We have found if the user installs an app like Firefox without having admin rights, it allows the user to install but places the executable in the appdata folder. Once we sent out the GP it restricted the use of it. Our easy fix was to have someone with administrator rights to reinstall Firefox.

We have found one other app, Spotify that does the same thing to get around the user not having admin privileges.

From: Al Puzzuoli [mailto:[log in to unmask]]
Sent: Thursday, November 07, 2013 10:39 AM
To: [log in to unmask]
Subject: [MSUNAG] Drawbacks to Preventing Executables from Running in AppData?

Hi everyone,

Curious as to whether any of you have taken the approach described in the attached PDF of preventing executables in %AppData% from running? I’ve justcreated a GPO as outlined in that document and am testing it on my own machine. So far, nothing appears to be breaking, and I can’t think of many vital apps that this would disrupt. I figure I can easily whitelist the few I might find that actually do break. Are there any disadvantages I might be missing to this approach?

Thanks,