block specific .msi install

  • block specific .msi install

    Is there any way in group policy to block a specific .msi install? I don't want to block all .msi installs...just a certain one from running.

    The user can save it anywhere on his machine, or just choose to "run" it and not save...I want to block it either way by the name of the .msi file.

    I haven't found an option for this in GP...can anyone help?

  • #2
    Re: block specific .msi install

    You could create a Hash rule through a Software restriction policy

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR


    • #3
      Re: block specific .msi install

      Yes, I actually have that set up for certain exe's related to this issue...but that does not block the .msi from running when you do not save it to your local machine. I'm not sure where it is running...but I have the main program files and common files folders disallowed with path and hash rules.

      ex. The user just chooses to "run" the .msi and not save it. Either way it does not get blocked...so the issue is still there.


      • #4
        Re: block specific .msi install

        I was under the impression that a hash rule will apply independent of where the file is saved, as opposed to a Path rule which does that. Can you double check if .MSI is present in the Designated file types?

        • #5
          Re: block specific .msi install

          Yes the .msi is in the designated file types...but that doesn't matter because when you "run" instead of saving the .msi file, the GPO will not catch it.

          I think the path and hash rule work hand in hand...you still need to specify the path of the .exe for the hash rule, you can't just do: "block this .msi from running or saving anywhere on the machine"


          • #6
            Re: block specific .msi install

            Actually...I misunderstood this myself. Sorry.

            I had to save the .msi myself first, then add it in as a hash rule...I didn't realize it ONLY stores the hash (this is where I was a dummy and thought the path had something to do with it too).

            Works now, thanks!


            • #7
              Re: block specific .msi install

              Originally posted by ekrengel
              I think the path and hash rule work hand in hand...you still need to specify the path of the .exe for the hash rule, you can't just do: "block this .msi from running or saving anywhere on the machine"
              Yes you can. That's exactly what a Hash rule is. Once the hash has been generated it won't change even if the file location changes or the file is renamed. The Hash only changes if the file itself changes.
              A path rule is a totally different matter.

              Ta

              • #8
                Re: block specific .msi install

                And providing the MSI or program is not updated, the hash rule will continue to be effective. I have known this happen before on a network and the administrators could not work out why certain banned programs could suddenly be used.
                Last edited by Virtual; 4th March 2009, 00:28.


                • #9
                  Re: block specific .msi install

                  Under User Configuration|Administrative Templates|System|Don't run specified Windows applications add the msi file. This should block the msi from running regardless of whether it's saved, run, what the path is, or what the hash is.


                  • #10
                    Re: block specific .msi install

                    Originally posted by joeqwerty
                    Under User Configuration|Administrative Templates|System|Don't run specified Windows applications add the msi file. This should block the msi from running regardless of whether it's saved, run, what the path is, or what the hash is.
                    That should only work with specific Windows programs, I'm afraid, and even if it did work, can be easily circumvented by renaming the file. Since the OP is referring to a particular MSI file not necessarily part of the OS, a Hash rule on a Software restriction policy would be more effective.

                    Ta

                    • #11
                      Re: block specific .msi install

                      Thanks - I didn't know of that option either.

                      That will work as well...doesn't hurt to have both there, because if the .msi file is updated, it will have a different hash, and then the "don't run specific windows app" setting should kick in.

                      Is it essentially doing string matching? Like you said though, it can easily be circumvented by renaming the file...but most users will not know that, especially after the other files have been blocked, and then they see that this one is too.

                      They will most likely give up.

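The difference the thread settles on, between matching a file by its content hash and matching it by its file name, shown as an added PowerShell illustration that is not part of any post above. It only models the two comparisons and does not read or configure any policy; SHA-256, the file names and the byte contents are assumptions constructed for the demonstration.

```powershell
# Added illustration: models content-hash matching vs. file-name matching.
# It does not read or configure any policy. SHA-256, the file names and the
# byte contents are assumptions constructed for this demonstration.
$work  = Join-Path ([System.IO.Path]::GetTempPath()) ("hashrule-demo-" + [guid]::NewGuid())
$other = Join-Path $work 'elsewhere'
$v2dir = Join-Path $work 'v2'
New-Item -ItemType Directory -Path $other, $v2dir -Force | Out-Null

# Constructed stand-in for the unwanted installer (not a real MSI package).
$original = Join-Path $work 'unwanted.msi'
[System.IO.File]::WriteAllBytes($original, [byte[]](1..64))

# The situations raised in the thread: renamed, saved elsewhere, updated.
$cases = [ordered]@{
    'original'             = $original
    'renamed copy'         = (Join-Path $work  'renamed.msi')
    'copy in other folder' = (Join-Path $other 'unwanted.msi')
    'updated, same name'   = (Join-Path $v2dir 'unwanted.msi')
    'updated and renamed'  = (Join-Path $v2dir 'renamed.msi')
}
Copy-Item -LiteralPath $original -Destination $cases['renamed copy']
Copy-Item -LiteralPath $original -Destination $cases['copy in other folder']
# An "update" is modelled as one extra byte: any content change alters the hash.
[System.IO.File]::WriteAllBytes($cases['updated, same name'], [byte[]](1..65))
Copy-Item -LiteralPath $cases['updated, same name'] -Destination $cases['updated and renamed']

# The two "rules", both captured once from the original file.
$blockedHash = (Get-FileHash -LiteralPath $original -Algorithm SHA256).Hash
$blockedName = 'unwanted.msi'

$results = foreach ($case in $cases.GetEnumerator()) {
    $name = Split-Path -Path $case.Value -Leaf
    $hash = (Get-FileHash -LiteralPath $case.Value -Algorithm SHA256).Hash
    [pscustomobject]@{
        Case          = $case.Key
        FileName      = $name
        HashRuleMatch = ($hash -eq $blockedHash)   # content only; name and folder ignored
        NameRuleMatch = ($name -eq $blockedName)   # name only; content ignored
    }
}
$results | Format-Table -AutoSize

Remove-Item -LiteralPath $work -Recurse -Force
```

The hash comparison matches the original and both copies but neither updated file, while the name comparison matches only the files still called unwanted.msi. The updated-and-renamed file matches neither, which is the gap posts #8 and #10 describe.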