Forum Discussion

lfk73
Brass Contributor
Jul 25, 2023

Selectively allow app updates

We have company policies that prevent users from installing applications unless they are a local admin. We have a few cases in which applications update regularly and the user cannot install those updates.


Rather than giving them local admin access we are looking at using ApplicationManagement enabling the reg key AllowAllTrustedApps for the updates to install.


This however opens up the possibility for them to install other non business approved software.


Wondering if there is a way to specify what they can and cannot install? The application in question is Adobe Creative Cloud and the Adobe applications, e.g. Photoshop, After Effects etc.

  • LeonPavesic
    Silver Contributor

    Hi lfk73,

    To allow selective app updates for applications like Adobe Creative Cloud, Photoshop, and After Effects while preventing unauthorized software installations, we'll use Group Policy along with AppLocker.

    Understand AppLocker rules and enforcement setting inheritance in Group Policy - Windows Security | Microsoft Learn

    Import an AppLocker policy into a GPO - Windows Security | Microsoft Learn

    AppLocker - Windows Security | Microsoft Learn

    Here are the steps for how you can try to do this (I assume that you use Windows Server and Active Directory):

    1. In Active Directory Users and Computers, create a new folder called, for example, "Selective App Update Computers." This folder will hold the computers that need specific app update permissions.

    2. Move your selected Computers to the New Folder:
    Drag and drop the computers that require selective app update permissions into the "Selective App Update Computers" folder.

    3. Set Up a New Group Policy:
    Open the Group Policy Management Console (GPMC) on your domain controller. Right-click on the "Selective App Update Computers" folder and choose "Create a GPO in this domain, and Link it here." Give the policy a clear name, like "Selective App Update Policy."

    4. Edit the Policy:
    Right-click on the newly created policy and select "Edit." This will open the Group Policy Management Editor.

    5. Configure AppLocker Rules:
    In the Group Policy Management Editor, go to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings," and click on "Application Control Policies." Choose "AppLocker."

    6. Allow Specific Applications:
    To allow specific applications, you need to create executable rules. Right-click on "Executable Rules" and choose "Create New Rule."

    7. Allow Adobe Applications (Publisher Rules):
    For Adobe Creative Cloud and its applications (e.g., Photoshop, After Effects, etc.), you will need to create publisher rules. These rules will allow any application signed by Adobe to run.

    a. Select "Publisher" as the rule type.
    b. Click on "Next," then "Browse" to locate the executable files for Photoshop and After Effects.

    8. Set Enforcement Options:
    After adding the publisher rules, we'll configure enforcement options. Right-click on "AppLocker" and choose "Properties." In the Properties window, select "Configured" for "Executable rules," and choose "Enforce rules" for enforcement.

    9. Apply the Policy: link the "Selective App Update Policy" to the "Selective App Update Computers" folder.

    10. Update Group Policy:
    On the client computers within the "Selective App Update Computers" folder, open a command prompt, and run the command gpupdate /force to apply the new Group Policy settings.


    By doing all this, you will set up a Group Policy using AppLocker to allow selective app updates for Adobe Creative Cloud and its authorized applications, while preventing any installation or execution of non-approved software.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
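The GPO steps above, done with the AppLocker PowerShell cmdlets instead of the Group Policy editor, as an added example that is not part of Leon's reply or of any Microsoft documentation. The Adobe install paths on the reference workstation, the GPO's LDAP path and the `Adobe` rule-name prefix are assumptions; the script reads the Authenticode publisher from the real binaries rather than hard-coding Adobe's certificate subject, dry-runs the rules with Test-AppLockerPolicy, and merges them into the GPO so the default rules created in the editor are kept.

```powershell
# Added example (not from the thread): build, test and merge an AppLocker
# publisher rule set for Adobe executables. Run as a domain admin on a
# machine with RSAT and the AppLocker module; paths below are assumptions.
Import-Module AppLocker

# LDAP path of the "Selective App Update Policy" GPO (placeholder GUID/domain).
$gpoLdap = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'

# Reference copies of the signed binaries to read publisher data from (assumed paths).
$adobeExes = @(
    'C:\Program Files\Adobe\Adobe Photoshop 2023\Photoshop.exe',
    'C:\Program Files\Adobe\Adobe After Effects 2023\Support Files\AfterFX.exe',
    'C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe'
) | Where-Object { Test-Path $_ }

if (-not $adobeExes) { throw 'None of the Adobe executables were found; check the paths.' }

# Read Authenticode publisher information from each file. An unsigned file has
# no Publisher and cannot be covered by a publisher rule, so call those out.
$fileInfo = Get-AppLockerFileInformation -Path $adobeExes
$unsigned = $fileInfo | Where-Object { -not $_.Publisher }
if ($unsigned) {
    Write-Warning "Unsigned files (need a hash or path rule instead): $($unsigned.Path -join ', ')"
}

# Publisher rules for Everyone; -Optimize collapses rules that share a publisher.
# As generated, a publisher rule allows anything that publisher signs. If that is
# broader than wanted, open the rule in the GPO editor and narrow it to the
# product name or file name.
$adobePolicy = New-AppLockerPolicy -FileInformation ($fileInfo | Where-Object { $_.Publisher }) `
    -RuleType Publisher -User Everyone -RuleNamePrefix 'Adobe' -Optimize

# Dry run: show what the new rules alone would decide for the sample binaries.
Test-AppLockerPolicy -PolicyObject $adobePolicy -Path $adobeExes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the GPO instead of replacing it, so the default rules (Windows and
# Program Files paths for Everyone, everything for Administrators) survive.
Set-AppLockerPolicy -PolicyObject $adobePolicy -Ldap $gpoLdap -Merge
```

Two things to check before enforcing: the Application Identity service (AppIDSvc) must be running on the clients or AppLocker rules have no effect, and an "Audit only" enforcement mode first, with the AppLocker EXE and DLL event log reviewed for a week, catches anything the default rules and the Adobe publisher rule do not cover. AppLocker only decides what may run once it is on disk; it grants no installation rights, and the AllowAllTrustedApps setting the question mentions governs sideloading of signed packaged (Appx/MSIX) apps, so whether it helps with Adobe's Win32 updater is worth verifying on a pilot machine rather than assumed.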


    • lfk73
      Brass Contributor

      LeonPavesic, thanks, I'll give it a try.


      Curious though, how does this address the issue of needing local admin rights to install the software?


      Or are you saying this AppLocker approach needs to be used in conjunction with the Allow Trusted Apps reg setting, which takes care of the local admin requirement?

      • LeonPavesic
        Silver Contributor

        Hi lfk73,

        You are right in your understanding.

        The AppLocker approach I mentioned is used in conjunction with the "Allow Trusted Apps" registry setting to address the issue of needing local admin rights to install the software updates.

        By combining the "Allow Trusted Apps" registry setting with AppLocker rules, you can create a more controlled environment where users can only update specific applications (in this case, Adobe Creative Cloud and its authorized applications) while still preventing them from installing any other non-approved software.

        In summary, the "Allow Trusted Apps" registry setting takes care of the local admin requirement for installing updates, while AppLocker ensures that only trusted and authorized applications can be updated, providing an additional layer of security and control.

        Please click Mark as Best Response & Like if my post helped you to solve your issue.
        This will help others to find the correct solution easily. It also closes the item.


        If the post was useful in other ways, please consider giving it Like.


        Kindest regards,


        Leon Pavesic
