Users can install MSI (Windows Installer Packages) from a USB drive where the users have only been granted READ access by Device Manager.
PolicyPak Device manager is working as expected. You can install an MSI (Windows Installer package) from a USB drive where the user only has READ access because double-clicking (i.e., launching) an MSI is really only a READ event by C:\Windows\System32\msiexec.exe which reads the MSI's database contents and performs the install. MSIEXEC is doing the executing but only requires READ access to the MSI file in order to do so. In other words, PolicyPak DM is a FILE FILTER DRIVER which handles FILTERS. If you give someone READ, they have the FILTER to READ the file. Then MSIEXEC can pick up the ball and run with it.
In addition to limiting access to the USB drive by using Device Manager. The best way to stop MSIEXEC is to then use PolicyPak Least Privilege Manager (LPM) to block MSIEXEC since it’s calling the input to the database.
There are a few ways you can do this using PolicyPak Least Privilege Manager:
You can block MSIEXEC directly from an .EXE rule with a DENY Executable policy.
You can block all .MSIs with a DENY Windows Installer Policy.
You can turn on Admin Approval.
Why is an extra step in Least Privilege Manager needed? Because PolicyPak Least Privilege Manager is a PROCESS DRIVER which handles PROCESSES. If you specify what to do on a PROCESS level, PolicyPak Least Privilege Manager performs magic there including ELEVATION and BLOCKING.
So, you cannot use PolicyPak Device Manager to filter a PROCESS (MSIEXEC). But you could filter it for NO READ access to FILES.
And you cannot use PolicyPak Least Privilege Manager to filter specific FILES. But you can filter it to explain to MSIEXEC PROCESS what to do.