I'm looking for a way to control software installations on Windows systems by blocking them, but I want the ability to easily grant exceptions when needed. We've previously tried using AppLocker and WDAC, but found them to be complicated and hard to maintain. I'm interested in any third-party solutions that can manage this without needing an agent and that won't affect system performance. Bonus points if the solution incorporates agentic AI capabilities!
3 Answers
Have you considered why you specifically want an agentless solution? Sometimes an agent can provide more functionality without significantly impacting performance.
You might want to check out Ansible. It could fit your needs when it comes to managing installations without a direct agent presence.
Thanks for the suggestion! Could you share any resources or the official website for Ansible?
Keep in mind that AppLocker doesn't actually interfere with the kernel drivers, and if you're an admin needing to allow installations, you would usually want to validate with proper credentials. Isn't it better to manage installations through deployment software?
We do recognize that AppLocker has a strong foundation, but the real hassle comes from having to create a golden allowlist policy that works for a fleet of diverse laptops. It's a headache to maintain when introducing new machines! We found both AppLocker and WDAC a bit unfriendly in this regard.
Actually, AppLocker does interact with kernel drivers, which complicates things.

It can be any agent as long as it doesn't mess with the kernel driver and isn't performance-heavy. From what we’ve seen, many third-party tools dive deep into the kernel and can cause odd issues over time.