Group policy to delete unauthorised software

    Question

  • Hi everyone,

    I have a unique case where I need some help. I have a group of on-site engineers (domain users, but they have local administrator rights) who are using laptops. They are required to install software occasionally when they travel, therefore I need a way using group policy to remove all the software not installed by group policy. I understand that one way to do it is to remove the registry of all software not installed by group policy so that it cannot be used. I only want the software to be removed when they connect to the company network.

    1) Run group policy every time when connected to the company network

    2) The above group policy will delete software not installed by group policy (by deleting the registry key of the software)

    3) Basic hardware drivers installed on the laptop should not be affected

    4) Software installed by group policy should not be affected

    5) Is it possible to use WMIC as well?

    Monday, July 20, 2015 3:55 AM

Answers

  • > I need a way using group policy to remove all these software not
    > installed by group policy
     
    You cannot. Or do you have a comprehensive list of all registry and file
    system changes your GPO software imposes? How would you identify a given
    directory e.g. in %Program Files%\Common Files as belonging to GPO soft or
    manual install?
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 20, 2015 12:54 PM
  • For one, every company works differently in terms of rules and policies because different humans make them based on individual company needs. I can't control that or things I am asked to do, so I am doing my best to try to solve this.

    Now based on what I this registry area, HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. I would be able to run some sort of msiexec.exe /x {utorrent.msi guid number} or C:\Program Files (x86)\DAEMON Tools Lite\uninst.exe as a base to start out

    The script I am looking for will search the registry at the location above, compare it to a whitelist of programs that will be safe from being uninstalled (7zip, java, intel wireless, etc.) and uninstall the rest. That's a start, I guess.

    Friday, July 24, 2015 2:34 AM
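
An added example, not written by any poster in this thread: a PowerShell sketch of the approach described in the post above, which reads the Uninstall keys, compares each DisplayName against an allowlist and reports what would be removed. The allowlist patterns and the `-Remove` switch are assumptions, and the script also reads the 64-bit and per-user Uninstall keys, which goes beyond the single key named in the post.

```powershell
# Added example: report-first. Nothing is uninstalled unless -Remove is passed.
param([switch]$Remove)

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Hypothetical allowlist (wildcards matched against DisplayName); extend before use.
$Allow = '7-Zip*', 'Java*', 'Intel*', 'Adobe*Reader*', 'Dell*', 'Microsoft*'

function Get-InstalledSoftware {
    # Entries without a DisplayName or flagged SystemComponent are not user-facing products.
    Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, Publisher, PSChildName, WindowsInstaller,
                      QuietUninstallString, UninstallString
}

function Test-Allowed($Name) {
    foreach ($pattern in $Allow) { if ($Name -like $pattern) { return $true } }
    return $false
}

function Get-RemovalCommand($App) {
    # MSI products: the key name is the product code, so msiexec can remove it silently.
    if ($App.WindowsInstaller -eq 1 -and $App.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        return "msiexec.exe /x $($App.PSChildName) /qn /norestart"
    }
    # Non-MSI installers: act only when the vendor registered a silent command.
    if ($App.QuietUninstallString) { return $App.QuietUninstallString }
    return $null   # interactive uninstaller only: left for manual review
}

$report = foreach ($app in Get-InstalledSoftware) {
    if (Test-Allowed $app.DisplayName) { continue }
    [pscustomobject]@{
        Name      = $app.DisplayName
        Publisher = $app.Publisher
        Command   = Get-RemovalCommand $app
    }
}
$report | Sort-Object Name | Format-Table -AutoSize -Wrap

if ($Remove) {
    foreach ($item in $report | Where-Object Command) {
        Write-Host "Removing $($item.Name)"
        Start-Process cmd.exe -ArgumentList '/c', $item.Command -Wait
    }
}
```

Rows with an empty Command column have only an interactive uninstaller registered and are never touched by `-Remove`; review the report on a test machine before enabling removal.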

All replies

  • Hi John,

    I agree with Martin. Group Policy can't help us do this.

    Best regards,

    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 22, 2015 9:54 AM
    Moderator
  • If that's the case,

    Can anyone show me a basic logon script that I can edit with just MS Word or Notepad? I will be taking a risk by modifying the registry in this case. For instance, HKEY_CURRENT_USER\Software, I want to preserve 7zip, adobe reader, java and dell registry keys and delete the rest of the keys.

    I know it's not the full list of what I want to preserve, but I just need a starting point.

    I am using a test environment so it should be ok


    • Edited by johnlee87 Thursday, July 23, 2015 6:55 AM
    Thursday, July 23, 2015 6:53 AM
  • > this case. For instance, HKEY_CURRENT_USER\Software, I want to preserve
    > 7zip, adobe reader, java and dell registry keys and delete the rest of
     
    If you start deleting registry values, you only will render the software
    partially unusable - you will neither remove it nor make it inaccessible.
     
    I still fail to fully understand your requirement - you give admin
    rights to your users to install software, so you are out of control of
    your computers anyway :)
     

    Greetings/Grüße, Martin

    How about reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 23, 2015 9:12 AM
  • Hi John,

    To ask for help regarding scripting, in order to get better assistance, it's recommended that we ask for suggestions in the following scripting forum.

    The official scripting guys forum

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG

    Best regards,

    Frank Shen


    Thursday, July 30, 2015 8:40 AM
    Moderator