Preventing software installation without AppLocker

In the light of recent news we are seeking wisdom on how to block Oracle Java from installing on all domain-joined Windows computers. The major headache is that the organisation doesn't use AppLocker.

Hardcodig every possible installation path seems to be a pain and adding every Java installer into our antivirus creates issues with customers whom we provide managed AV services to.

Are there any other ways to prevent specific applications from installing without using AppLocker?

Two categories of things you can do. Implement allow listing of software to only allow authorized things to run. Inventory all installed software, and review what is running.

Allow listing is a large project, not many accomplish it, but will reliably improve your security and compliance with software licensing. AppLocker or Windows Defender Application control are not the only implementations out there, but Server Fault is not for recommendations, you'll have to find something that fits your needs.

Obviously people still need software to do their jobs, so a major part of the allow list implementation is letting them to do so. Get input from people, and make it easy to approve software they want. Perhaps start gradually by blocking anything signed by Oracle, but allow most other things. Ideally, eventually get to the point where all software providers are known, and anything unknown is blocked.

Locking down known install paths is a weak defense. Clever users may get around this by using portable binaries in another location. Or the software has some versioned path that keeps updating. If you are attempting something high maintenance anyway, might as well consider getting tools that will allow full control and visibility over what runs.

As to inventory, find some method of listing all installed packages on hosts. Review these, and identify platforms. You mentioned Java, you can make policy where Java apps will use a preferred OpenJDK build, and keep it updated.

Yes.

There are alternative ways to prevent specific applications from installing on domain-joined Windows computers without using AppLocker. One option is to use Group Policy to restrict software installation, while another is to use third-party software such as EMET or SRP. However, thorough testing of any third-party software is important to ensure it does not interfere with normal system operation.