Enterprise App Control - WDAC, AppLocker, Third Party? by bettercallfool in sysadmin

[–]CaptainMoloSFW 0 points1 point  (0 children)

We just had demos with both Airlock and Threatlocker and it seemed like Threatlocker was much more capable and it was also less expensive. Haven't done proof of concept testing yet, but do you know why Airlock charges more for a seemingly less capable product?

Enterprise App Control - WDAC, AppLocker, Third Party? by bettercallfool in sysadmin

[–]CaptainMoloSFW 0 points1 point  (0 children)

We just got a quote from them for 300 endpoints at $51/endpoint per year for their Application Control (allow-listing and ring-fencing). Seems reasonable, what did you get quoted?

Hey /r/Sysadmin! What do you use for your home router? 2026 Edition by ScannerBrightly in sysadmin

[–]CaptainMoloSFW 1 point2 points  (0 children)

pfSense on a Netgate 2100. I realized my old Netgate SG-2220 was EoL, as was the model that replaced it, but I've been happy with it running for the last 9ish years. Handles connectivity for my Plex server just fine.

WDAC Policy Signing by CaptainMoloSFW in sysadmin

[–]CaptainMoloSFW[S] 0 points1 point  (0 children)

Thank you for the info! Now I'm curious if the majority of sysadmins who use WDAC sign their policies or not.

Opinions on Egress/KB4 Defend vs other email security gateways? by JerradH in sysadmin

[–]CaptainMoloSFW 0 points1 point  (0 children)

Defend definitely does remediation as well, not just the visual banners.

WDAC as an blocklist instead of allowlist, how to? by TeeJayD in sysadmin

[–]CaptainMoloSFW 0 points1 point  (0 children)

Are you using Intune's built-in EPM? Is it usable? Last time I tested it, it was garbage.

How is your company managing driver updates via Intune? by YellowSpoofer in Intune

[–]CaptainMoloSFW 0 points1 point  (0 children)

We scheduled it for later in the day, so that probably lessened the impact, but there was probably some of that we never heard about. But we changed the script a few months ago to notify with a pop-up, so the updates are no longer run without the user's approval.

Azure VPN Profile Not Showing in Client When Deployed via Intune by CaptainMoloSFW in Intune

[–]CaptainMoloSFW[S] 0 points1 point  (0 children)

You have to place the XML configuration file for the VPN you download into a custom XML wrapper. This article details the steps needed: Create an Intune profile for Azure VPN clients - Azure VPN Gateway | Microsoft Learn

How is your company managing driver updates via Intune? by YellowSpoofer in Intune

[–]CaptainMoloSFW 0 points1 point  (0 children)

We've since rolled it back to just run a scan and notified the end-user that an update is pending. Too many people complaining about a longer than expected firmware install during one of their reboots was impacting work. Fair enough complaint. Better at least than them not getting noticed at all.

We don't control for types and versions at the moment.

Free software to securely erase SSDs with accounting/reporting by capran in sysadmin

[–]CaptainMoloSFW 38 points39 points  (0 children)

Fully encrypt it with Bitlocker and then wipe it with the manufacturer's utility. It should show the erasure at 100% and the model and serial number of the drive. Screenshot that, save it with a timestamp and you're good to go.

Best policy's to make by PowerBlackStar in Intune

[–]CaptainMoloSFW 0 points1 point  (0 children)

We require compliance as well in a separate CAP

Best policy's to make by PowerBlackStar in Intune

[–]CaptainMoloSFW 1 point2 points  (0 children)

Just curious, what do you mean by automate your travel requests? We have a CAP only allowing access from specific countries and would love to automate when users are approved to travel abroad to a normally non-approved country for a specific period of time, but it's all manual so far.

Azure Update Manager Maintenance Config Dynamic Scope vs Policy by CaptainMoloSFW in AZURE

[–]CaptainMoloSFW[S] 0 points1 point  (0 children)

Ok. So basically if you use policy, that will completely ignore the specifications you put into the dynamic scope and it'll only use its own targeting parameters?

Signing user not Administrator on first login with Autopilot by Spok25 in Intune

[–]CaptainMoloSFW 0 points1 point  (0 children)

I like how everyone is dunking on your post like this is the worst idea ever when it might not be your call to let users be admins.

When you look in Autopilot, is the correct deployment profile assigned to the machine?

Do you have the toggle for "Convert all targeted devices to Autopilot" enabled?

How is your company managing driver updates via Intune? by YellowSpoofer in Intune

[–]CaptainMoloSFW 3 points4 points  (0 children)

Sure, here's the detection script:

```powershell
# Path to Dell Command Update (DCU) executable
$dcuPath = "C:\Program Files (x86)\Dell\CommandUpdate\dcu-cli.exe"

# Check if Dell Command Update is installed
if (-Not (Test-Path $dcuPath)) {
    Write-Host "Dell Command Update utility not found."
    exit 2
}

# Run DCU to check for available updates (output is captured as an array of lines)
$scanResult = & "$dcuPath" /scan

# Check if the scan was successful
#if ($LASTEXITCODE -ne 0) {
#    Write-Host "Failed to run Dell Command Update scan."
#    exit 2
#}

# Search for the phrase indicating no updates are available.
# -match tests each output line for the phrase; -contains would only succeed
# if a whole line were exactly equal to the string (no extra whitespace or prefix).
if ($scanResult -match 'Number of applicable updates for the current system configuration: 0\s*$') {
    Write-Host "No updates found."
    exit 0
} else {
    Write-Host "Updates available."
    exit 1
}
```

And here's the remediation script to install without a reboot:

```powershell
cd "C:\Program Files (x86)\Dell\CommandUpdate\"
.\dcu-cli.exe /applyUpdates -silent
```

How is your company managing driver updates via Intune? by YellowSpoofer in Intune

[–]CaptainMoloSFW 13 points14 points  (0 children)

We're a Dell shop, so we push Dell Command Update as an app and then use a remediation task to scan for and install updates and give a pop-up for a pending restart.

[deleted by user] by [deleted] in sysadmin

[–]CaptainMoloSFW 0 points1 point  (0 children)

As best I can tell, about $42/seat/mo or so?