Applocker Strategy for Microsoft Teams

Question

Microsoft Teams stores its .exe .dll files in the local user profile. I need to whitelist Teams through applocker and have tried whitelisting the main .exe files (teams, updater etc) using the "publisher" applocker option.

I have so far had to whitelist over 10 dll's and i still get dll and .node blocks in my applocker logs.

It is not an option (or sensible) to whitelist the path (as the user has full rights here), so have others ran into this and come up with a sensible solution that also allows for Teams not to break when it gets updated?

Answer 1

Hi @ian wilson_68 ,

Based on my knowledge, we recommend that you use the publisher condition rules since all Teams app files are digitally signed. We don't recommend the use of path rules because the Teams installation directory is user-writable. We also don't recommend the use of hash rules because the rules would have to be updated each time the Teams client app is updated.

You can try to add the following to the Executable Rules & DLL Rules for the Teams client app:

Publisher: O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Product name: MICROSOFT TEAMS
Product name: MICROSOFT TEAMS UPDATE

---

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Hi and Thanks.

Your suggestion worked perfectly.

I had not at the time understood that you could use the path rule and then edit the entry and provide a * wildcard in the "Filename" option.