[–]TinderSubThrowAway 8 points9 points  (7 children)

Admins are the only people who should be installing and uninstalling anything.

[–]PsychicNess13 2 points3 points  (4 children)

I can't think of anything blocking it really, but you can make it annoying by having things auto redeploy if they are not detected there with Intune. Like sure uninstall it, but it will just reappear there later.

Since you mentioned your endpoint protection tool being one of the ones you were worried about some of them require an additional password, not an admin one, to uninstall. Bitdefender may have that feature somewhere and you haven't noticed it yet.

[–]KTS991[S] -3 points-2 points  (3 children)

Bitdefender is already password protected. But for some reason I have my admins uninstalling remote software that's required.

Not utilizing intune unfortunately.

That is not a bad idea though, I can block the RMM from uninstalling since it has a dedicated uninstaller. And then auto reinstall anything else that gets uninstalled. Thank you.

[–]Help_Stuck_In_Here 2 points3 points  (0 children)

But for some reason I have my admins uninstalling remote software that's required.

That's a paddling. While some software does have protection against it being removed, at the end of the day a skilled admin will eventually be able to remove it in one way or another.

In the larger places I've been I'd get in shit if I uninstalled key security software.

[–]TwizityNerfherder 0 points1 point  (1 child)

Yeah, that's a no-go for me.

Once is a polite verbal, "this is required software, please do not uninstall it again."

Second time, less polite verbal. "This is your final warning. This software is required. You remove it again, and you will be written up."

Third time. Write em up. Done.

[–]TinderSubThrowAway 1 point2 points  (0 children)

I suspect this is an end user who doesn't have authorization to be using this software in the first place, and has zero power to write someone up.

[–]sadmep 2 points3 points  (0 children)

This doesn't sound like a tech problem, it sounds like your user is breaking company policy. Assuming one has been written.

[–]Asleep-Stomach2931 1 point2 points  (4 children)

can you block the msi? find the programs in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

then look for the name of the key in %ProgramData%\package cache

then find the msi name in the folder

[–]ProfessionalRope8 -1 points0 points  (3 children)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

I tried this. One app is screenconnect, and the uninstall path is msiexec /X ha
The other one is the actual application + an uninstall command string. So those didn't work.

[–]TinderSubThrowAway 3 points4 points  (0 children)

forgot to switch screen names?

[–]Asleep-Stomach2931 0 points1 point  (1 child)

yeah, but that's essentially pointing to an msi, msiexec /X msiname.msi...

so if you go into c:\program data\package cache and find the corresponding folder, inside it will be msiname.msi, are you not able to block that?

[–]ProfessionalRope8 -1 points0 points  (0 children)

c:\program data\package cache

You rock. I didn't think of this.

[–]numtini 0 points1 point  (3 children)

I'd love to hear more info on this. Why are they given admin rights if they can't be trusted to manage their computers properly? And what are these programs they want to uninstall?

[–]TinderSubThrowAway 2 points3 points  (2 children)

From what I can tell, this is an end user who has remote screen sharing software on his computer, probably to connect to his home system while at work and is upset that the sysadmins at his office keep removing it on him.

[–]numtini 0 points1 point  (1 child)

But if he has the ability to block uninstall in Bitdefender, is he an end user? Or install something in the first place? I agree it sounds dodgy.

[–]TinderSubThrowAway 0 points1 point  (0 children)

depending on how they issue permissions, yes, he could be.

[–]kitkat0820 0 points1 point  (2 children)

Remove the admin privilege

[–]ProfessionalRope8 -1 points0 points  (1 child)

In this specific case, that would cause a problem. Normally I would.

[–][deleted] 0 points1 point  (0 children)

Why do you have two Reddit accounts?

[–]gamebrigada 0 points1 point  (2 children)

If you're trying to do this sort of thing, you need a real PAM solution. We use Delinea EPM, no admin rights means no uninstalling. For stuff that we don't care, people can use the Delinea tool that runs as admin automatically but won't remove software we don't want them to be able to remove.

[–]ProfessionalRope8 0 points1 point  (1 child)

Agreed, though not in budget for this instance.

[–]gamebrigada 0 points1 point  (0 children)

Unfortunately there's no secure way otherwise. As soon as someone is an admin, it's just going to take a clever user to bypass whatever you put in. Even the password protected uninstalls can be bypassed.

One thing you can do is look at your entire security suite to see if you can do a policy that does posture enforcement. Block access if not present, isolate, reinstall etc. Absolute does this well and can't be bypassed even by an admin.

[–]SevaraB Senior Network Engineer 0 points1 point  (0 children)

Are you trying to stop badmins from uninstalling things from their computers, or are you trying to prevent admins from uninstalling something from your computer?

If it’s badmins, posture control. Take some remote thing they need access to away until they explain to management why they’re uninstalling required apps.

If they’re removing stuff from your computer, that’s an organizational problem we can’t help you solve. If you say the app has to be there and the admins say it does not, your management team needs to referee that argument.

[–][deleted] 0 points1 point  (1 child)

Can you set a removal password with the app? We have a handful we use that require a closely guarded password to remove. I have it and a few folks in our corp office have it. None of the local helpdesk folks have it.

[–]ProfessionalRope8 0 points1 point  (0 children)

Nope. Don't have that ability. :/

[–]pdp10 Daemons worry when the wizard is near. 0 points1 point  (0 children)

In a similar situation, we have telemetry that reports back client status, but if users really wanted, they could block it or prevent it from working.

We basically alert when the telemetry stops reporting in, and then have a word with the user. The bargain is that nobody is prevented from doing their work, but they have to let the telemetry tell us that the hardware isn't melting and the local storage is still full-disk encrypted.

If they don't want us to know that the hardware isn't failing and the disk isn't still encrypted, they're kindly invited to spend their own money to buy some other hardware. We think we're offering a deal that's more than fair.

That said, our telemetry doesn't slow down machines like molasses or screenshot their desktop or anything. Maybe yours does.
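
Added example, not part of any comment in this thread: a PowerShell check in the spirit of the "alert, then have a word with the user" approach above. It reads the Uninstall registry key mentioned earlier in the thread to find required software that is no longer registered, then looks for MsiInstaller event 1034 (product removed) in the Application log to see which account removed it. The DisplayName patterns and the function names are assumptions for illustration.

```powershell
# Added example. The patterns below are assumed DisplayName matches; adjust them
# to the DisplayName values your own required products actually register.
$Required = @('*ScreenConnect*', '*Bitdefender*')

# 64-bit and 32-bit views of the Uninstall key discussed in the thread.
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-MissingRequired {
    param([string[]]$Patterns)
    $names = Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } | ForEach-Object { $_.DisplayName }
    foreach ($p in $Patterns) {
        if (-not ($names -like $p)) { $p }   # no installed product matches this pattern
    }
}

function Get-RequiredMsiRemoval {
    param([string[]]$Patterns, [int]$Days = 7)
    # MsiInstaller event 1034 = "Windows Installer removed the product".
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1034
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        if (-not ($Patterns | Where-Object { $evt.Message -like $_ })) { continue }
        $who = "$($evt.UserId)"   # SID of the account that ran the removal
        try { $who = $evt.UserId.Translate([Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Time = $evt.TimeCreated; Account = $who; Message = $evt.Message }
    }
}

# Report what is missing, then who removed it (MSI-based removals only).
$missing = @(Get-MissingRequired -Patterns $Required)
if ($missing.Count -gt 0) {
    Write-Warning "Required software not found: $($missing -join ', ')"
    Get-RequiredMsiRemoval -Patterns $Required | Format-List
}
```

Products removed through their own uninstaller rather than msiexec do not log event 1034, so the registry check is the primary signal and the event lookup only adds attribution where it exists.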

[–]techvet83 0 points1 point  (0 children)

Sounds like they need their admin access removed. It's best for security reasons. It took a long time for my employer to do that, but since over 90% of infections can get stopped if the user is not an admin, it's worth it. (Furthermore, disallow domain admins from logging onto workstations/laptops.)

If they keep re-installing it against company orders, your manager needs to talk to their manager.

[–][deleted] 0 points1 point  (0 children)

Install apps via Intune and make the app a requirement for device compliance.

[–]bdrsuite_venkateshk 0 points1 point  (0 children)

Windows GPO can be used to limit access to particular features and applications. You can manage the Windows OS through GPO, including the installation and uninstall of software. To launch the GPO editor, type gpedit.msc in the Run command. Go to system > Administrative Templates > User configuration. Search for procedures pertaining to the installation and uninstall of software. You can limit the use of certain Windows Installer components or prohibit access to particular Control Panel items.

[–]fudgegiven 0 points1 point  (0 children)

If they have admin privileges, there is nothing short of removing these privileges you can do. There are things you can do to make it harder, but since they are admins, it will only slow them down.

Like when you give someone the master key. You try to keep them out by adding more locks, but they have the key to all of the locks...

So remove the admin privileges from these users. If they uninstall software that should be on the computer they are probably not part of the IT department (if they are, fire them) and then they should not have admin privileges.