Admin by Request + MS AppLocker = GREAT

Companies need to comply with regulations that require them to document which specific applications are running on each PC. It can be hard to make sure users don’t download and run software that is not approved, e.g. shareware/malware, TeamViewer QuickSupport or Google Chrome. But companies still want the flexibility to allow some apps to run for special purposes. Here Admin by Request can help.

The request feature in Admin by Request will “win” over AppLocker, which makes it possible to submit a request and run a specific application. AppLocker is a perfect solution to make sure apps from a specific vendor, of a specific version or from read-only folders can run.

But it can be hard to give back some of this flexibility and still audit this in a smart process.

I have made a demo video – with 5 common scenarios.

My AppLocker policy for the demo – very simple.

In Admin by Request I have activated the setting so users can do Run As Admin, but need approval.

PC 1

  • Downloaded TeamviewerQS and ran it – NOT allowed.
  • Downloaded Notepad++ – Request to install, Allowed
    • Installed in Program Files – Allowed to run
  • Request TeamviewerQS to run – Allowed.
  • Close TeamviewerQS, try to run it again – Not allowed (only a single session is approved).

PC 2

  • Request to install Notepad++, Allowed
    • Install to C:\Notepad\
    • Not allowed to run (only allowed to run from the Program Files and Windows folders)

Conclusion

We now have full control of all executables on the Windows client. Everything is allowed to run from read-only folders, like Program Files and Windows. Software is typically installed in these folders by MEM/SCCM.

All apps that are downloaded, and that users try to install or run, will be blocked. Users are able to request install/run for a single session. IT admins can then approve a single session to run from Admin by Request.
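
A policy of the kind described above (executables allowed only from Program Files and Windows) can be tested against the demo's folders before it is enforced, and the resulting blocks can be pulled from the AppLocker event log for the audit trail. The PowerShell below is an added example, not the author's policy and not Admin by Request code; the rule Ids, rule names, temp file name and scanned folders are assumptions.

```powershell
# Assumed policy modelled on the post's conclusion: allow EXEs for Everyone (S-1-1-0)
# only from Program Files and Windows. Rule Ids are constructed GUIDs.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Allow Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyFile = Join-Path $env:TEMP 'demo-applocker-policy.xml'   # hypothetical file name
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Folders taken from the demo scenarios; only files that actually exist are tested.
$folders = "$env:USERPROFILE\Downloads", 'C:\Notepad', "$env:ProgramFiles\Notepad++"
$exes = Get-ChildItem -Path $folders -Filter *.exe -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName

if ($exes) {
    # PolicyDecision is Allowed, Denied or DeniedByDefault (no rule matched).
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exes -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
} else {
    Write-Host 'No executables found in the scenario folders.'
}

# Audit side: event 8004 = EXE/DLL blocked by an enforced AppLocker policy.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            UserSid  = $data.TargetUser
            FilePath = $data.FilePath
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

With this policy, a file under `C:\Notepad\` or the Downloads folder should come back as `DeniedByDefault`, while the same binary under Program Files is `Allowed`.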