Have you tried? - App Install Control


User-installed applications

When an application installer is launched on Windows we are often prompted by User Account Control (UAC) to authorise changes to the system, because the installer needs to write files or registry values to locations (Program Files, the HKEY_LOCAL_MACHINE hive) that a standard user account has no write access to. More often than not, a standard user will dismiss this UAC prompt and that is the end of the software install. They might go on to request the application through your Helpdesk packaging process, or tap you on the shoulder for an admin username and password.

We’ve all become used to this working relationship!

 

But some application installers (classic Win32 installers, as opposed to the nice modern Universal Windows Platform (UWP) apps from the Store) are designed to run as a standard user (Zoom, for example), or even contain a fallback routine that installs with the user's own privileges when the UAC prompt is declined (I'm looking at you, Firefox!). When this happens the files get written somewhere inside the user's profile, such as the %LOCALAPPDATA% or %APPDATA% folder, and the registry values go into the HKEY_CURRENT_USER (HKCU) hive.

These applications are normally designed to look after themselves with automatic patching when launched, but there are a few reasons to be annoyed by their sneaky presence:

  • The user may not know that they installed something, and will probably never act to remove it,

  • They will not patch themselves if the application is never opened, leaving a stale and possibly vulnerable binary sitting in the profile and increasing your attack surface,

  • They don’t tend to show up on standard software inventory reports, which usually read the machine-wide Uninstall key under HKLM and never look at each user’s HKCU hive, so they never appear in your list of supported applications,

  • They are much harder to manage, secure, and support with UEM solutions (patching, settings, etc).

So now we know that the Security, Software Management, and Modern Workplace teams are all annoyed!


Removal of User-installed applications

It’s not uncommon to see tasks assigned to Modern Workplace teams to find a way to remove the epidemic of user-based installs that have crept into the environment, and it’s a bit of a rigmarole to script the removal of applications you never approved or packaged: every vendor’s per-user installer has its own uninstall command, and the records of them are scattered across each user’s HKCU hive rather than held in one machine-wide list.
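As an added example (this is not code from the original post), here is the kind of PowerShell you end up writing for that task: it enumerates the per-user Uninstall key in HKCU, flags entries whose files live inside the user’s profile, and offers a dry-run removal driven by the vendor’s own uninstall string. The registry path is the standard Windows Uninstall key; the function names and the crude path extraction from the uninstall string are mine. Run it in the context of the user being audited.

```powershell
# Added example, not part of the original post.
# Per-user (HKCU) installs register here instead of under HKLM, which is why
# inventory that only reads the machine hive never sees them.
$PerUserUninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-PerUserInstall {
    [CmdletBinding()]
    param()

    if (-not (Test-Path $PerUserUninstallKey)) { return }
    $profileRoot = $env:USERPROFILE

    Get-ChildItem -Path $PerUserUninstallKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if (-not $p.DisplayName) { return }   # skip nameless keys (components, patches)

        # Prefer the recorded InstallLocation; otherwise derive it from the uninstall command
        $location = $p.InstallLocation
        if (-not $location -and $p.UninstallString) {
            if ($p.UninstallString -match '^"([^"]+)"') {
                $location = Split-Path -Path $Matches[1] -Parent
            } else {
                $location = Split-Path -Path ($p.UninstallString -split ' ')[0] -Parent
            }
        }

        [pscustomobject]@{
            DisplayName    = $p.DisplayName
            DisplayVersion = $p.DisplayVersion
            Publisher      = $p.Publisher
            InstallLocation = $location
            # True when the binaries sit inside the profile (AppData etc.)
            InProfile      = [bool]($location -and
                                $location.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase))
            QuietUninstall = $p.QuietUninstallString
            Uninstall      = $p.UninstallString
            RegistryKey    = $_.PSChildName
        }
    }
}

function Remove-PerUserInstall {
    # Runs the vendor's quiet uninstall string (falling back to the normal one).
    # ConfirmImpact High means it prompts unless -Confirm:$false; -WhatIf shows what would run.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $App)

    process {
        $cmd = if ($App.QuietUninstall) { $App.QuietUninstall } else { $App.Uninstall }
        if (-not $cmd) { Write-Warning "No uninstall command recorded for $($App.DisplayName)"; return }
        if ($PSCmdlet.ShouldProcess($App.DisplayName, "Run: $cmd")) {
            # Uninstall strings are shell command lines, not bare paths, so hand them to cmd.exe
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$cmd`"" -Wait -NoNewWindow
        }
    }
}

# Usage: list what lives in the profile, then dry-run its removal
Get-PerUserInstall | Where-Object InProfile | Format-Table DisplayName, DisplayVersion, InstallLocation -AutoSize
Get-PerUserInstall | Where-Object InProfile | Remove-PerUserInstall -WhatIf
```

Drop the `-WhatIf` only once you have read the uninstall strings it prints; a vendor’s “quiet” switch is not always quiet, and some strings launch an interactive uninstaller regardless.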

 

And the next step is to stem the tide. How do we stop them from entering the environment altogether?


AppLocker and Windows Defender Application Control (WDAC)

The big boys are AppLocker, the seasoned veteran of the application control space, and Windows Defender Application Control (WDAC) - the new kid on the block. Both products can help guard your Windows machines against unauthorised, or disreputable, application installations.

WDAC and AppLocker Overview - Windows security | Microsoft Docs

If neither of these products is in use, or being actively investigated, in your business, the chances are you will want to look into one or both of them in the long run. One caveat is that they require a significant investment in planning between IT Security and Modern Workplace teams, as they are easy to implement very poorly without a good understanding of how the products work.

With AppLocker and WDAC you are almost always weighing manageability and productivity against security, and finding that balance must involve the people who pay the bills, because both products can be very high maintenance.

While you struggle on with that new project…


Defender Smartscreen - App Install Control

Is there anything simpler that we can implement in the meantime? I’m glad you asked! There’s a feature of Windows Defender SmartScreen called “App Install Control”, which I think originated in Windows 10 S mode. The setting enables SmartScreen to block downloaded Win32 installers (such as .EXE and .MSI files) from launching.

This feature can be implemented as a short-term fix while you look into AppLocker / WDAC, or as a complementary control alongside those solutions. It’s completely standalone.


App Install Control - look and feel

SmartScreen reads the zone of origin (Internet, Intranet, Restricted, and so on) that Windows records for a downloaded file in its Zone.Identifier alternate data stream, the so-called Mark of the Web, and uses it to decide that the file should be blocked from running. The block message the user receives is dynamic, and depends on what was blocked.

Recommendations made by the pop-up vary from a generic “Get apps from Store” when it has no dynamic suggestion, to “Open Microsoft Edge” when you download a rival browser (very cheeky!).

Unfortunately it is also possible that a very specific pop-up will appear, offering a link to the UWP version of the same application directly from the Microsoft Store. This is App Install Control’s least attractive feature in my mind, as you may not want that kind of application install either, and it completely sidesteps another setting you might be using to block the public Microsoft Store front (ApplicationManagement/RequirePrivateStoreOnly).


App Install Control - Settings

Configure the following settings in your TEST environment to switch on SmartScreen App Install Control:

SmartScreen/EnableAppInstallControl (Policy CSP - SmartScreen - Windows Client Management | Microsoft Docs)
”Allows IT Admins to control whether users are allowed to install apps from places other than the Store.”

0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
1 – Turns on Application Installation Control, allowing users to only install apps from the Store.

This setting will block installation only while the device is online. To block offline installation too, enable the following:

SmartScreen/EnableSmartScreenInShell

0 – Turns off SmartScreen in Windows.
1 – Turns on SmartScreen in Windows.

SmartScreen/PreventOverrideForFilesInShell

0 – Employees can ignore SmartScreen warnings and run malicious files.
1 – Employees cannot ignore SmartScreen warnings and run malicious files.
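The settings above are given as Policy CSP names, which is the form you push from Intune. For a lab machine the same policies can be set through their Group Policy registry keys, and the added PowerShell below (my example, not the post’s) does that and then audits the result. The key and value names are my reading of the SmartScreen.admx, WindowsExplorer.admx and AttachmentManager.admx templates and are an assumption to verify against the ADMX files on your own build; the function names are mine. Run it from an elevated session, because the HKLM values need admin rights; the HKCU value only affects the user running the script.

```powershell
# Added example, not part of the original post.
# Registry-backed equivalents of the CSP settings discussed in the text.
# Key/value names are taken from the ADMX templates (assumption: verify on your build).
$AppInstallControlPolicies = @(
    # SmartScreen/EnableAppInstallControl = 1
    #   -> "Configure App Install Control": Enabled, mode StoreOnly
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'
       Name = 'ConfigureAppInstallControlEnabled'; Type = 'DWord';  Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'
       Name = 'ConfigureAppInstallControl';        Type = 'String'; Value = 'StoreOnly' }
    # SmartScreen/EnableSmartScreenInShell = 1 and SmartScreen/PreventOverrideForFilesInShell = 1
    #   -> "Configure Windows Defender SmartScreen": Enabled, level Block (no override)
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'EnableSmartScreen';     Type = 'DWord';  Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name = 'ShellSmartScreenLevel'; Type = 'String'; Value = 'Block' }
    # AttachmentManager/HideZoneInfoMechanism = 1
    #   -> "Hide mechanisms to remove zone information": Enabled (per user)
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
       Name = 'HideZoneInfoOnProperties'; Type = 'DWord'; Value = 1 }
)

function Set-AppInstallControlPolicy {
    # Writes each policy value; -WhatIf prints the writes without making them.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([hashtable[]] $Policy = $AppInstallControlPolicies)

    foreach ($p in $Policy) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "Set to $($p.Value)")) {
            if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType $p.Type -Value $p.Value -Force | Out-Null
        }
    }
}

function Test-AppInstallControlPolicy {
    # Reports each value as Compliant / Missing / Wrong, which is the shape a
    # detection script (for example a Proactive Remediation) needs.
    param([hashtable[]] $Policy = $AppInstallControlPolicies)

    foreach ($p in $Policy) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $state = if ($null -eq $actual)                 { 'Missing' }
                 elseif ("$actual" -eq "$($p.Value)")   { 'Compliant' }
                 else                                   { 'Wrong' }
        [pscustomobject]@{
            Setting  = "$($p.Path)\$($p.Name)"
            Expected = $p.Value
            Actual   = $actual
            State    = $state
        }
    }
}

# Usage: preview the writes, apply them, then verify
Set-AppInstallControlPolicy -WhatIf
Set-AppInstallControlPolicy
Test-AppInstallControlPolicy | Format-Table -AutoSize
```

On a device that is already Intune-managed, push the CSP values rather than writing these keys directly, so that MDM and local policy are not setting the same registry values from two directions. Explorer picks the SmartScreen values up on the next launch; sign out and back in if a test does not behave as expected.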


App Install Control - Limitations

The Unblock Button

“This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.”

Though the intention is good, it is actually quite easy for a user to bypass App Install Control on Windows 10 by ticking the “Unblock” option on the file’s Properties sheet, which strips the zone information the block relies on.

If your intention was to make your users stop and think before installing something, mission accomplished, but you may need a further setting to reduce the likelihood of them unblocking and installing the software. You could look at removing the user’s ability to modify saved zone information:

AttachmentManager/HideZoneInfoMechanism

“This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.”

If you enable this policy setting, Windows hides the check box and Unblock button.
If you disable this policy setting, Windows shows the check box and Unblock button.

Even if you set this, your users can still run PowerShell’s Unblock-File cmdlet, or any other tool that deletes the file’s Zone.Identifier stream, to remove the zone information, so be aware. Remember that App Install Control is not a resilient security feature, but something to help reduce unwanted application installs.
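To make the “zone of origin” mechanism from the look-and-feel section and the Unblock bypass above concrete, here is an added PowerShell example (mine, not the post’s) that inspects the Zone.Identifier stream SmartScreen keys on, constructs a stand-in “download” carrying an Internet-zone mark, and shows that Unblock-File simply deletes that stream. It also includes a small sweep for unmarked executables in the profile, which is the state a bypassed installer ends up in. The function names, the placeholder file and the placeholder URLs are mine; the stream format is the one browsers write. It needs an NTFS volume, because alternate data streams do not exist on FAT or exFAT.

```powershell
# Added example, not part of the original post.
# URLZONE values used in the ZoneId field of the Zone.Identifier stream
$ZoneName = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-MarkOfTheWeb {
    # Parses the Zone.Identifier alternate data stream; ZoneId is $null when the file is unmarked.
    param([Parameter(Mandatory)] [string] $Path)

    $lines  = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $id = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $id
        Zone        = if ($null -eq $id) { 'none (unmarked)' } else { $ZoneName[$id] }
        ReferrerUrl = $fields['ReferrerUrl']
        HostUrl     = $fields['HostUrl']
    }
}

function Find-UnmarkedExecutable {
    # Lists .exe/.msi files under a folder (default: the user's profile) that do not carry
    # an Internet-zone mark, i.e. the ones App Install Control would let run. A freshly
    # unblocked installer shows up here, as does anything extracted by a tool that
    # does not propagate the mark.
    param([string] $Root = $env:USERPROFILE)

    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.msi -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
        Where-Object { $_.ZoneId -ne 3 }
}

# --- Constructed demonstration: a placeholder file standing in for a downloaded installer ---
$sample = Join-Path $env:TEMP 'constructed-setup.exe'
Set-Content -Path $sample -Value 'placeholder text, not an executable'

# This is the stream a browser writes on download; the URLs are placeholders.
Set-Content -Path $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://example.invalid/download',
    'HostUrl=https://example.invalid/setup.exe'
)
Get-MarkOfTheWeb -Path $sample | Format-List    # ZoneId 3 / Internet: the state SmartScreen blocks on

# What the Unblock control and Unblock-File both do: delete the stream outright.
Unblock-File -Path $sample
Get-MarkOfTheWeb -Path $sample | Format-List    # ZoneId empty: App Install Control no longer applies

# HideZoneInfoMechanism only hides the Explorer control; this path, and the equivalent
#   Remove-Item -Path $sample -Stream Zone.Identifier
# remain available to any user with a PowerShell prompt.
Remove-Item -Path $sample

# Sweep the profile for installers that have lost (or never had) their mark
Find-UnmarkedExecutable | Format-Table Path, Zone -AutoSize
```

The sweep is a cheap audit rather than a control: a file can legitimately be unmarked because it was copied from a network share or extracted from an archive, so treat the list as a starting point for questions, not proof of a bypass.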


You can’t customise it

Everything we have discussed above is the limit of App Install Control. You can’t customise the pop-ups, or look and feel. You are beholden to Microsoft’s logic and development of the feature.


Summary

App Install Control - pros:

  • Can be implemented in 15 minutes,

  • Offers a basic level of protection against user-installed software, without any of the rule authoring and maintenance that the more mature products (AppLocker / WDAC) demand,

  • Free, and no maintenance required (such as application safe-listing).

App Install Control - cons:

  • Easily out-manoeuvred by someone competent in IT,

  • Approved manually installed software may need to be unblocked before installation,

  • No configuration options to customise the look and feel.


I would recommend looking into this feature, but make sure you get buy-in from your team to see if it’s right for you.

