• Two April patches, KB3146706 and KB3147071, break AppLocker when used for whitelisting on an Admin account

    #43220

    From AB- Two updates from April effectively break AppLocker, if you’re using it as an additional security measure (whitelisting) on an admin account.
    [See the full post at: Two April patches, KB3146706 and KB3147071, break AppLocker when used for whitelisting on an Admin account]

    • #43221

      Is this the built in “administrator” account, or a created admin account?

    • #43222

      Hmmm, this is interesting for the admins in relatively restricted environments.

    • #43223

      @NotReallyBob:

      It’s the default account that you get when you install W7.
      I don’t know if it happens with other admin accounts as well. My guess is yes, but I didn’t try.

      Keep in mind that this affects W7 only, since in W8 and W10 AppLocker already works that way by default, aka it’s always been kinda useless for admin accounts there. (If you removed the admin whitelist rule, you’d have to disable and re-enable AppLocker for many installs…)

    • #43224

      It’s the default account that you get when you install W7.

      AB, that one is not the built-in account and it is normally subject to UAC in the default configuration.
      The built-in administrator is called “Administrator”, is disabled by default and does not have a password after installation. If enabled, it should be configured with a password.
      There are significant differences in behaviour between the built-in Administrator (not subject to UAC) and all the other Administrator accounts – the consequence of a setting named Admin Approval Mode.
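
An added example, not part of any post in this thread: a read-only PowerShell check (written to run on the Windows PowerShell 2.0 that ships with Windows 7) that reports whether the two updates are installed, which kind of admin account the session is using, the UAC values behind Admin Approval Mode, and any effective AppLocker rules scoped to the local Administrators group. Treating rules scoped to BUILTIN\Administrators as the ones to review is an assumption here; the thread does not describe the affected rules in detail.

```powershell
# Added example, read-only. Run from the account you want to inspect.

# 1. Are the two updates from the topic title installed?
#    Get-HotFix only lists what Win32_QuickFixEngineering reports.
$kbs = 'KB3146706', 'KB3147071'
$present = @(Get-HotFix | ForEach-Object { $_.HotFixID })
foreach ($kb in $kbs) {
    $state = if ($present -contains $kb) { 'installed' } else { 'not listed' }
    "{0}: {1}" -f $kb, $state
}

# 2. Built-in Administrator: the local account whose SID ends in -500,
#    whatever it has been renamed to.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
"Built-in account: {0} (disabled: {1})" -f $builtin.Name, $builtin.Disabled

# 3. Is this session running as that account, and is its token elevated?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$isBuiltin = $id.User.Value -like 'S-1-5-21-*-500'
"Current user: {0} (built-in: {1}, elevated: {2})" -f $id.Name, $isBuiltin, $elevated

# 4. UAC values behind Admin Approval Mode.
#    EnableLUA = 1: UAC on. FilterAdministratorToken = 0 or absent:
#    the built-in Administrator is not subject to Admin Approval Mode.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA: {0}" -f $uac.EnableLUA
"FilterAdministratorToken: {0}" -f $uac.FilterAdministratorToken

# 5. Effective AppLocker rules scoped to BUILTIN\Administrators (S-1-5-32-544).
if (Get-Module -ListAvailable -Name AppLocker) {
    Import-Module AppLocker
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $policy.SelectNodes("//RuleCollection/*[@UserOrGroupSid='S-1-5-32-544']") |
        ForEach-Object {
            "{0} {1}: {2}" -f $_.ParentNode.GetAttribute('Type'),
                $_.GetAttribute('Action'), $_.GetAttribute('Name')
        }
} else {
    'AppLocker module not available on this edition.'
}
```

Running it before and after installing the updates, from both a regular admin account and the built-in Administrator, gives a record of which account type and rule set were in place when behaviour changed.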

    • #43225

      When the updates came out, this one was shown as an “update only”, not a “security update”, it was also NOT checked.

      Because of this I hid the update and haven’t seen anything about it until now. I’ve followed the “rules” about not installing the updates UNLESS they show they are a security update and also NOT installing those without a check mark.

      Any new information about this?

    • #43226

      My apology – – – I was referring only to KB3147071. I haven’t seen anything to change the other one (KB3146706) which I still have pending and unchecked.

    • #43227

      I still recommend that you only install security patches that have been checked. On rare occasion I’ll suggest that you check something that isn’t identified as a security patch, or something that isn’t checked automatically, but for the most part, that’s the sad state of affairs we’re in right now.

      If Microsoft stops sliding Win10 related patches out the chute after July 29, then patching will suddenly become much simpler.

      Right now, I suggest you don’t install anything. Patch Tuesday is coming.

    • #43228

      If Microsoft stops sliding Win10 related patches out the chute after July 29, then patching will suddenly become much simpler.

      Place it on your wish list Woody, schedule a reminder for July 29 and let’s talk if the patching has become “much simpler” after that date 🙂

    • #43229

      HA! I’ll just be sure not to mention it in print. No telling what would happen…

    • #43230

      Hi Woody and all,

      Do you think people running Win 7 Home Premium x64 are safe installing KB3146706, since Home doesn’t have AppLocker? Or should I just hide it and move on to waiting for the all clear on May’s updates?

      Thanks a lot,

      SBS

    • #43231

      No need to install them yet.

    • #43232

      Thank you. I’ll wait to install the stragglers from March (KB3139398) and April until I see you say otherwise. 🙂 Much appreciated.
