AppLocker, Automated Uninstallation and Reporting
Hi All, Unfortunately I didn't find the exact forum to post this thread, but I need urgent assistance with it and would appreciate your soonest replies and suggestions. I have a client whose requirement is to implement AppLocker; however, it shouldn't just block the blacklisted application but inform users to uninstall that application within a certain time. For example, a balloon should pop up saying that you have 5 days to uninstall this application, and every day the countdown should reduce. If the user still doesn't uninstall the application, then the system should uninstall the application automatically and report to the HR database that the user has violated the Company Policy, which can be fetched as a report to evaluate the performance and work ethics of employees. I know we can deploy AppLocker to lock applications and SCCM to uninstall the applications, which is already in place, but we are talking about automated uninstallation and a countdown for at least 5 days and then reporting. So my question is: we have thousands of applications which might need to be uninstalled, so we cannot create an uninstallation package for each and every app every time, and that would require human intervention as well. Please suggest what the best solutions can be and which products/tools/add-ons to use. Soonest response would be highly appreciated. Thanks MYM
March 31st, 2011 6:17am

As far as I know there is no tool out there that will do what you want. You would need to create an uninstall. What you might look at doing is using DCM to detect the software and send down an Advertisement with a 5 day countdown before the uninstall happens. At the end of the uninstall script have it use VBS or something else to send the message to the HR group/Database, etc. This will be easier in ConfigMgr 2012 :) Take a look at it. http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
March 31st, 2011 11:23am

Thank you Matthew for your prompt positive response :) That means we'll have to create uninstall packages for the applications, but the question is how many applications? :) We don't know how many applications users would be installing on their systems; that's why we want a sort of automated solution that detects, uninstalls and reports. Secondly, an Advertisement with a 5 day countdown doesn't make sense because that will continuously be running on the client's desktop (while the requirement is just to show a pop-up balloon that you have that number of days remaining to uninstall this application), and every day they will shut down their systems, which will stop the countdown, and the advertisement will start from scratch, isn't it? Hence there would be an infinite loop. Could you please elaborate on ConfigMgr 2012 a bit more? Have you tried it yourself, and do you think that would cater to our requirement? I really appreciate your prompt support. Regards
March 31st, 2011 12:59pm

Applocker is a client/AD/GPO feature set, so you could try the forum for GP: http://social.technet.microsoft.com/Forums/en-AU/winserverGP/threads

Applocker can run in discover/audit/report mode; this helps you identify what is out there in your client landscape. You can then use that data to quickly create lockdowns (in a blacklist method). Blacklisting vs. whitelisting is a decision you need to make; both approaches have advantages and disadvantages. Applocker is designed to permit or prevent specified programs from running; it isn't designed to prevent or permit installation, nor force installation nor uninstallation (it is not a remediation solution). ConfigMgr has powerful & deep inventory and reporting features, but you need to construct a remediation method.

ConfigMgr DCM forum: http://social.technet.microsoft.com/Forums/en-US/configmgrdcm/threads

Don
March 31st, 2011 4:27pm

Agreed, AppLocker is meant to allow or disallow applications, but by combining it with SCCM we can not just prevent access to unnecessary applications but uninstall them as well. So I am designing a solution in which AppLocker would be used to allow or disallow the applications and SCCM would be used to uninstall them; some other features of SCCM would also be used. Could you please elaborate a bit more on AppLocker Discover/Audit/Report mode? Any link/document would be helpful. If AppLocker is capable enough to report back, then the major requirement is achieved for HR: we can show those reports to Management and HR personnel. Looking forward to your soonest response. Thanks.
April 1st, 2011 7:37am

Can I test my AppLocker rules before I enforce them? Yes, you can use the AppLocker Audit only enforcement mode to test your rules before they are enforced. When implemented, applications that would have been blocked will be recorded as warning events in the AppLocker logs. Technet library for AppLocker: http://technet.microsoft.com/en-us/library/dd723678(WS.10).aspx includes an Executive overview & also FAQ Don
April 1st, 2011 10:33pm
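
The Audit only mode described in the post above can feed a per-user report. This is an added example, not code from the thread; it assumes the EXE and DLL log, where event ID 8003 is the "would have been blocked" warning, and the CSV path is a placeholder.

```powershell
# Added example: summarise AppLocker "Audit only" warnings per user and file.
# Assumptions: EXE/DLL log only (MSI and script rules log elsewhere); output path is a placeholder.
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$AuditId = 8003   # file ran, but would have been blocked if rules were enforced

function Get-AppLockerAuditHit {
    param([int]$Days = 7)
    $filter = @{ LogName = $LogName; Id = $AuditId; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        # File details sit in the event's UserData XML (element names as seen in AppLocker events).
        $data = ([xml]$evt.ToXml()).Event.UserData.RuleAndFileData
        # Resolve the SID to DOMAIN\user; fall back to the raw SID if lookup fails.
        $user = try   { $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { "$($evt.UserId)" }
        [pscustomobject]@{
            Time     = $evt.TimeCreated
            Computer = $evt.MachineName
            User     = $user
            FilePath = $data.FilePath
        }
    }
}

# One row per user and file, with a hit count and the most recent occurrence.
Get-AppLockerAuditHit -Days 7 |
    Group-Object User, FilePath |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            FilePath = $_.Group[0].FilePath
            Hits     = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } |
    Export-Csv -Path 'C:\Temp\applocker-audit.csv' -NoTypeInformation
```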

As far as I know there is no tool out there that will do what you want. You would need to create an uninstall. What you might look at doing is using DCM to detect the software and send down an Advertisement with a 5 day countdown before the uninstall happens. At the end of the uninstall script have it use VBS or something else to send the message to the HR group/Database, etc. This will be easier in ConfigMgr 2012 :) Take a look at it. http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

I said pretty much the same thing in the Scripting Guys forum as below:

You're asking for quite a lot there and you have no scripting questions or request, so this discussion really ends here, sorry. Having said that, I'm certified in both Applocker and SCCM so I'll try and point you in the right direction.

Applocker will prevent defined software from being used by exception. It has nothing to do with removal. Its events are heavily logged on each client, so there is your first starting point in detection.

In SCCM, you could create a Desired Configuration Management configuration baseline and configuration item to check for compliance based on the existence of a program by searching for its registry uninstall key. Example: XML Notepad is installed on my machine. Its uninstall key is stored here:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}

DCM can monitor for the existence of that key and you could create a query-based collection of non-compliant machines (computers that have XML Notepad installed). From that you could assign a package which is a script that can trigger the uninstall command of:

MsiExec.exe /I{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}

The advertisement can be set to run in 5 days and to notify the user in a pop-up balloon (that the script will run). You will not however be able to make a custom balloon popup message for this.

Finally, whoever's implementing Applocker for your client should have the expertise to advise them of Applocker's capabilities and limitations. They should also have the confidence to just say 'No, it's not designed to do that'. Hope this helps.
April 4th, 2011 5:58pm
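
The registry-key detection described in the post above, combined with a grace period that survives shutdowns (the concern raised earlier in the thread), as an added example that is not code from any poster. The state key path, the 5-day value and the function name are assumptions; the product code is the XML Notepad GUID quoted in the post, and the script is meant to run daily with administrative rights.

```powershell
# Added example; the state key path and grace period below are assumptions.
$ProductCode = '{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}'   # XML Notepad, as quoted in the post
$GraceDays   = 5
$StateKey    = "HKLM:\SOFTWARE\ExampleCorp\Compliance\$ProductCode"   # hypothetical location
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Invoke-GracePeriodCheck {
    # Detection: look for the product's uninstall key in the 64-bit and 32-bit hives.
    $key = $UninstallRoots | ForEach-Object { Join-Path $_ $ProductCode } |
           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $key) {
        # Product is gone: clear the countdown so a later reinstall starts fresh.
        if (Test-Path -LiteralPath $StateKey) { Remove-Item -LiteralPath $StateKey -Recurse -Force }
        return [pscustomobject]@{ Status = 'Compliant'; DaysLeft = $null; ExitCode = $null }
    }

    # Persist the first detection date so a shutdown does not reset the countdown.
    if (-not (Test-Path -LiteralPath $StateKey)) {
        New-Item -Path $StateKey -Force | Out-Null
        Set-ItemProperty -LiteralPath $StateKey -Name FirstSeen -Value (Get-Date).ToString('o')
    }
    $firstSeen = [datetime](Get-ItemProperty -LiteralPath $StateKey).FirstSeen
    $daysLeft  = [int]($GraceDays - [math]::Floor(((Get-Date) - $firstSeen).TotalDays))
    if ($daysLeft -gt 0) {
        return [pscustomobject]@{ Status = 'GracePeriod'; DaysLeft = $daysLeft; ExitCode = $null }
    }

    # Grace period over: /x uninstalls by product code, /qn runs without UI.
    $p = Start-Process -FilePath msiexec.exe -Wait -PassThru `
         -ArgumentList "/x $ProductCode /qn /norestart"
    return [pscustomobject]@{ Status = 'Removed'; DaysLeft = 0; ExitCode = $p.ExitCode }
}

Invoke-GracePeriodCheck
```

The returned object is what a wrapper would log or forward for reporting; showing `DaysLeft` to the logged-on user needs a separate process in the user's session, since this script runs elevated.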

This topic is archived. No further replies will be accepted.
