• I found out what this is about.
    Although MS claims “all editions support this”, the logging only works for exe and appx since only those use SRPv2 (=Applocker) blocking, the rest still uses SRPv1 (Software restriction policies). But there is a way to do logging for the rest:

    Just create the following Reg_SZ entry “LogfileName” at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    with a value like c:\log\mylog.txt
    That log will be populated with entries for ALL types, example entries:

    cmd.exe (PID = 6852) identified C:Usersatesttest.bat as Disallowed using SRPv2 rule, Guid = {c71b5435-1293-4848-b0a3-b53066c76ca2}
    msiexec.exe (PID = 1496) identified C:\Users\a\Desktop\ISORecorder31x64.msi as Disallowed using SRPv2 rule, Guid = {c71b5435-1293-4848-b0a3-b53066c76ca2}

    So this interesting log shows the GUIDs of the rules, which it correctly identifies as applocker (=SRPv2) rules, but the GUIDs… where does it find those? No idea.
    And what if we want to do audit logging and receive these “would have been blocked” messages? Nope, can’t be done for MSI or script… in auditing mode, that SRP logfile would read
    msiexec.exe (PID = 9024) identified C:\Users\a\Desktop\ISORecorder31x64.msi as Unrestricted using SRPv2 rule, Guid = {c71b5435-1293-4848-b0a3-b53066c76ca2}

    Conclusion: not 100% the same when it comes to logging, only when it comes to blocking 😐
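    The registry-based SRP log described in the comment above, as an added example that is not part of the original comment or of 4sysops: it creates the LogFileName value and then parses the resulting log lines (the same format as the entries quoted above) so blocked MSI/script launches can be reviewed. The log path C:\log\srp.log is a constructed placeholder; the value lives under HKLM, so this has to run elevated.

```powershell
# Added example (not from the original comment). Assumes an elevated session;
# C:\log\srp.log is a constructed placeholder path.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LogFile  = 'C:\log\srp.log'

# The CodeIdentifiers key only exists once a policy has been applied; create it otherwise.
if (-not (Test-Path $SaferKey)) {
    New-Item -Path $SaferKey -Force | Out-Null
}
New-ItemProperty -Path $SaferKey -Name 'LogFileName' -Value $LogFile `
    -PropertyType String -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# Entries look like:
#   <process> (PID = <n>) identified <path> as <verdict> using SRPv2 rule, Guid = {...}
# In enforcement mode the verdict is "Disallowed"; in audit mode the same
# launch is logged as "Unrestricted", as the comment above shows.
$Pattern = '^(?<Process>\S+) \(PID = (?<Pid>\d+)\) identified (?<Path>.+?) as ' +
           '(?<Verdict>\w+) using (?<Version>SRPv\d) rule, Guid = (?<Guid>\{[0-9a-fA-F-]+\})$'

function Get-SrpLogEntry {
    param([string]$Path = $LogFile)
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $Pattern) {
            [pscustomobject]@{
                Process = $Matches.Process
                Pid     = [int]$Matches.Pid
                Path    = $Matches.Path
                Verdict = $Matches.Verdict
                Version = $Matches.Version
                RuleId  = $Matches.Guid
            }
        }
    }
}

# Blocked launches grouped by process and rule GUID, so the MSI/script
# blocks that never reach the AppLocker event log can still be reviewed.
Get-SrpLogEntry |
    Where-Object { $_.Verdict -eq 'Disallowed' } |
    Group-Object Process, RuleId |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```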

  • @bunglegrind
    You are right, this MDM implementation has issues.
    If I take my script and change all 8 occurrences of EnforcementMode="Enabled" to EnforcementMode="AuditOnly", it works as expected (things run), but ONLY FOR EXE, the audit log is used, not for MSI or scripts. That is strange. Will need to investigate further.

    When I tested logging, I must admit that I did only .exe, assuming the rest would work as well (why shouldn’t it)…

  • @bundlegrind
    What do you need a workaround for? Please be specific.
    What you link shows that logging is not working as expected, still blocking works as expected.

  • Hi Abhku.

    The error message proves that you have modified my script, since line 28 is empty, normally. Please use my script and see if it works unmodified. If it does, tell me what you are trying to change or let me look at your modified script.

  • Hi Fabian.

    Sure, that is how it works, but still, the PC you connect to should be able to ask the DC if that user is allowed to logon. In the meantime, I have contacted Microsoft, since it does not happen on Win11 insider builds, only on older stable builds. So far, Microsoft support is confused, talking of “Our engineering group is reviewing this…” but stopped reacting.

    To me, this looks dangerous as it is not documented.

  • If only someone could tell me how to deploy this to offline systems.
    It installs alright, but never starts (no error message) unless you connect these systems to the internet while starting Terminal. After that, you may disconnect and start Terminal offline.

  • In the past, AppLocker was available only for Windows Enterprise and Education subscribers. In this post, I will show you a way to use AppLocker on Windows 10 Pro and Windows 11 Pro.

  • Hi Brandon, all.

    If you would like to see true 2-factor-auth with TPMVSC, here’s an enhancement that I have invented. See my article at EE: https://www.experts-exchange.com/articles/35652/SmartCard-2-factor-domain-authentication-for-free.html (sorry, wasn’t registered here already at that time).

  • In this guide, I’ll take a closer look at the process of restoring a BitLocker-encrypted drive from an image backup. Along the way, you’ll learn about a solution for BitLocker backups that allows you to avoid re-encryption of the system drive after the restore.

  • Tony, Jakob, it seems you think that the article is suggesting a complicated method to an easy problem that can be solved by disjoining and re-joining. No, the article shows you the quickest way to get going again for each situation. And when you could do without a reboot, you would prefer that, wouldn’t you? So disjoining and joining again takes more time and should not be preferred.

  • If, at logon, you receive an error message that the trust relationship between a workstation and the primary domain failed, and you cannot logon, there are several ways to deal with the issue. These solutions also work on Windows 11 systems, where you may still log on, but the network connections tray icon in the system claims that the computer is part of an unidentified network.

  • The purpose of this article is to raise awareness of the possibility of sending mail anonymously through Microsoft Exchange Servers and to show mitigations for the resulting risks. After setting up Exchange Server 2019, you might be unaware that it’s possible to send mail anonymously to internal recipients by default. This means that, using PowerShell, for example, anyone in your LAN may send messages to internal accounts without revealing their identity.

  • Welf Alberts's profile was updated 3 months, 3 weeks ago

  • Self-solved, and the solution is rather cute: the above script brings up a dialogue window in which you may enter the PIN using your keyboard. If you leave it blank and JUST PRESS ENTER, the PIN-Pad activates on its own. Found accidentally 🙂

  • Hi.

    Imagine you are using a SmartCard to logon to windows, a SmartCard with different Credentials on it.

    When you want to run something as a different user, you press shift while right-clicking the executable to select “run as different user”, enter your SmartCard PIN and that’s it.

    I would like to script that process to have a 1-click experience. The script should ask for the SmartCard-PIN and start my executable. I already have a script and it works as long as I use a Yubikey-like device, that is, a SmartCard reader that utilizes the laptop keyboard. However, I prefer to use an external SmartCard reader that has its own Pin-Pad, but with that thing, the script does not work.

    Expected behavior: the Pin Pad activates and asks for the PIN. Observed behavior: the PIN needs to be entered using the keyboard.

    Question: who of you PowerShell heroes understands what needs to be changed here to make this work:

    Function Get-SmartCardCred {
        [cmdletbinding()]
        param()

        # C# helper (Microsoft sample) that marshals a certificate into the
        # user-name form that logon accepts for smart card credentials.
        $SmartCardCode = @"
    // Copyright (c) Microsoft Corporation. All rights reserved.
    // Licensed under the MIT License.

    using System;
    using System.Management.Automation;
    using System.Runtime.InteropServices;
    using System.Security;
    using System.Security.Cryptography.X509Certificates;

    namespace SmartCardLogon
    {
        static class NativeMethods
        {
            public enum CRED_MARSHAL_TYPE
            {
                CertCredential = 1,
                UsernameTargetCredential
            }

            [StructLayout(LayoutKind.Sequential)]
            internal struct CERT_CREDENTIAL_INFO
            {
                public uint cbSize;
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 20)]
                public byte[] rgbHashOfCert;   // SHA-1 hash of the certificate
            }

            [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
            public static extern bool CredMarshalCredential(
                CRED_MARSHAL_TYPE CredType,
                IntPtr Credential,
                out IntPtr MarshaledCredential
            );

            [DllImport("advapi32.dll", SetLastError = true)]
            public static extern bool CredFree([In] IntPtr buffer);
        }

        public class Certificate
        {
            public static PSCredential MarshalFlow(string thumbprint, SecureString pin)
            {
                //
                // Set up the data struct
                //
                NativeMethods.CERT_CREDENTIAL_INFO certInfo = new NativeMethods.CERT_CREDENTIAL_INFO();
                certInfo.cbSize = (uint)Marshal.SizeOf(typeof(NativeMethods.CERT_CREDENTIAL_INFO));

                //
                // Locate the certificate in the certificate store
                //
                X509Certificate2 certCredential = new X509Certificate2();
                X509Store userMyStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
                userMyStore.Open(OpenFlags.ReadOnly);
                X509Certificate2Collection certsReturned = userMyStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                userMyStore.Close();

                if (certsReturned.Count == 0)
                {
                    throw new Exception("Unable to find the specified certificate.");
                }

                //
                // Marshal the certificate
                //
                certCredential = certsReturned[0];
                certInfo.rgbHashOfCert = certCredential.GetCertHash();
                int size = Marshal.SizeOf(certInfo);
                IntPtr pCertInfo = Marshal.AllocHGlobal(size);
                Marshal.StructureToPtr(certInfo, pCertInfo, false);
                IntPtr marshaledCredential = IntPtr.Zero;
                bool result = NativeMethods.CredMarshalCredential(NativeMethods.CRED_MARSHAL_TYPE.CertCredential, pCertInfo, out marshaledCredential);

                string certBlobForUsername = null;
                PSCredential psCreds = null;

                if (result)
                {
                    // The marshaled string is used as the "user name", the PIN as the password
                    certBlobForUsername = Marshal.PtrToStringUni(marshaledCredential);
                    psCreds = new PSCredential(certBlobForUsername, pin);
                }

                Marshal.FreeHGlobal(pCertInfo);
                if (marshaledCredential != IntPtr.Zero)
                {
                    NativeMethods.CredFree(marshaledCredential);
                }

                return psCreds;
            }
        }
    }
    "@

        Add-Type -TypeDefinition $SmartCardCode -Language CSharp
        Add-Type -AssemblyName System.Security

        # Let the user pick the logon certificate from the personal store
        $ValidCerts = [System.Security.Cryptography.X509Certificates.X509Certificate2[]](Get-ChildItem 'Cert:\CurrentUser\My')
        $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2UI]::SelectFromCollection($ValidCerts, 'Choose a certificate', 'Choose a certificate', 0)

        $Pin = Read-Host "Enter your PIN: " -AsSecureString

        Write-Output ([SmartCardLogon.Certificate]::MarshalFlow($Cert.Thumbprint, $Pin))
    }

    $Cred = Get-SmartCardCred

    # Start the target process with the marshaled smart card credential
    $StartInfo = New-Object System.Diagnostics.ProcessStartInfo
    $StartInfo.FileName = 'cmd.exe'
    $StartInfo.UseShellExecute = $false
    $StartInfo.UserName = $Cred.UserName
    $StartInfo.Password = $Cred.Password
    $StartInfo.WorkingDirectory = $env:windir
    $Process = New-Object System.Diagnostics.Process
    $Process.StartInfo = $StartInfo
    $Process.Start()
    $Cred = $null

    How do code tags work here?

  • We use this since 2006 – never had a problem restoring such a backup no matter how it was created.

    For DR, he would not need to use sector based backups nor disable or even suspend Bitlocker – that was his main fear, he confused suspending Bitlocker for disabling (decrypting) the drive, by the way, but even this (suspending) is not needed.

  • That said, it’s also possible from WinPE to mount a bitlocked drive using a bek file for example

    (manage-bde -unlock c: -rk e:\some.bek) and do drive snapshot afterwards, if you prefer to get an unencrypted image.

  • Drive snapshot is a command line tool which (as x64 version) may run from any WinPE or Windows setup based WinPE.

    If it does not recognize the file system, it simply copies all sectors. That does not make a difference for the result.

© 4sysops 2006 - 2022