3 Replies Latest reply on Apr 8, 2016 12:34 PM by enzosimoni

    Our MSI based SCCM packages are blocked by Application Control

    jakobs

      Hi,

       

      We've have started to test Applicaiton Control 6.1.2 in our EPO environment, but we're having some problems when trying to deploy applications to the test desktops using our SCCM systems. Packages which contains a MSI installation are prevented by Application Control to get installed(Application Control is reporting PACKAGE MODIFICATION PREVENTED on the MSI file) , whereas packages which contains a setup.exe (like an installshield installation) will be installed without any problems. On the EPO server, the blocked solidcore event is of course registered, and we can allow the msI files one by one, and if redeployed the SCCM installation will run correctly.

      I had the impression that all the steps needed for whitelistning SCCM actions were predefined out of the box when deploying the Application Control feature, but based on our expericence I guess that something needs to be configured, but failing to do so  on my own, I'm hoping that someone with some more expericence can share some light on this matter.

       

      Kind Regard,

       

      Jakov Svarrer

        • 1. Re: Our MSI based SCCM packages are blocked by Application Control
          mcafeenewb

          Just for testing, in the features policy check the box for Bypass Package control.

           

          I had a similar issue with my offload scan servers "MOVE" when scanning .msi files.  Was advised by support to select Bypass Package control. It cleared the issue.

           

          From what I understand this does not make you less safe since what this is doing is allowing something other that msiexec to manipulate an .msi file.

          • 2. Re: Our MSI based SCCM packages are blocked by Application Control
            jakobs

            Hi,

             

            Thank you so much for your kind response. Your suggestion solved the issue, so now we can proceed with our tests.

            Have a nice day.

             

            Kind Regards,

             

            Jakob

            • 3. Re: Our MSI based SCCM packages are blocked by Application Control
              enzosimoni

              Hi Jakob,

               

              Do you know which specific SCCM exes need to be made updaters in order for Application Control to work properly with SCCM?

               

              I see these files but don't know which is the correct one to select as the updater.

               

              Any help will be greatly appreciated.

               

               

              Ccm32BitLauncher.exe
              ccmdump.exe
              CcmEval.exe
              CcmExec.exe
              ccmrepair.exe
              CcmRestart.exe
              CMHttpsReadiness.exe
              OSDBitLocker.exe
              OSDBitLocker_wtg.exe
              OSDDiskPart.exe
              OSDDownloadContent.exe
              OSDJoin.exe
              OsdMigrateUserState.exe
              OSDNetSettings.exe
              OSDPrepareOS.exe
              OSDPrepareSmsClient.exe
              OSDPrestartCheck.exe
              OSDRunPowerShellScript.exe
              OSDSetDynamicVariables.exe
              OSDSetupWindows.exe
              OSDSmpClient.exe
              OSDUpgradeOS.exe
              OSDWinSettings.exe
              SCClient.exe
              SCNotification.exe
              SCToastNotification.exe
              ShellExecuteMSStore.exe
              smsappinstall.exe
              smsboot.exe
              smsnetuse.exe
              smsswd.exe
              tsenv.exe
              TSInstallSWUpdate.exe
              TSManager.exe
              TSMBootstrap.exe
              TsProgressUI.exe
              UpdateTrustedSites.exe
              VAppCollector.exe
              VAppLauncher.exe