Protecting Windows 8 Desktops Against User-Installed Apps

Brien Posey, Freelance Writer and Former CIO | 4/23/2013 | 17 comments

Windows 8 provides an array of tools that will help prevent users from installing unwanted applications on their devices. User-installed applications can cause problems with other applications or with the operating system.

Such problems can be time-consuming to correct because the helpdesk staff may not know that there is a compatibility issue with the application that the user installed. Organizations are also legally responsible for making sure that any software installed on those computers is properly licensed. In other words, unauthorized applications can decrease productivity while increasing support costs.

Rather than delve into a discussion of third-party solutions, I want to talk about the mechanisms that are available using native Microsoft features.

Virtual desktops
Although virtual desktops aren’t specifically intended to be a mechanism to prevent users from installing unauthorized applications, Microsoft’s VDI implementation actually does a really good job of it. A Windows Server-based VDI implementation makes use of virtual desktop pools. Assuming that personal virtual desktops are not being used, the connection broker connects clients to random virtual desktops.

Once connected and logged in, the user is free to do anything that he wants (within the limits of the administrative controls that have been put into place). However, once the user logs out, any changes that the user might have made to the virtual desktop are rolled back, and the virtual desktop is left in a pristine state for the next user. In other words, users might theoretically be able to install unauthorized software onto a virtual desktop, but that software will be removed as soon as the user’s session ends (unless personal virtual desktops are being used).

Group policy settings
When it comes to legacy desktop applications, effective use of NTFS permissions is essential to preventing users from installing unauthorized applications. Simply put, users should not have local administrative permissions. Even so, NTFS permissions alone are inadequate for locking down Windows 8. You will also need to make use of group policy settings.

There are two main group policy settings that you should focus on. First, take a look at Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access. This area of the group policy tree allows you to implement settings to block access to removable media. This can go a long way toward preventing users from installing unauthorized software from removable media.

The second group policy setting that you should focus on is Computer Configuration\Windows Settings\Administrative Templates\Windows Components\Store. This section of the group policy tree contains a setting named Turn Off the Store Application. You can use this setting to prevent users from downloading and installing apps from the Windows Store.

AppLocker is a Windows feature that is specifically designed to prevent the execution of unauthorized applications. AppLocker is technically a collection of group policy settings, but Microsoft treats it as a Windows feature rather than merely as a sub-component of group policies.

AppLocker in Windows 8 supports the creation of four different types of rules, including:

  • Executable Rules -- Executable rules either allow or block access to specific executable files. These rules can identify files based on the publisher that signed the executable, a file hash, or the path to the executable file.
  • Windows Installer Rules -- Windows Installer Rules are similar to executable rules, except that they apply to Windows Installer files. Windows Installer rules can be based on file hash, file path, or publisher.
  • Script Rules -- Script rules govern the running of scripts. These rules can apply to PowerShell scripts, batch files, VBScript, JavaScript, and CMD files.
  • Packaged App Rules -- Packaged app rules govern packaged apps (which are also known as Windows 8 apps). Packaged app rules can be based on the publisher name, package name, or package version.
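
An added example (not from the original article) of putting the executable, Windows Installer and script rule types into practice with the AppLocker PowerShell cmdlets: it builds publisher rules with a file-hash fallback from a reference machine, dry-runs them, and applies them in audit-only mode. The directory list, rule name prefix, sample file paths and output file name are assumptions.

```powershell
# Added example. Assumptions: elevated PowerShell session on a clean reference PC;
# the directories, rule prefix, sample files and output path below are placeholders.
Import-Module AppLocker

# Locations that standard users cannot write to.
$referenceDirs = @($env:ProgramFiles, $env:windir)

# 1. Inventory executables, Windows Installer files and scripts in those locations.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, WindowsInstaller, Script -ErrorAction SilentlyContinue
}

# 2. Prefer publisher rules; fall back to a file hash when a file is unsigned.
#    Path rules are left out so nothing depends on who can write to a folder.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Reference' -Optimize

# 3. Audit-only first: decisions are logged, nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Dry run: how would the policy treat an inventoried file and a user download?
$samples = @(
    "$env:windir\System32\notepad.exe",
    "$env:USERPROFILE\Downloads\setup.exe"   # hypothetical user-downloaded installer
) | Where-Object { Test-Path $_ }
Test-AppLockerPolicy -PolicyObject $policy -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Merge into the local policy and keep an XML copy for review or GPO import.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Get-AppLockerPolicy -Local -Xml | Out-File "$env:TEMP\applocker-local.xml" -Encoding UTF8

# 6. AppLocker only evaluates rules while the Application Identity service runs.
Start-Service -Name AppIDSvc

# 7. Later, list what enforcement would have blocked (event ID 8003).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Before switching a rule collection from AuditOnly to Enabled, make sure administrators have allow rules of their own, because any file that matches no rule in an enforced collection is denied.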

As you can see, Microsoft provides a variety of mechanisms that can be used to prevent the installation of unauthorized applications. However, the most effective approach, depending on your needs, is usually to use a combination of techniques including Windows resources, third-party apps, internal policies, and user training.

Susan Fogarty   Protecting Windows 8 Desktops Against User-Installed Apps   5/21/2013 12:05:57 PM
Re: App installation
Yes, Stacey, that sounds like a good example of "just because you can do something, doesn't necessarily mean you should do something." A little common sense goes a long way, but sometimes admins can't envision how a user (or multiple users) will actually interact with a device and applications.
StaceyE   Protecting Windows 8 Desktops Against User-Installed Apps   5/17/2013 7:23:54 PM
Re: App installation
@ Susan

It is always a good idea to allow commonly used or NEEDED applications. One thing that got really annoying with my situation is that they had the PC set to go to sleep after 15 minutes of non-use, and it had to have the password entered to wake it up. Totally overkill...I think the boss man thought since he figured out HOW to do it, that he SHOULD......
Susan Fogarty   Protecting Windows 8 Desktops Against User-Installed Apps   5/2/2013 1:25:52 PM
Re: App installation
Oh goodness, Stacey, that is overkill! I agree, a happy medium is best. At my former employer, for example, it would have been much easier if they had a list of approved applications you could download without their assistance. They did have some really techie things on the intranet, but there were other really common things, like Firefox, Tweetdeck, etc. that lots of us needed to use for work purposes and they could have made those permissible.
StaceyE   Protecting Windows 8 Desktops Against User-Installed Apps   4/30/2013 8:42:23 PM
Re: App installation
@ Susan

I think there needs to be a happy medium when it comes to permissions. At a past job my manager set up the PC in the shipping department to need an administrator password...and since I was assistant manager, I got the honors of typing in the password every 10 minutes for someone. All because one employee was caught using that workstation during lunch to check her Myspace page (that gives you a hint to how long ago it
Susan Fogarty   Protecting Windows 8 Desktops Against User-Installed Apps   4/30/2013 8:29:18 PM
Re: App installation
Wow, Stacey, that's crazy. At the company I worked at before this one, we couldn't download anything on our PCs unless it was pushed to us by the IT department. If we wanted anything else, no matter how small, we had to request permission and have administrator rights granted, which lasted 15 minutes. I appreciated the idea, but it was really a pain!
anthony.nima   Protecting Windows 8 Desktops Against User-Installed Apps   4/29/2013 10:24:21 AM
Re: App installation
@Zaius: I think this happens mainly when it comes to outsourcing. I think the bigger risk is for the company and it will be bad if they do not know the value of their data sets.
StaceyE   Protecting Windows 8 Desktops Against User-Installed Apps   4/28/2013 4:39:15 PM
Re: App installation
@ Susan

I recently contracted with a small software company and I was actually shocked about how relaxed they were with employee computer uses. In the call center techs would be literally doing whatever they want between calls. One guy made a game of finding at least one really weird app per day and showing it off to everyone. This was the polar opposite of the company before that, you had to enter a password practically every time you changed windows....and you wouldn't have wanted to even think about logging into Facebook or checking your private e-mail!
Zaius   Protecting Windows 8 Desktops Against User-Installed Apps   4/27/2013 10:44:44 AM
Re: App installation
Often, the 'owner' does not know whether his data is valuable or not (like the hospital Trek mentioned). And, their outsourcing partners are indifferent. This can be bad for both if something like a breach happens.
Randomus   Protecting Windows 8 Desktops Against User-Installed Apps   4/25/2013 12:11:37 PM
Re: App installation
Trek:  I find it funny to hear about how things operate from the other side, as I think it's up to the outsourced IT provider and the client to iron out details related to their own business agreement.
Zaius   Protecting Windows 8 Desktops Against User-Installed Apps   4/24/2013 10:46:24 PM
Re: App installation
@Trek: Sometimes there is a difference between what the IT does and the organizations want. As you said, if not properly co-ordinated, things fall apart and users get the freedoms, and this goes un-noticed.