User Installed Software and Why You Should Care
Configuration Manager (SCCM / ConfigMgr) administrators should care about user installed software because these apps can be a big security threat. Unfortunately, users with low user rights can install many software programs directly onto their work computers. Worse yet, admins often don’t know what is installed or where it’s installed. Here are some widely used software titles that fall into this category: Firefox, Zoom, Chrome, Teams, etc.
In this blog post, I first show you what happens when a user with low user rights installs this type of software, specifically Zoom and Firefox. Next, I demonstrate how ConfigMgr doesn’t see that this software is installed. Finally, I show you that there is hope by using Endpoint Insights. With Endpoint Insights Reporting it is possible to inventory all user installed software titles!
User Installed Software – Zoom
First, I am going to install Zoom by using the credentials of a low rights user named Morgan. All over the news these days, there are questions about Zoom and its privacy, so let me show you just how easy it is for someone to install Zoom on their work computer.
Morgan wants to host a meeting, so he turns to this free application. After locating the app, he downloads the Zoom installer by clicking on Save.
Once downloaded, he clicks on Run.
Zoom is always installed within the user profile. This means that the end-user, in this case Morgan, never sees the above screenshot unless he installs Zoom under the local system account.
Note: other software titles, such as Firefox, trigger a UAC prompt (see the section below), but when the UAC prompt is cancelled the software still gets installed within the user profile.
Morgan is now ready to run his meeting.
User Installed Software – Firefox
Morgan downloads Firefox by clicking on the Download Now button.
Next, he clicks Save.
Then he clicks Run.
At the User Account Control (UAC) prompt, Morgan clicks on the “X” button in the top right-hand corner. The installer now installs Firefox within the user profile. The same would also happen if Morgan clicked on the No button.
By the way, if an administrator account is used, Firefox is installed on the computer and not just within the user profile.
Firefox is installing.
The Firefox install is complete and Morgan is ready to use it!
Programs and Features
In both of the examples above, Morgan installed software without needing administrator rights. Now, how do you know what software is installed on this computer? I am going to turn to Programs and Features or what used to be called Add/Remove Programs (ARP). It is important to remember the ARP moniker because it is still used within the ConfigMgr SQL Server database. I am going to see first what it tells me about the software on Morgan’s profile and then what it tells me is on my profile for the same computer.
You can see in the above screenshot that Zoom and Firefox (along with Microsoft OneDrive) were installed on April 5, 2020.
Now, notice that when I log on as myself (Garth), Zoom and Firefox are not listed among the software titles. You might also notice that I installed Microsoft OneDrive at an earlier date, and not on April 5 as Morgan did.
What Does Configuration Manager See?
Now I force ConfigMgr hardware inventory to run because I just installed these new software titles. Under normal circumstances, I would wait for the next hardware inventory cycle to occur.
Looking at the ARP x86 software, which in Resource Explorer is listed as Installed Applications, I sort the names displayed from “z-a.” Zoom isn’t listed.
Now looking at Installed Applications (64) / ARP x64, I sort the titles again from “z-a” and notice that Zoom still isn’t listed.
Finally, I look at ConfigMgr Asset Intelligence (AI). AI lists both x86 and x64 software titles and Zoom still isn’t there.
Why isn’t Zoom listed in either Programs and Features/ARP or AI? The ConfigMgr inventory task uses the local system account to inventory software titles. Therefore, only software listed within the HKLM or the HKCU for the local system account profile is inventoried and then displayed. When users install software within their user profile, it is stored within HKCU for that user. The local system account doesn’t have access to other users’ HKCU profiles, so it can’t report on software titles that it can’t access.
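To see where these per-user entries actually live, the following added example (not part of the original post, and not ConfigMgr or Endpoint Insights code) lists ARP entries from HKLM alongside the Uninstall key of each user hive loaded under HKEY_USERS. The function name Get-ArpEntry is hypothetical, and the script assumes an elevated 64-bit PowerShell session on 64-bit Windows.

```powershell
# Added example: list Add/Remove Programs (ARP) entries per registry scope.
# Assumes an elevated 64-bit PowerShell session on 64-bit Windows.
# Only user hives currently loaded under HKEY_USERS (logged-on users) are
# covered; profiles that are not loaded are not read by this script.
$arpSubKey = 'Software\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-ArpEntry {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $KeyPath,  # provider path to an Uninstall key
        [Parameter(Mandatory)] [string] $Scope     # label shown in the report
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    Get-ChildItem -LiteralPath $KeyPath -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($p.DisplayName) {   # skip entries with no display name
            [pscustomobject]@{
                Scope       = $Scope
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                Publisher   = $p.Publisher
                InstallPath = $p.InstallLocation
            }
        }
    }
}

$results = @(
    # Machine-wide entries: the ARP x64 and ARP x86 views.
    Get-ArpEntry -KeyPath "Registry::HKEY_LOCAL_MACHINE\$arpSubKey" -Scope 'Machine (x64)'
    Get-ArpEntry -KeyPath 'Registry::HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -Scope 'Machine (x86)'

    # Per-user entries: one hive per SID; the regex skips the *_Classes keys
    # and built-in accounts such as S-1-5-18 (local system).
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            try {
                $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $user = $sid   # orphaned or unresolvable SID: report it as-is
            }
            Get-ArpEntry -KeyPath "Registry::HKEY_USERS\$sid\$arpSubKey" -Scope "User: $user"
        }
)

$results | Sort-Object Scope, DisplayName | Format-Table -AutoSize
```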
Enhansoft’s User ARP
When you deploy Endpoint Insights Reporting, it captures all user ARP details stored within each user profile. This allows you to see what software is installed by every low rights user (and admin if they have software installed within their user profile) within ConfigMgr.
Below is what Endpoint Insights Reporting collected about my computer; the ARP details about both Morgan’s profile and my user profile are displayed.
Within Resource Explorer you can see that two different versions of Zoom (purple arrows) are installed: one for Morgan and a second one for Garth. You can also see that Firefox is installed: one version for Morgan and another for Garth (red arrows). Without tools like Endpoint Insights Reporting and its User Programs reports, there is no easy way to determine if these software titles are installed or where they are installed. Now that I know that Zoom and Firefox are installed, I can, at a minimum, report on what versions are installed. Or, I can create a package to remove or upgrade this software.