Category filter
Script to restrict Standard users from installing apps on Windows 10
App management takes various approaches depending on the business needs of an organization. App deployment is considered one of the basic steps to ensure that the device has the essential resources to start a task. As part of app management policies, if you want to prevent the installation of unnecessary apps or limit app installation only to administrator accounts, there are several ways to achieve it. This documentation includes PowerShell scripts that will help restrict the app installation on the device when the signed-in user is a standard user. The Execute Custom Script action on the Hexnode console is a reliable method to remotely execute such customized scripts on Windows devices.
The Sample Scripts provided below are adapted from third-party Open-Source sites.
Disable Microsoft Installer to prevent installation of MSI files
Windows Installer is a configuration service that manages the installation and uninstallation of MSI-based applications. Disabling it can help you prevent the users from installing MSI files. For example, when the user tries to install an MSI file, the following script prompts the user that the administrator has set policies to prevent the installation.
|
1 2 3 4 5 6 7 8 9 10 |
#script to disable msi $path1 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows' $path2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' If (-NOT (Test-Path $path2)) { New-Item -Path $path1 -Name 'Installer' New-ItemProperty -Path $path2 -Name 'DisableMSI' -Value 2 -PropertyType DWord } If ((Get-Item -Path $path2).GetValue('DisableMSI') -ne '2') { New-ItemProperty -Path $path2 -Name 'DisableMSI' -Value 2 -PropertyType DWord } |
However, these restrictions can be removed if the user deletes this policy by accessing the Registry Editor or Local Group Policy Editor on the device. In addition, since only an administrator user can make changes to the settings configured there, it prevents other user accounts from modifying the settings.
How to re-enable the Microsoft Installer?
You have to change the settings from the device end to re-enable the Microsoft Installer. It can achieved in two ways:
Using the Registry Editor
- Open the Registry Editor app on the device.
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer.
- Right-click on the policy name corresponding to the one specified on the script.
- Click Delete.
Using Local Group Policy Editor
- Enter gpedit.msc on the search bar.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Turn off Windows Installer.
- The setting would be shown ‘Not Configured’. However, click on the ‘Disabled’ radio button and click on Apply. Click OK to confirm.
- Further, open the Turn off Windows Installer setting and re-enable the ‘Not configured’ radio button. Click Apply. Click OK to confirm.
Only an admin user can change these settings from the device.
Disable a particular user from installing the given .EXE file
This method is a selective approach to preventing the user from installing specific files. You can mention the user account and the .EXE file that should not be permitted to install on the device.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
$username=$args[0] $user = New-Object System.Security.Principal.NTAccount($username) $sid = $user.Translate([System.Security.Principal.SecurityIdentifier]) $sid_value = $sid.Value Get-ChildItem registry::HKEY_USERS\.DEFAULT $path3 = 'registry::HKEY_USERS\' + $sid_value + '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\' $path1 = 'registry::HKEY_USERS\' + $sid_value + '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' $path2 = 'registry::HKEY_USERS\' + $sid_value + '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun ' $name = $args[1] $value = $args[2] If (-NOT (Test-Path $path1)) { New-Item -Path $path3 -Name 'Explorer' } If ((Get-Item -Path $path1).GetValue('DisallowRun') -ne '1') { New-ItemProperty -Path $path1 -Name 'DisallowRun' -Value 1 -PropertyType DWord } If (-NOT (Test-Path $path2)) { New-Item -Path $path1 -Name 'DisallowRun' } New-ItemProperty -Path $path2 -Name $name -Value $value |
For instance, if you want to restrict the installation of Firefox 98.0.1 on a user account named “Gerald Nathan,” you can specify it while you execute the script from the Hexnode console. Include it in the following format as Argument “Gerald Nathan” “100” “Firefox 98.0.1.exe”. The value (100) is nothing but a random number for each extension and should not be equivalent to ‘0’.
Thus, when the user tries to install the given .EXE file, it prompts for authentication using the administrator password.
- It is recommended to manually validate the script execution on a system before executing the action in bulk.
- Hexnode will not be responsible for any damage/loss to the system on the behavior of the script.
