Our vulnerability scanning software is detecting vulnerable software installed in user profiles, e.g. Zoom, because the user installed it once and then never ran it again, and so it’s never been updated.
We use ImmyBot for our software management and so on the surface it seems like it is the right tool to manage per-user installs of software as well as machine wide installs.
The registry uninstall stuff in HKCU:\Software works like the system stuff in HKLM:\Software, with the uninstall string and software name etc., but of course the uninstall itself needs to be run in the user context - running
does nothing useful when run as SYSTEM.
Software in ImmyBot would need a “per-user” flag to indicate whether it’s possible that this software could be installed per-user, and a “per-user” uninstall script, maybe, or maybe it could just use the uninstall script assigned to the software (which would need to be updated to know when it was being called in per-user mode). Custom version detect scripts would also need to be aware of per-user installs, and somehow feed that info back.
Then there would be an option on the deployment page to tell ImmyBot what to do about per-user installs for this deployment (only if the Software is per-user aware). The options I can think of are:
- Ignore - just pretend that the per-user install isn’t there, like ImmyBot does now
- Stop - don’t proceed and report failure if a per-user install is detected
- Uninstall - Mandatory - uninstall the per-user installation, don’t proceed with the machine install until the per-user install is removed
- Uninstall - Lazy - attempt to uninstall the per-user installation, but keep going if this isn’t possible right now, or at all. Probably this option and Ignore are the only two that are workable.
Finally, figure out how to actually run the uninstall. This could be:
- Just hope that the user is logged in when maintenance runs
- Use the Active Setup logic to do the uninstall work when the user logs in (possibly leaving them with no install of the software until maintenance runs next, if “Uninstall - Mandatory” was selected as an option)
- When a user logs in, get the ImmyBot Agent to connect to ImmyBot and tell it to do the per-user maintenance. The per-user maintenance would then run the per-user uninstall etc. This would actually be really cool as it would allow ImmyBot to do some other user maintenance tasks, unrelated to this feature request. Even better if it could be tied up in the Active Setup login delay.
There are some things I don’t have answers to, like:
- What happens when we detect (e.g.) Zoom installed in the profile of an ex-employee who is never going to use this computer again? That’s why “Ignore” and “Uninstall - Lazy” are probably the only two workable install options.
- What about roaming profiles where we only have access to a cached NTUSER.DAT and so can’t authoritatively detect software that is installed, only what was installed last time the user logged in.
- Probably lots of other stuff
Bonus points if ImmyBot could fully manage locally installed software, rather than just uninstall it, e.g. because some software is only able to be installed per-user.
Thanks for listening
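As an added illustration of the per-user detection problem described in the post (the HKCU uninstall keys, and the cached NTUSER.DAT of users who are not logged in), here is a script I wrote for this reply; it is not ImmyBot code and not part of the original request. It runs as SYSTEM, walks every local profile from ProfileList, temporarily loads the hive of any user who is not logged in, and reports per-user Uninstall entries matching a product name together with whether they are below an assumed minimum version. `$Pattern` and `$MinVersion` are placeholder assumptions.

```powershell
# Added example, not from the original post: enumerate per-user "Uninstall" entries
# from SYSTEM context, including profiles whose hive is not currently loaded.
# $Pattern (product name match) and $MinVersion (assumed "patched" version) are assumptions.
param(
    [string]$Pattern = 'Zoom',
    [version]$MinVersion = '5.0.0'
)

$results = @()
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem $profileList) {
    $sid = $p.PSChildName
    if ($sid -notlike 'S-1-5-21-*') { continue }   # skip system and service accounts
    $profilePath = (Get-ItemProperty $p.PSPath).ProfileImagePath
    $loadedByUs = $false
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        # User not logged in: load NTUSER.DAT temporarily. For roaming users this is
        # only the locally cached copy, i.e. the state as of their last logon.
        $hive = Join-Path $profilePath 'NTUSER.DAT'
        if (-not (Test-Path $hive)) { continue }
        & reg.exe load "HKU\$sid" $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { continue }
        $loadedByUs = $true
    }
    $keys = @(
        "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Uninstall",
        "Registry::HKEY_USERS\$sid\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($entry in Get-ChildItem $k) {
            $v = Get-ItemProperty $entry.PSPath
            if ($v.DisplayName -notlike "*$Pattern*") { continue }
            $installed = $null   # DisplayVersion is free text; parse defensively
            [void][version]::TryParse(($v.DisplayVersion -replace '[^\d.]', ''), [ref]$installed)
            $results += [pscustomobject]@{
                Sid = $sid; Profile = $profilePath; Name = $v.DisplayName
                Version = $v.DisplayVersion
                Outdated = if ($installed) { $installed -lt $MinVersion } else { 'unknown' }
                LoggedIn = -not $loadedByUs          # only these can be uninstalled now, in user context
                UninstallString = $v.UninstallString
            }
        }
    }
    if ($loadedByUs) {
        [gc]::Collect()                               # drop registry handles before unloading
        & reg.exe unload "HKU\$sid" | Out-Null
    }
}
$results | Format-Table -AutoSize
```

The LoggedIn column is the practical split from the post: those rows can be handed to a user-context uninstall immediately, while the rest are what the "Ignore" or "Uninstall - Lazy" options would have to deal with at the next logon.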