The problem

Recently we needed to deploy a firewall solution to deal with MS Teams moving from a system-wide installation to a per-user installation. Long story short, this causes issues with the firewall permissions in a restricted-access environment where users are not allowed Local Admin. Microsoft is aware of this issue and is currently working to resolve it, but for now their solution is to run a PowerShell script on each of the affected machines.

While this solution does indeed address the issue there are several reasons why this was not suitable for our environment:

  1. Not a long-term sustainable solution – This only works for users who have ALREADY logged on to the machine. If we are deploying a new machine to users, or if someone is logging into a machine for the first time, there is no way for this script to run properly so that the rules are in place in time.
  2. This does not provide any visibility from the management plane – We have no way of determining whether it was deployed successfully and who it applied to (you can get some of this from Intune reports, but it is not very granular).
  3. It does not clean up the old BLOCK rules that get created when a non-admin user closes the firewall prompt – As you know, a DENY rule supersedes an ALLOW rule, and as the MS documentation explains, if the users do not have Admin rights, Teams will by default create the rules and then set them to BLOCK. This means that even if we add ALLOW rules, the existing BLOCK rules will still cause issues.
  4. There is no easy way to remove the settings when the issue is eventually resolved
  5. I just didn’t like it (let’s be honest, this is the real reason I wanted to do something else. 🙂 )

So, with this in mind, I figured, let’s do this better.

The Solution

The core function of the script provided by Microsoft works great and accomplishes the task, namely identifying users who need to have the rules applied and applying them, so we will keep that. However, it is a bit terse and lacks proper comments to make troubleshooting easier for PowerShell beginners. It is also missing logging and some other features that we will add in.

However, before we begin, we need to decide on what exactly needs to be done and the method for accomplishing that task. We want to accomplish the following:

  1. Have a script that runs each time a user logs in that will check to ensure that their firewall rules have been created
  2. The script should check for and remove any Deny rules for Teams to ensure users can properly run the software
  3. The script should create HelpDesk friendly logging so that if issues arise, HelpDesk Technicians can troubleshoot the process
  4. The script should be fully uninstallable, removing all traces of itself when the time comes
  5. We need to be able to have a versioning process so that changes to the script can be pushed to machines

In our environment the majority of machines don’t have line-of-sight connectivity to DCs (so GP deployment is out), but they are running Intune, so we can leverage that as our deployment and orchestration mechanism.

So, pushing scripts from Intune is fairly simple, but they only run once (technically they will retry, but the model is: the script succeeds once and then it is done). We also need the script to run when each user logs on, BUT it must ALSO run in the SYSTEM context as Admin (because firewall rules can’t be added without elevation and users don’t have Local Admin). So the solution… Win32App deployments. Fairly straightforward and checks all the boxes for management, but we will also need to handle the installation and management part with helper scripts. The task will run using the Task Scheduler and be set to run at Logon for each user.

So, what we end up with is an outline that looks like this:

  1. Install/Setup script to build the scheduled task
  2. Script that is actually being run (the one that creates/disables firewall rules)
  3. Uninstall script
  4. Win32App that will wrap all this in
  5. Intune deployment to manage it
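To make the outline concrete, here is an added sketch of parts 1 to 3 in one PowerShell file (this is example code written for this post, not the author's script and not Microsoft's script). It assumes a hypothetical install path under C:\ProgramData\TeamsFirewall, a hypothetical task name, and that per-user classic Teams lives at <profile>\AppData\Local\Microsoft\Teams\Current\Teams.exe; rules are matched on the program path so the BLOCK rules Teams created itself are caught regardless of their display name.

```powershell
param([switch]$Install, [switch]$Uninstall)
$TaskName   = 'TeamsFirewallFix'                                       # hypothetical task name
$ScriptPath = 'C:\ProgramData\TeamsFirewall\Fix-TeamsFirewall.ps1'    # hypothetical install path of this script
$LogPath    = 'C:\ProgramData\TeamsFirewall\TeamsFirewall.log'        # hypothetical HelpDesk-readable log
$TeamsRelativePath = 'AppData\Local\Microsoft\Teams\Current\Teams.exe' # assumed per-user classic Teams location
function Write-Log([string]$Message) {
    $null = New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogPath -Append
}

# Part 1: a logon-triggered task that runs as SYSTEM, so rule changes work for non-admin users
function Register-TeamsFirewallTask {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
    Write-Log "Registered scheduled task $TaskName"
}

# Part 2: for every local profile with Teams installed, drop Block rules, then add Allow rules if none exist
function Repair-TeamsFirewallRules {
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
        $teamsExe = Join-Path $userDir.FullName $TeamsRelativePath
        if (-not (Test-Path $teamsExe)) { continue }
        # Match rules on the program path, not the display name, so rules Teams created itself are caught too
        $rules = @(Get-NetFirewallApplicationFilter -Program $teamsExe -ErrorAction SilentlyContinue | Get-NetFirewallRule)
        foreach ($rule in ($rules | Where-Object { $_.Action -eq 'Block' })) {
            Write-Log "Removing Block rule '$($rule.DisplayName)' for $($userDir.Name)"
            Remove-NetFirewallRule -Name $rule.Name
        }
        if (-not ($rules | Where-Object { $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' })) {
            foreach ($proto in 'TCP', 'UDP') {
                New-NetFirewallRule -DisplayName "Teams.exe for user $($userDir.Name)" -Direction Inbound `
                    -Program $teamsExe -Protocol $proto -Action Allow -Profile Any | Out-Null
            }
            Write-Log "Created inbound Allow rules (TCP/UDP) for $($userDir.Name)"
        }
    }
}

# Part 3: -Uninstall removes the task; -Install registers it; no switch = the logon-time run itself
if ($Uninstall) {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
} elseif ($Install) {
    Register-TeamsFirewallTask
} else {
    Repair-TeamsFirewallRules
}
```

The Win32App install command would copy the file to $ScriptPath and run it with -Install, the uninstall command runs it with -Uninstall, and the scheduled task runs it with no switches; all three must run elevated, which is why the task principal is SYSTEM.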

So, that is the intro and what we are going to do. Now for the fun part and actually building the things!

This series is split into the following parts:

  1. Intro
  2. The actual script
  3. Setup and Uninstall scripts
  4. Intune magic
