uninstall password

  • Archived

We would like to have the option to add a password to protect the ScreenConnect client from being uninstalled by users with local admin privileges. I have found that when the client is installed from LabTech, users don't recognize it and tend to remove it. This causes problems with the LabTech SC plugin.

Duplicates 2
access agent password protection

Please consider adding the option to password protect installation of an access agent against deletion. Some circumstances require users to have admin privilege to operate their workstation. Either by accident or intent, an access agent can be deleted. Requiring a password for deletion would ensure that deletion was desired and intended and eliminate the need for tedious workarounds using the registry or special utility programs.

block deinstallation screenconnect agent

How can I block the removal of the agent on a computer where the user has administrator rights?

Is it possible to make a password when trying to delete?

Pinned replies
-1
Sean White Team Member
  • Answer
  • Archived

This is a feature that we will not implement for a few reasons:

  • OS settings can be applied to prevent users from uninstalling software
  • Having a password baked into the agent to prevent uninstall could be used maliciously
    • A scammer could essentially prevent an agent from being uninstalled on an unsuspecting victim of fraud
    • A legitimate agent could be left behind if the end user no longer wishes to receive service and the service provider does not uninstall the software as part of an offboarding process.
0
SDR
Quote from Jstepp

This would have been a worthwhile feature, for sure. However, since it didn't seem like it was ever going to happen, I finally found a workaround that worked "enough" for my needs. I don't want to post links here, but you can look up "sc sdset" and find documentation. Basically, you have to use the Security Templates snap-in to create a template and then you can set the permissions on any system services that you want...save the template, open the template to get the SDDL string for the service(s) and permissions...and deploy in some way to your machines. The command will look something like "sc.exe sdset LTService D:AR(D;;DCWPDTCRSD;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" I had to deploy with Intune, unfortunately, but I figured out a way. This was NOT something I was familiar with, so I played with it a lot before I deployed to anything, and I created a security template to UNLOCK everything and created scripts for that so that I have them when I need them.  Service lock and unlock scripts.  Maybe this will help somebody out there.  It was a huge pain, but it was the only thing that worked in my environment.

Glad you found something but this is not something our company is going to use to deploy. Has anyone found any good alternatives to ScreenConnect/ConnectWise? I have seen enough from responses in these forums to know this company does not listen to its end users.

1
Jstepp

This would have been a worthwhile feature, for sure. However, since it didn't seem like it was ever going to happen, I finally found a workaround that worked "enough" for my needs. I don't want to post links here, but you can look up "sc sdset" and find documentation. Basically, you have to use the Security Templates snap-in to create a template and then you can set the permissions on any system services that you want...save the template, open the template to get the SDDL string for the service(s) and permissions...and deploy in some way to your machines. The command will look something like "sc.exe sdset LTService D:AR(D;;DCWPDTCRSD;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" I had to deploy with Intune, unfortunately, but I figured out a way. This was NOT something I was familiar with, so I played with it a lot before I deployed to anything, and I created a security template to UNLOCK everything and created scripts for that so that I have them when I need them.  Service lock and unlock scripts.  Maybe this will help somebody out there.  It was a huge pain, but it was the only thing that worked in my environment.
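
An added example, not part of the post above and not ConnectWise code: a short Python decoder for the service SDDL string quoted in the post, showing which service rights each ACE allows, denies or audits, and what the DACL leaves a given logon token. The function names and the group sets passed to `effective_rights` are assumptions made for illustration.

```python
import re

# Service-specific meaning of the two-letter SDDL rights (Windows service ACLs).
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SIDS = {"AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
        "SY": "Local System", "IU": "Interactive", "WD": "Everyone"}

# The string quoted in the post above.
SDDL = ("D:AR(D;;DCWPDTCRSD;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_sddl(sddl):
    """Split an SDDL string into its DACL ('D') and SACL ('S') ACE lists."""
    acls = {}
    for kind, _flags, body in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))+)", sddl):
        aces = []
        for ace in re.findall(r"\(([^)]*)\)", body):
            # ACE layout: type;flags;rights;object_guid;inherit_guid;sid
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
            aces.append({"type": ace_type, "flags": flags, "sid": sid,
                         "rights": re.findall("..", rights)})
        acls[kind] = aces
    return acls

def effective_rights(dacl, token_sids):
    """Walk ACEs in order; the first ACE naming a right for a matching SID decides it."""
    decided = {}
    for ace in dacl:
        if ace["sid"] in token_sids and ace["type"] in ("A", "D"):
            for code in ace["rights"]:
                decided.setdefault(code, ace["type"] == "A")
    return {RIGHTS[c] for c, granted in decided.items() if granted}

if __name__ == "__main__":
    acls = parse_sddl(SDDL)
    for ace in acls["D"] + acls["S"]:
        print(ace["type"], SIDS[ace["sid"]], [RIGHTS[c] for c in ace["rights"]])
    # Group membership below is an assumption about typical logon tokens.
    print("local admin:", sorted(effective_rights(acls["D"], {"AU", "BA", "IU"})))
    print("standard user:", sorted(effective_rights(acls["D"], {"AU", "IU"})))
```

The deny ACE for Authenticated Users comes first, so it also removes stop, reconfigure and delete from a logged-on administrator, but it does not name WRITE_DAC or WRITE_OWNER, which the Administrators allow ACE still grants. The SACL entry requests auditing of failed access attempts by Everyone.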

1
Ian L-F
Quote from Sean White

This is a feature that we will not implement for a few reasons:

  • OS settings can be applied to prevent users from uninstalling software
  • Having a password baked into the agent to prevent uninstall could be used maliciously
    • A scammer could essentially prevent an agent from being uninstalled on an unsuspecting victim of fraud
    • A legitimate agent could be left behind if the end user no longer wishes to receive service and the service provider does not uninstall the software as part of an offboarding process.

These reasons are simply silly when other solutions, as already stated, offer this without issue.

0
YoDawg

Pretty sad this request has been declined without much effort. So other RMM agents like SolarWinds and Ninja have this ability. Sophos Central has this ability but CWC aka ScreenConnect will not have this ability. The workarounds are not going to work for us from a management standpoint so it's either switch to another remote management solution or hire a developer to build our own solution to fit our growing demands. Most of our small business environment requires most users to be the local admin of the computers due to PMP app functionality. Some users have purposely removed our management agent fearing they are being tracked but they don't grasp that our web content actually tracks them so we have had to enable remote desktop within the orgs or redeploy with GPO.

0
Alex Heylin
Quote from Sean White

This is a feature that we will not implement for a few reasons:

  • OS settings can be applied to prevent users from uninstalling software
  • Having a password baked into the agent to prevent uninstall could be used maliciously
    • A scammer could essentially prevent an agent from being uninstalled on an unsuspecting victim of fraud
    • A legitimate agent could be left behind if the end user no longer wishes to receive service and the service provider does not uninstall the software as part of an offboarding process.

OS settings cannot be used to prevent uninstallation by a local administrator or other suitably privileged account.   Removing the entry in add/remove programs does not prevent uninstall - it just obfuscates it so that most numpty users can't manage it. MSIEXEC /X will still work. 


If you're not implementing the password, can I suggest either an option in the installer to NOT add it to Add / Remove programs, or at the very least an official KB on how to remove it - with example commands, which would seem to address >90% of the cases here. 

I think your points about the baked in password have some validity though. 

0
Alex Heylin
Quote from Enterprise IT

I have been checking on this for years. Could we at the very least get a reason what is stopping this from moving forward or provide measures such as a reg hack that might enable such a feature?

Just delete the entry in add / remove programs.  That'll deal with 99% of users who uninstall things. 


https://support.microsoft.com/en-us/topic/removing-invalid-entries-in-the-add-remove-programs-tool-0dae27c1-0b06-2559-311b-635cd532a6d5

0
Enterprise IT

I have been checking on this for years. Could we at the very least get a reason what is stopping this from moving forward or provide measures such as a reg hack that might enable such a feature?

0
YoDawg

Might see this feature before I leave this planet.

1
gprscrprs

I will plus one that this "is where most good ideas go to die". :(
