none
Software Restriction Policy not blocking MSI files

    Question

  • Hello, we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them.  Has any one else had this issue?  What are some things I should look out for?  Thanks.
    Wednesday, March 11, 2015 4:01 PM

Answers

  • The problem was that the msi was actually being called by the Java plugin, therefore SRP was never seeing the actual msi as being run.  Blocked Java and this solved the problem.
    Wednesday, July 22, 2015 1:22 PM

All replies

  • Hi Erin,

    >>we have one SRP in place on our domain that includes MSI files in the Designated File Types, however it is not blocking users from running them.

    Are these users standard user accounts (without administrative privileges) ? Besides, what SRP rule did we configure to disallow the .msi files? Here, we can run command gpreport.html gpresult/h to collect  group policy result report to check how group policy settings are applied. Note, to collect computer part group policy setting report, we need to run the command with administrative privileges.

    In addition, to block .msi files, we can also use Applocker to do this. Regarding Applocker, the following article can be referred to for more information.

    AppLocker Overview

    https://technet.microsoft.com/en-us/library/hh831440.aspx

    Understanding AppLocker Rules

    https://technet.microsoft.com/en-us/library/dd759068.aspx

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Prabhu Mallick Thursday, March 12, 2015 10:28 AM
    • Unproposed as answer by Erin L. Wornick Thursday, March 12, 2015 12:29 PM
    Thursday, March 12, 2015 8:41 AM
    Moderator
  • The MSI file type is in the Designated File Types in User Config->Windows Settings->Security Settings->Software Restriction Policies.  Then, in User Config->Windows Settings->Security Settings->Software Restriction Policies->Security Levels the Default Security Level is Disallowed.  In the Additional Rules section we have unrestricted things such as the Program Files/Program Files (x86) directories and such.  EXE files do not run for these users (and yes, they are standard users, not local or domain admins) but the MSI files do.  Thank you for the links on AppLocker.  If I cannot figure out what's wrong with the SRP, I will look into this further.
    Thursday, March 12, 2015 12:19 PM
  • And I'm sorry, I unproposed the answer because I'm not sure if it actually answered my question or not.
    Thursday, March 12, 2015 12:30 PM
  • The problem was that the msi was actually being called by the Java plugin, therefore SRP was never seeing the actual msi as being run.  Blocked Java and this solved the problem.
    Wednesday, July 22, 2015 1:22 PM