1

Let me start off by saying that I love the fact that I have some students that are capable of thinking outside the box and learning to do these things but my administration is on me to restrict their access to curb time wasting, etc.

For students, they are locked down pretty tight via gpo, I have the windows store completely blocked, they cannot run any kind of installer files but they are finding ways to install games like Minecraft, etc. It appears to be installed from the Windows app store (Microsoft.MinecraftUWP_1.20.3002.0_x64__8wekyb3d8bbwe). Has anyone else ran into this and found a working solution?

32 Spice ups
2

Are they able to manually install the app using a different way than the store? There are different ways to install a MS Store app. There are even .exe files that will. Most store apps install to the Appdata as a local user.

If you have access to Applocker, you can just block the application.

5 Spice ups
3

I don’t have an answer for you, just a comment. Last weekend while on a car trip, my son and his friend were discussing the various ways to get around the school’s blocks on the gaming sites (apparently forgetting that sound travels from the back seats to the front); they attend different schools. They listed off several sites to go to that weren’t blocked as well has how to install some games from USB drives or run them directly of USB drives. It was an enlightening conversion. (I did have a talk with my son later on about this)

It sounds much like the Wack-a-Mole game. Good luck.

15 Spice ups
4

I can almost bet they’re using this AppX Downloader along with a PowerShell command similar to this.

add-appxpackage –path "C:\Users\root\Downloads\DigitalchemyLLC.CalculatorFree_1.4.0.78_neutral__q7343f88mnb03.Appx"
7 Spice ups
5

These are the only ways that I can see that Minecraft could be installed, either with an executable or command line, etc. But all of these options are blocked by gpo. They cannot open any .exe, .msi, etc files. Commad line and powershell are all blocked.

@Frank it up, you’re exactly right. It is a constant wack-a-mole. It’s so easy nowadays for anyone to go home and set up a VPN type server, etc and access from school. Our internet filters are great at blocking VPN sites that have been spotted and categorized but as soon as that happens they can just change the URL and start all over again the next day. If these guys would put this much effort into being productive who knows where they could end up one day.

13 Spice ups
6

You can try to add the APPX file extension

227732af-6222-4502-bf45-5dddae5fca80-APPX.PNG

5 Spice ups
7

Easy :wink:

Go to the store (at home or on your smartphone) and find the URL (or just Product-ID) of the app.

Now open the following website to download the Appx package and all denpendencies:

Microsoft Store - Generation Project (v1.2.3) [by @rgadguard & mkuba50] (rg-adguard.net)

Download the appxBundle or whatever is listed in the context (sometimes more than one AppxBundle)

Open Powershell and install via

Add-AppxPackage -Path "c:\temp\Microsoft.MyFancyApp_2.46.41622.0_neutral___8wekyb3d8bbwe.AppxBundle"

The only point, where they might face a problem is a admin-account (if needed).

Hope it helps …

4 Spice ups
8

Based on what @bytemeoftn ​ said, I would disable Power Shell at the user level. Do not disable it overall. This will cripple the device as Power Shell is needed at the machine level.

6 Spice ups
9

You may want to think more about what isn’t blocked. That gives you your attack vectors. Most whitelist aren’t checking a checksum (and for good reason), so you can just replace the whitelisted exe in many cases and the machine will implicitly trust it’s the correct executable. I used to do this all the time with a windows recovery disk to give myself a local admin on customer computers who’d forgotten their password. I’d just replace the accessibility exe with cmd.exe (backing up the original exes of course) then just launch the “accessibility” exe at the login screen. That would give me a cmd prompt to do whatever I needed from.

Blocking PowerShell also doesn’t block every part of PowerShell (most of the time), and there are side channels you can use to access and run specific parts of dlls. This also may only be a couple of kids that do this and have started a side hustle doing this for other students. We used to do that in high school. Most kids sold gum, we sold access to quake 3. Good times.

4 Spice ups
10

You have no idea…

We’re pretty good here, but still see things like this. We hope to be better once we finally get our Servers updated to a “modern” server OS.

1 Spice up
11

Have you considered using the N version of Windows Education? At least for students. It’s the best way in my opinion.

2 Spice ups
12

I personally preferred Windows LTSC for students. It was extremely bare metal, very similar to a stock install of Server OS.

2 Spice ups
13

I’ve been considering creating an image with LTSC but everything I’ve read says MS does not recommend using it for anything other than static type devices like POS, etc. Have you ran into any issues with any software having issues? We’re basically just using Office and Adobe CC apps on student devces.

14

@jasonbaxter8979 ​ Applocker if you have little to no budget and plenty of free time, or purchase ThreatLocker from an IT MSP to manage it for you. If you don’t have at least one person with eyes on ThreatLocker at all times, it can become a bit more of a hindrance than a help, BUT it is hands-down the best solution, period, end of story, full stop. @spencer-threatlocker @danny-threatlocker

15

The old person in me thinks…Take away the devices. Devices are a privilege, not a right. If they don’t know how take care of them too bad! Damn whippersnappers!

16

Yes,yes it is but much funnier.

I wrote a simple powershell Wack-a-complete-site room by room script, that uninstalls, so funny watching the icon disappear before their eyes.

@jasonbaxter8979 ​ yeah, same no cmd etc no privileges, Unfortunately if you go for decrapifier and remove the store, it’s like asking for problems down the line. Anyone with a Office 365 license appears to be good to go.

@jameswalker20 ​ Powershell is not needed (and blocked also) to the minions, and they don’t use/need it, although they do tend to have a go with vbs for other nefarious activities.

@Spicehead-hu580 N Win Ed is deployed, what is amusing is Microsoft stick xbox into it

There are a lot of them online sharing tips and tricks, like going through google (try blocking google).

@oscaroneeyeI totally agree

17

turn of scripting by GPO, then VBS and scripting fails too

1 Spice up
18

Could also silently ruin their ability to connect to most servers by blocking ports 25565 (Java), 19132 and 19133 (Bedrock) for TCP and UDP. But preventing Powershell being used is likely going to block their (current) method of installing it.

Otherwise, learn how to use Applocker and enforce that across the machines.

You also need to re-iterate your IT policy to the students, (which you totally have, right?) and remove access for users that violate it.

19

The only issue I noticed is there isn’t a decent photo viewer. There was a registry setting to enable the default windows one, but it was weird still. I was only using them for basic student computer lab devices. I also only set up a few at first to see if any one had any issues. and eventually rolled them out to all the computers. I like that there isn’t any feature updates that will inevitably mess something up.

20

Common sense, as well as logic, and “actions have consequences” support your statement. Reality on the other hand…

  1. Education content is delivered electronically these days (ie: online content is the current version of a textbook).

  2. Schools are required to provide education content to students equally.

  3. As many people I work with have mentioned when I bring up the topic: “The problem is, you’re using logic…”

1 Spice up