1 vote

We ship a component of our software as MSI to customers who have AppLocker activated. The installation fails with AppLocker kicking in. As far as I understand, the problem is:

  • AppLocker default rules only allow Administrators to install MSI files
  • By design, Windows installer runs MSI files unprivileged at first and only switches later to elevated privileges

So the installer is "too late" for AppLocker. What works (only tried 1-3):

  1. Open a Command Prompt as Admin and run the MSI file
  2. Create an AppLocker rule to allow normal users to install MSI from a specified directory
  3. Let a setup.exe run the MSI and run setup.exe as an Administrator
  4. Hack Windows to create a "run as" context menu entry for MSI files
  5. Wrap the MSI into a self extracting EXE

All of these either require changes on the customer's side (2, 4), are not as easy as installing should be (1, 3) or double the packages (5). (Other customers require MSI for deployment.)

Is there an easy way to make MSI work with AppLocker?


2 Answers

0 votes

AppLocker is a feature that allows an enterprise to create protective policies of what software can be installed and executed. This is a problem of your customers making and they need to handle whitelisting your application internally.

MSI and AppLocker are functioning exactly as designed. Security and usability is inversely proportional. :(

0 votes

Is there an easy way to make MSI work with AppLocker?

Yes, my suggestion would be to digitally sign the MSI.

With the digital signature the customer can then create a Publisher Rule to allow any MSI signed by your company to install from any location on the host system.

References:

Understanding the Publisher Rule Condition in AppLocker: https://technet.microsoft.com/en-us/library/ee460943(v=ws.11).aspx

Windows Installer Rules in AppLocker: https://technet.microsoft.com/en-us/library/ee460957(v=ws.11).aspx
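The two halves of this answer (vendor signs the MSI, customer builds a Publisher rule from that signature) as an added PowerShell example; it is not code from the answer's author. `Component.msi`, `vendor.pfx`, the timestamp URL and the rule-name prefix are placeholders, and the customer-side cmdlets come from the built-in AppLocker module and need an elevated prompt.

```powershell
# Added example, not from the answer above. Placeholder names: Component.msi,
# vendor.pfx, the timestamp URL and the 'VendorMsi' rule prefix.

# --- Vendor side: Authenticode-sign the MSI (signtool.exe ships with the Windows SDK) ---
$TimestampUrl = 'http://timestamp.example.invalid'   # replace with your CA's RFC 3161 timestamp server
# /fd SHA256 : digest used for the file hash
# /tr + /td  : timestamp the signature so it stays valid after the certificate expires
& signtool.exe sign /fd SHA256 /f .\vendor.pfx /p $env:PFX_PASSWORD `
    /tr $TimestampUrl /td SHA256 .\Component.msi

# Check the signature before shipping: an 'Invalid' or 'NotSigned' status means
# no Publisher rule can ever match this file.
$sig = Get-AuthenticodeSignature -FilePath .\Component.msi
if ($sig.Status -ne 'Valid') { throw "MSI signature status is $($sig.Status)" }

# --- Customer side (elevated PowerShell): derive a Publisher rule from the signed MSI ---
$info = Get-AppLockerFileInformation -Path .\Component.msi
# Publisher is empty for an unsigned MSI; only a path or hash rule would be possible then.
if (-not $info.Publisher) { throw 'MSI is not signed; cannot build a Publisher rule' }

$policyXml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'VendorMsi' -Xml
$policyXml | Set-Content -Path .\VendorMsi.xml
# Review VendorMsi.xml before applying it: the generated <FilePublisherRule> lands in the
# Msi collection and is scoped to this product name and version. Widen ProductName and the
# version range to "*" only if the intent really is "any MSI signed by this publisher".

# Dry run: would a standard user be allowed to run the MSI under the new rule?
Test-AppLockerPolicy -XmlPolicy .\VendorMsi.xml -Path .\Component.msi -User Everyone

# Merge into the existing local policy. Without -Merge the default rules (including the
# Administrators-only MSI rule) are replaced, not extended.
Set-AppLockerPolicy -XmlPolicy .\VendorMsi.xml -Merge
```

In a domain the same XML is imported into the AppLocker GPO instead of applied locally; `Test-AppLockerPolicy` is the step that catches a rule that matches nothing because the MSI was signed with a different certificate than expected.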