How to keep Windows 10 Enterprise from using anything other than the C: system drive for installs?


This is a question about the latest patch level of Windows 10 Enterprise 22H2.

I work in Enterprise IT; I've been doing it for 25+ years. That includes a lot of offline networks disconnected from the Internet. Many of those networks have heavy restrictions on removable media use and I cannot get into details here. Depending on security policy, it can get end users fired because they triggered security events by running exes which are not allowed to be run from removable media. The problem here is this is now being done automatically by Windows installer.

 

Some time ago, Windows 10 started misbehaving and leveraging removable media as scratch space.
I just took a Microsoft SQL Server patch, i.e. SQLServer2019-KB5033688-x64.exe, copied it into C:\temp and ran it to patch a local SQL Express instance. My C: drive was actually NVRAM and had enough room.
It started writing stuff to my mounted removable drive, a much slower HD mounted over USB, without asking.

How can we configure a Windows 10 Enterprise system so the Microsoft installers will never do this again?

 

Please note I am NOT asking about restricting whether USB removable media can be used on a system. I am specifically asking about new installer behaviour which started about a year ago where any Windows 10 system seemed to start using whatever drive it wants as scratch space for installs.

3 Replies

Sadly this did not work. What appears in gpedit.msc is also slightly different than what is described above. On a Windows 10 Enterprise 22H2 system fully patched as of 2024-04-16, there are two of these which could be related that I have set in gpedit.msc: "Disable installing Windows Apps on non-system volumes" and "Prevent users' app data from being stored on non-system volumes". I set both to enabled and rebooted to make sure these would take effect. I copied the installer for SQL Express 2019 RTM and the latest CU patch to C:\temp. I mounted my slow removable bitlocked hard drive on E:. I installed SQL Express 2019 RTM without issue, but while attempting to patch it to the current CU with KB5035123 it once again extracted to a folder on E: and ran EXEs from that space. If this option actually worked, it should have prevented that.

We still have had zero luck with anything mentioned in this thread set using gpedit.msc to prevent this misbehaviour. We did find similar settings in Group Policy in a production domain, testing using a current Windows 11 Enterprise system, and that did prevent this misbehaviour on the production network.

Press Win + R to open the Run dialog, then type "gpedit.msc" and press Enter to open the Local Group Policy Editor.
1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Installer.
2. Double-click on the "Disable removable media source for any install" policy setting.
3. Select the "Enabled" option, then click Apply and OK to save the changes.

I am running Windows 10 Enterprise 22H2 patched to current. "Disable removable media source for any install" does NOT appear under Computer Configuration > Administrative Templates > Windows Components > Windows Installer. Any idea how I can make that appear?