Keeping a program closed while patch is installed

I’m trying to keep a Microsoft program closed while the patch is installing. Basically, I would like the user to NOT be able to click and open the program while the patch is installing. DEVENV.EXE is the exe that launches Visual Studio. How would I keep this executable suppressed while the patch is running? What ACTION can I place at the top of the fixlet code that will keep DEVENV.EXE closed while the patch installs? Not sure if this is possible but thought I’d ask, and I’m guessing I would need something to unfreeze it once the patch is installed. Am I making any sense? Help! Please.

Thanks,
Sno

Normally I’d just put a message to display “while the action is running” to tell the user to not launch Visual Studio again.

Otherwise your options would be to either change the permissions on devenv.exe to prevent the user from running it, or set some kind of AppLocker policy to block the executable from running.

Either of these would be quite fragile to maintain. I suppose the main point here is that BigFix is not responsible for allowing or blocking an application; instead, you need to decide which Windows controls you would like to enforce, and then we can help you with how to implement those controls in a BigFix Action.

2 Likes

Also keep in mind that you might need to run a taskkill command to kill the application if it’s already running, because setting the registry key doesn’t affect applications that are already running.
You can set a registry key to block the application from being executed, but when I was doing this a while back my experience was that any registry settings for AppLocker in HKLM policies were requiring a reboot before they took effect. I could set the policies in HKCU and they would take effect immediately, but this is an issue if multiple users are currently logged into the same machine, like a shared user, so you might want to use HKUsers to create the key if you were to go that route of using AppLocker policies.

This is how I did it in the past:

waithidden reg add "{User key of Logged on user}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /d 1 /t REG_DWORD /f

waithidden reg add "{User key of Logged on user}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 1 /d executablename1 /t REG_SZ /f

waithidden reg add "{User key of Logged on user}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v 2 /d executablename2 /t REG_SZ /f

7 Likes
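
The steps discussed in this thread (set the DisallowRun values under each user's hive in HKEY_USERS, kill an instance that is already running, then lift the block once the patch is done), sketched as an added PowerShell example that is not code from any poster or from BigFix. It assumes an elevated context such as SYSTEM, `devenv.exe` as the target, and a hypothetical value name `9001` that is not already in use.

```powershell
# Added example. Assumptions: runs elevated (e.g. as SYSTEM), the target is
# devenv.exe, and the value name '9001' is a hypothetical slot assumed to be unused.
$Exe       = 'devenv.exe'
$ValueName = '9001'
$PolicySub = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-LoadedUserSids {
    # Loaded local/domain profile hives appear under HKEY_USERS as S-1-5-21-...;
    # the pattern skips the matching *_Classes hives and the built-in accounts.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { $_.PSChildName }
}

function Set-RunBlock {
    foreach ($sid in Get-LoadedUserSids) {
        $explorer = "Registry::HKEY_USERS\$sid\$PolicySub"
        $list     = "$explorer\DisallowRun"
        # Create the list key only if missing, so existing entries are preserved.
        if (-not (Test-Path $list)) { New-Item -Path $list -Force | Out-Null }
        New-ItemProperty -Path $explorer -Name DisallowRun -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $list -Name $ValueName -Value $Exe -PropertyType String -Force | Out-Null
    }
    # The registry setting does not affect instances that are already running.
    $name = [IO.Path]::GetFileNameWithoutExtension($Exe)
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Clear-RunBlock {
    foreach ($sid in Get-LoadedUserSids) {
        $explorer = "Registry::HKEY_USERS\$sid\$PolicySub"
        $list     = "$explorer\DisallowRun"
        if (-not (Test-Path $list)) { continue }
        Remove-ItemProperty -Path $list -Name $ValueName -ErrorAction SilentlyContinue
        # If no other blocked programs remain, switch the policy off again.
        if ((Get-Item $list).ValueCount -eq 0) {
            Remove-ItemProperty -Path $explorer -Name DisallowRun -ErrorAction SilentlyContinue
        }
    }
}

Set-RunBlock
try {
    # Run the patch installer here and wait for it to finish.
}
finally {
    Clear-RunBlock   # lift the block even if the installer fails
}
```

DisallowRun is enforced by Explorer, so it stops launches from the Start menu or a double-click but not a program started from a command prompt or another process.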