WikiTwist

Blocking Co-Installers in Windows with Intune Remediations

When using Windows 10/11, Windows Plug & Play drivers can automatically install applications (unsecured, dangerous or both) on your computer. This is a feature called Co Installers.

This – initially convenient – behaviour can be undesirable for most of us. For example a bug in Razer’s Synapse software allowed standard users to gain admin access to the machines.

At BoucheCousue, we offer managed services to our customers and our therefore looking to reduce any surface of attack on the machines being used by end users.

How to block CoInstallers?

You can manually edit your registry by adding or changing a key in

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionDevice Installer 

Modify or create the value DisableCoInstallers as a DWORD-32 with a value of 1

Source: BleepingComputer

How to block CoInstallers using Intune Remediations

For Intune, you can use Remediation Scripts to change registry settings automatically.

Here is the detection script to upload:

## DetectCoInstallers - BoucheCousue
## Detection script for Intune Remediation

# Parameters
$regkey="HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDevice Installer"
$name="DisableCoInstallers"
$value=1

# Registry Detection Template
If (!(Test-Path $regkey))
{
Write-Output 'RegKey not available - remediate'
Exit 1
}

$check=(Get-ItemProperty -path $regkey -name $name -ErrorAction SilentlyContinue).$name
if ($check -eq $value){
write-output 'setting ok - no remediation required'
Exit 0
} Else {
write-output 'value not ok, no value or could not read - go and remediate'
Exit 1
}

And the remediation one:

## DetectCoInstallers - BoucheCousue
## Remediation script for Intune Remediation

# Parameters
$regkey="HKLM:SOFTWAREMicrosoftWindowsCurrentVersionDevice Installer"
$name="DisableCoInstallers"
$value=1

#Registry Template
If (!(Test-Path $regkey))
{
New-Item -Path $regkey -ErrorAction stop
}

if (!(Get-ItemProperty -Path $regkey -Name $name -ErrorAction SilentlyContinue))
{
New-ItemProperty -Path $regkey -Name $name -Value $value -PropertyType DWORD -ErrorAction stop
write-output "remediation complete"
exit 0
}

set-ItemProperty -Path $regkey -Name $name -Value $value -ErrorAction stop
write-output "remediation complete"
exit 0

Base script by MikeMDM, customized for the needs of this registry key.

Thanks: Big up to Mattias Melkersen for bringing up this topic on X and to Nathan McNulty for sharing the fix that Will Dormann offered.

This post is also available in fr_FR.

Exit mobile version