cancel
Showing results for 
Search instead for 
Did you mean: 
jakobs
Level 7

Our MSI based SCCM packages are blocked by Application Control

Jump to solution

Hi,

We've have started to test Applicaiton Control 6.1.2 in our EPO environment, but we're having some problems when trying to deploy applications to the test desktops using our SCCM systems. Packages which contains a MSI installation are prevented by Application Control to get installed(Application Control is reporting PACKAGE MODIFICATION PREVENTED on the MSI file) , whereas packages which contains a setup.exe (like an installshield installation) will be installed without any problems. On the EPO server, the blocked solidcore event is of course registered, and we can allow the msI files one by one, and if redeployed the SCCM installation will run correctly.

I had the impression that all the steps needed for whitelistning SCCM actions were predefined out of the box when deploying the Application Control feature, but based on our expericence I guess that something needs to be configured, but failing to do so  on my own, I'm hoping that someone with some more expericence can share some light on this matter.

Kind Regard,

Jakov Svarrer

0 Kudos
1 Solution

Accepted Solutions
mcafeenewb
Level 9

Re: Our MSI based SCCM packages are blocked by Application Control

Jump to solution

Just for testing, in the features policy check the box for Bypass Package control.

I had a similar issue with my offload scan servers "MOVE" when scanning .msi files.  Was advised by support to select Bypass Package control. It cleared the issue.

From what I understand this does not make you less safe since what this is doing is allowing something other that msiexec to manipulate an .msi file.

0 Kudos
3 Replies
mcafeenewb
Level 9

Re: Our MSI based SCCM packages are blocked by Application Control

Jump to solution

Just for testing, in the features policy check the box for Bypass Package control.

I had a similar issue with my offload scan servers "MOVE" when scanning .msi files.  Was advised by support to select Bypass Package control. It cleared the issue.

From what I understand this does not make you less safe since what this is doing is allowing something other that msiexec to manipulate an .msi file.

0 Kudos
jakobs
Level 7

Re: Our MSI based SCCM packages are blocked by Application Control

Jump to solution

Hi,

Thank you so much for your kind response. Your suggestion solved the issue, so now we can proceed with our tests.

Have a nice day.

Kind Regards,

Jakob

0 Kudos
enzosimoni
Level 7

Re: Our MSI based SCCM packages are blocked by Application Control

Jump to solution

Hi Jakob,

Do you know which specific SCCM exes need to be made updaters in order for Application Control to work properly with SCCM?

I see these files but don't know which is the correct one to select as the updater.

Any help will be greatly appreciated.

Ccm32BitLauncher.exe
ccmdump.exe
CcmEval.exe
CcmExec.exe
ccmrepair.exe
CcmRestart.exe
CMHttpsReadiness.exe
OSDBitLocker.exe
OSDBitLocker_wtg.exe
OSDDiskPart.exe
OSDDownloadContent.exe
OSDJoin.exe
OsdMigrateUserState.exe
OSDNetSettings.exe
OSDPrepareOS.exe
OSDPrepareSmsClient.exe
OSDPrestartCheck.exe
OSDRunPowerShellScript.exe
OSDSetDynamicVariables.exe
OSDSetupWindows.exe
OSDSmpClient.exe
OSDUpgradeOS.exe
OSDWinSettings.exe
SCClient.exe
SCNotification.exe
SCToastNotification.exe
ShellExecuteMSStore.exe
smsappinstall.exe
smsboot.exe
smsnetuse.exe
smsswd.exe
tsenv.exe
TSInstallSWUpdate.exe
TSManager.exe
TSMBootstrap.exe
TsProgressUI.exe
UpdateTrustedSites.exe
VAppCollector.exe
VAppLauncher.exe
0 Kudos