installing .exe apps from apps.microsoft.com

Ivan Bajo 31 Reputation points
2024-09-20T10:44:54.15+00:00

Hi,

What is the purpose of having different types of accounts if normal user can install .exe application from apps.microsoft.com?
How to administer Microsoft OS if you have done this?

This is a huge security issue because normal users can install games, kali linux, social media etc.

How did we come to this?

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
5,412 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Zunhui Han 2,240 Reputation points Microsoft Vendor
    2024-09-20T15:06:37.1566667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    If you want to prohibit standard users from installing applications through group policies, you can try these steps, provided that your system can invoke group policies (there are no group policies in the Home Edition)

    1. In the taskbar, search for Edit group policy and open it.
    2. Expand "Administrative Templates "--"Windows Components"--"Windows Installer", find" Turn off Windows Installer" on the right, double-click on it, Select Enabled and click Ok to save.

    Image

    Image

    I hope the information above is helpful.

    Best regards

    Zunhui

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  2. Michael Taylor 54,401 Reputation points
    2024-09-20T15:27:40.3566667+00:00

    How is this a security issue? Users have always been able to install applications on their own accounts unless you block them from installing apps via GP. For years a user has been able to install per-user applications without admin privileges.

    A per-user app runs in the context of the user and therefore has no more privileges to the system then the user normally would have. For example any user can install the per-user instance of Chrome or per-user instance of Azure Data Studio. This is no different than the user downloading a ZIP file with an EXE inside it and then running the EXE. The EXE has no rights that the user couldn't already do and therefore is not a security vulnerability.

    Apps downloaded from the MS Store are even more locked down. In general they run in a sandbox and only have the rights that are granted to them by the user, who themselves are limited by their user account rights. Again, not a security vulnerability at all.

    From a vulnerability point of view, a user doing something manually, such as creating a file or replacing something on their desktop, or a program doing it for them has the same security risks.

    As Zunhui Han mentioned, if you don't want user to be able to install anything and/or only run apps that you approve then there are GP policies for that. Additionally you can configure Windows to only allow apps to be installed via the MS Store using the Apps \ Advanced app settings UI.


  3. Ivan Bajo 31 Reputation points
    2024-09-20T16:44:36.4766667+00:00

    That GPO is not working with .exe application from apps.microsoft.com which are store apps.

    Installing kali linux on machine that has enabled "Windows Subsystem for Linux" is security issue.

    Standard users installing games, linux, social media apps is security issue no matter if pc is used in business or at home.

    What's the point of standard user in Windows Pro edition if it doesn't mean a thing? Standard users that can install something that you don't want them install is possible.
    Removing MS Store doesn't help, getting back MS Store for standard user is painfull and easiest way is to give the user local admin rights untill it's back.

    Microsoft standard apps calc, notepad, snipping tools etc. stops working after upgrade when MS Store is been removed.

    I fell sorry for you guys that have to work for these new M$ management, hope you'll resist this kind of politics someday

    0 comments No comments

  4. Ivan Bajo 31 Reputation points
    2024-09-26T09:41:26.03+00:00

    I've finally found a way to get back store that was removed for standard users with GPO:

    • you need to have .bat and .ps1 and create immediate task for "User Configuration" that will run (when user is logged on with highest privileges) "\NetworkPath\WinStoreReinstall.bat" (powershell.exe -ExecutionPolicy Bypass -File "\NetworkPath\WinStoreReinstall.ps1") which will run WinStoreReinstall.ps1(Add-AppxPackage -RegisterByFamilyName -MainPackage Microsoft.WindowsStore_8wekyb3d8bbwe)

    GPO to disallow user to open store and install from apps.microsoft.com:

    • software restriction to folder %programfiles%\WindowsApps\Microsoft.WindowsStore*
    • Administrative Templates/Windows Components/Windows Defender SmartScreen/Explorer/Configure App Install Control - Enabled

    And if you have errors with opening store Apps and nothing helps:

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.