Preventing software installation without AppLocker


In the light of recent news we are seeking wisdom on how to block Oracle Java from installing on all domain-joined Windows computers. The major headache is that the organisation doesn't use AppLocker.

Hardcoding every possible installation path seems to be a pain and adding every Java installer into our antivirus creates issues with customers whom we provide managed AV services to.

Are there any other ways to prevent specific applications from installing without using AppLocker?

Most organizations aren't able to use AppLocker. The rest don't use it. It's difficult to configure and maintain, and no-one uses "paths". So the dilemma is, the organization does not have the appetite to make AppLocker work, but also does not have the appetite to do the other things that they aren't doing but they think AppLocker will fix but will not.

There are two categories of things you can do. Implement allow listing of software to only allow authorized things to run. Inventory all installed software, and review what is running.

Allow listing is a large project, not many accomplish it, but will reliably improve your security and compliance with software licensing. AppLocker or Windows Defender Application Control are not the only implementations out there, but Server Fault is not for recommendations, you'll have to find something that fits your needs.

Obviously people still need software to do their jobs, so a major part of the allow list implementation is letting them do so. Get input from people, and make it easy to approve software they want. Perhaps start gradually by blocking anything signed by Oracle, but allow most other things. Ideally, eventually get to the point where all software providers are known, and anything unknown is blocked.

Locking down known install paths is a weak defense. Clever users may get around this by using portable binaries in another location. Or the software has some versioned path that keeps updating. If you are attempting something high maintenance anyway, might as well consider getting tools that will allow full control and visibility over what runs.

As to inventory, find some method of listing all installed packages on hosts. Review these, and identify platforms. You mentioned Java, you can make policy where Java apps will use a preferred OpenJDK build, and keep it updated.
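The inventory step in the answer above, as an added example that is not part of the original thread or any of its posters' code: it enumerates the installer-maintained Uninstall registry keys, singles out Oracle-published Java packages, and confirms the Authenticode signer of the java.exe actually present on disk, so the registry record and the binary can be compared. Paths and the Oracle/Java match patterns are assumptions for illustration; run it with local administrator rights for full coverage.

```powershell
# Added example (not from the original thread): inventory installed software from the
# registry Uninstall keys and flag Oracle-published Java packages for review.
# Assumes the default registry layout of 64-bit Windows (native + WOW6432Node hives).

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    # One object per installed package, as recorded by its installer.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, InstallDate,
            @{ Name = 'RegistryKey'; Expression = { $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', '' } }
}

function Get-OracleJavaInstalls {
    param([object[]]$Inventory = (Get-InstalledSoftware))
    # Match on publisher as well as name: display names change between releases,
    # the publisher string is comparatively stable. Patterns are assumptions.
    $Inventory | Where-Object {
        $_.Publisher -match 'Oracle' -and $_.DisplayName -match 'Java|JDK|JRE'
    }
}

function Get-JavaBinarySigner {
    param([string]$InstallLocation)
    # Reports who signed the binary on disk, independent of what the registry claims.
    if (-not $InstallLocation) { return $null }
    $exe = Join-Path $InstallLocation 'bin\java.exe'
    if (-not (Test-Path $exe)) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
}

$inventory  = Get-InstalledSoftware
$oracleJava = @(Get-OracleJavaInstalls -Inventory $inventory)

"{0} packages installed; {1} Oracle Java packages found" -f @($inventory).Count, $oracleJava.Count

$oracleJava | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.DisplayName
        Version  = $_.DisplayVersion
        Location = $_.InstallLocation
        Signer   = Get-JavaBinarySigner -InstallLocation $_.InstallLocation
    }
} | Format-Table -AutoSize
```

To cover a fleet rather than one host, wrap the script in Invoke-Command against a list of domain computers and collect the objects centrally; the resulting publisher and signer columns are exactly the data an allow-list rule on signer identity (the "block anything signed by Oracle" starting point in the answer) is written from. Note that this inventories and reports; it does not itself block anything.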


There are alternative ways to prevent specific applications from installing on domain-joined Windows computers without using AppLocker. One option is to use Group Policy to restrict software installation, while another is to use third-party software such as EMET or SRP. However, thorough testing of any third-party software is important to ensure it does not interfere with normal system operation.
