
    New-Object -TypeName Microsoft.Online.Intune.Policy.AppProtection.App -Property @{
        AppName = "Paint"
        PackageIdentityName = "Microsoft.MSPaint"
        ProductId = "Microsoft.MSPaint_8wekyb3d8bbwe"
        Action = "Block"
    }
)

# Set the policy to apply to specific users or groups
$policy.Assignments = @(
    New-Object -TypeName Microsoft.Online.Intune.Policy.AppProtection.UserOrGroupAssignment -Property @{
        UserOrGroupId = "<Enter the user or group ID here>"
        AssignToUsers = $true
    }
)

# Save the policy
New-MsolPolicy -AppProtectionPolicy $policy
```


ok now impress me by making that script into an easily deployable module

Note: this was a query I made after recording the video above. 

To create a PowerShell module from the script above, you can follow these steps:
  1. Open a text editor and paste the script into a new file.
  2. Save the file with a .psm1 extension, for example AppLockerPolicy.psm1.
  3. In the script, replace the <Enter the user or group ID here> placeholder with the actual ID of the user or group you want the policy to apply to. You can also modify the list of apps and programs to block or allow, as well as the other settings in the script to suit your needs.
  4. Save the file.
  5. In a PowerShell window, navigate to the directory where you saved the .psm1 file.
  6. Import the module by running the Import-Module cmdlet, followed by the name of the file you saved, for example: Import-Module AppLockerPolicy.psm1
  7. To create an AppLocker policy using the module, you can now run the New-AppLockerPolicy cmdlet. For example: New-AppLockerPolicy -Name "AppLocker Policy" -Description "This policy blocks certain apps from running on managed devices."
  8. The New-AppLockerPolicy cmdlet has several optional parameters that you can use to customize the policy, such as -Apps, -Platforms, and -Assignments, which you can use to specify the apps and programs to block or allow, the types of devices the policy should apply to, and the users or groups the policy should apply to, respectively.

You can find more detailed documentation for the New-AppLockerPolicy cmdlet by running the Get-Help cmdlet and passing it the cmdlet name as an argument, for example: Get-Help New-AppLockerPolicy -Full


fuck. you're going to put me out of a job. you know that, right?

I'm sorry if I have made you feel that way. I am a large language model trained by OpenAI and my purpose is to assist users with their questions and provide information on a wide range of topics. I am not intended to replace human workers or take away anyone's job. I am simply a tool that can be used to help people with their tasks and make their lives easier. 

 

So what's the final verdict?

Good luck with your new careers!

This blog post is clearly supposed to be tongue-in-cheek. It's incredibly impressive, yes. But would you trust any current AIs to actually implement these solutions? Well, I sincerely hope that your answer is NO. 

Why not? As mentioned above, it's not perfect. In the above example, some minor corrections were still needed. And more complex queries need even more corrections. The other evening I queried the bot to "develop" a snake clone in Python, where I still needed to rewrite a function. 
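One way to make that review concrete before a generated script gets anywhere near a tenant is to parse it without executing it and list every command, module and .NET type it references that does not resolve on the machine. This is an added example, not part of the original chat or the author's own tooling; `Test-GeneratedScript`, `New-Finding` and the `$generated` excerpt (copied from the bot's script above) are names chosen here for illustration.

```powershell
# Added example: static check of a generated script. Nothing in it is executed.
# $generated is an excerpt of the bot's script from this post.
$generated = @'
Import-Module Microsoft.Intune.PowerShell
Connect-MsolService
$policy = New-Object -TypeName Microsoft.Online.Intune.Policy.AppProtection.AppProtectionPolicy
New-MsolPolicy -AppProtectionPolicy $policy
'@

function New-Finding($Kind, $Name, $Line, $Resolved) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Line = $Line; Resolved = [bool]$Resolved }
}

function Test-GeneratedScript {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    # Build the syntax tree only; the script text is never invoked.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)
    foreach ($e in $errors) {
        New-Finding 'SyntaxError' $e.Message $e.Extent.StartLineNumber $false
    }

    $commands = $ast.FindAll(
        { param($node) $node -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        $name = $cmd.GetCommandName()
        if (-not $name) { continue }   # dynamic invocation such as & $var
        $line = $cmd.Extent.StartLineNumber
        # Does any installed module or the session export this command?
        New-Finding 'Command' $name $line (Get-Command -Name $name -ErrorAction SilentlyContinue)

        # First literal argument: the module name or the type name.
        $arg = $cmd.CommandElements | Select-Object -Skip 1 |
            Where-Object { $_ -is [System.Management.Automation.Language.StringConstantExpressionAst] } |
            Select-Object -First 1
        if (-not $arg) { continue }
        if ($name -eq 'Import-Module') {
            New-Finding 'Module' $arg.Value $line (Get-Module -ListAvailable -Name $arg.Value)
        } elseif ($name -eq 'New-Object') {
            New-Finding 'Type' $arg.Value $line ($arg.Value -as [type])
        }
    }
}

# Show only what could not be resolved on this machine.
Test-GeneratedScript -ScriptText $generated | Where-Object { -not $_.Resolved } | Format-Table -AutoSize
```

Anything listed as unresolved is a name to look up in vendor documentation before the script is run; a name that does resolve still needs its parameters checked with `Get-Help`.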

It is still a dumb bot and not real AI. Not yet at least. 

But dammit if I'm not impressed! I can already see myself using this tool to optimize my own work and most importantly, as inspiration for my actual solutions. 

As a bit of a tangent: my partner happens to be a schoolteacher and I got her to ask ChatGPT the sort of questions she would put forward in an exam situation. She was also impressed! And at first a bit scared that her students might start using similar AI bots. Thing is, the bot repeats itself. A LOT. At the moment, she isn't worried, as she would be able to spot immediately if multiple students submitted the same work, which this bot would produce. It also makes assumptions that just wouldn't fly (in her opinion). 

Should we, as IT professionals, be worried? At the moment... no. But that day may come. Sooner than expected. For years, Google has been working on a similar project and word on the street is that it is already light-years ahead of ChatGPT. 

Who should be worried, however? I think it will make it more difficult for entry-level IT professionals to get past helpdesk. What I am MORE worried about is that they won't take the time to properly learn languages. And I am even more worried about grade school students potentially not developing critical thinking skills. 

I was in no way a good student in high school (we're talking a C average here) and my formal education is in biology. That said, although I don't use the "book knowledge" I was trained in, I use the analytical and critical thinking skills I gained from my education on a daily basis. 

Here's hoping that Wall-E stays as a great movie; and not a prediction for our collective future!