ISM-2111 ASD Information Security Manual (ISM)

Remove Temporary Installation Files Post-Installation

Remove all temporary installation files created during user application installation once the application has been installed.

Plain language

When software is installed, the installer extracts setup files, scripts and other temporary artefacts onto the machine. This control requires those temporary installation files to be deleted once the application is in place. Leftover installer artefacts can contain embedded credentials, helper scripts or extracted payloads that an attacker can read or reuse, so removing them shrinks the attack surface on each endpoint.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

June 2026

Control Stack last updated

19 June 2026

E8 maturity levels

N/A

Official control statement

All temporary installation files created during user application installation processes are removed after user applications have been installed.

Why it matters

If temporary installation files are left behind after an application is installed, those artefacts can contain embedded credentials, configuration secrets, installer scripts or extracted executable payloads. An attacker or malicious insider who reaches the host can read these for credential harvesting, or reuse leftover binaries and scripts to escalate privileges or maintain persistence, increasing the attack surface on every affected endpoint.

Operational notes

Identify where each installer stages temporary files, such as the user and system %TEMP% directories, the Windows Installer cache (C:\Windows\Installer), and any vendor-specific extraction or staging folders, then confirm these are cleared once installation completes. Bake the cleanup step into your standard operating environment (SOE) build and into application packaging so removal happens automatically rather than relying on manual deletion. Use endpoint management or configuration management tooling to detect and remove residual installer artefacts on an ongoing basis, and re-confirm cleanup after each new package or installer version is introduced, since vendors change where and how they stage files.

Implementation tips

  • Add a cleanup step to each application package and deployment script that deletes the installer's temporary files once installation succeeds, targeting the user and system %TEMP% directories and any vendor-specific extraction or staging folder used by that installer.
  • Bake installer-artefact removal into the standard operating environment (SOE) build so newly provisioned endpoints never ship with leftover setup files.
  • Prune the Windows Installer cache (C:\Windows\Installer) of orphaned or superseded staged packages, using a supported tool that performs PatchCleaner-style validation so that only entries still referenced by installed products are retained.
  • Configure endpoint management or configuration management tooling (for example Intune, SCCM/Configuration Manager, Group Policy, Jamf) to periodically scan for and remove residual installer extraction directories across the fleet.
  • Require third-party installers and managed service providers, through the contract or statement of work, to remove their installer temporary files after installation, and verify removal as an acceptance criterion before sign-off.
  • After packaging a new or updated installer, test on a clean host to identify exactly where it stages temporary files, then update the cleanup step so the removal stays accurate as vendors change their installers.
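
The cleanup step described in the tips above, sketched as an added example (not part of the ISM or of any vendor tooling): a hypothetical PowerShell wrapper that snapshots the staging folders, runs the installer, removes only what appeared during installation, and fails loudly if anything remains. The parameter names and default staging roots are assumptions, and it assumes nothing else writes to those folders while the installer runs.

```powershell
# Added example: hypothetical deployment wrapper. Assumes a deployment context
# (SOE build, task sequence) where nothing else writes to the staging roots
# while the installer is running.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,   # path to the packaged installer
    [string[]] $InstallerArgs = @(),
    # Add vendor-specific extraction folders per package after testing on a clean host.
    [string[]] $StagingRoots = @($env:TEMP, "$env:SystemRoot\Temp")
)

function Get-TopLevelEntries([string[]] $Roots) {
    foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    }
}

# 1. Record what already exists so pre-existing files are never touched.
$before = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(Get-TopLevelEntries $StagingRoots),
    [System.StringComparer]::OrdinalIgnoreCase)

# 2. Run the installer. Exit codes 0 and 3010 (success, reboot required) are the
#    Windows Installer conventions; other installers may differ (assumption).
$startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
if ($InstallerArgs) { $startArgs.ArgumentList = $InstallerArgs }
$proc = Start-Process @startArgs
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "Installer exited with $($proc.ExitCode); staged files left for diagnosis."
    exit $proc.ExitCode
}

# 3. Remove only entries created during installation, then verify each removal.
#    C:\Windows\Installer is deliberately not a staging root here: pruning it
#    needs validation against installed products, as the tips above describe.
$results = @(foreach ($path in Get-TopLevelEntries $StagingRoots) {
    if ($before.Contains($path)) { continue }
    Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $path; Removed = -not (Test-Path -LiteralPath $path) }
})

# 4. Emit a record for the deployment log; a non-zero exit stops silent failure.
$results | Format-Table -AutoSize | Out-String | Write-Output
$residual = @($results | Where-Object { -not $_.Removed })
if ($residual.Count -gt 0) {
    Write-Error "$($residual.Count) installer artefact(s) could not be removed."
    exit 1
}
```

The per-path Removed records written to the deployment log double as the evidence an auditor would sample to confirm the cleanup ran and succeeded.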

Audit / evidence tips

  • Select a sample of recently deployed user applications and inspect the host filesystem (user and system %TEMP%, C:\Windows\Installer cache and known vendor staging folders) to confirm no temporary installation files remain after install.
  • Examine the application packaging or deployment scripts and the SOE build to confirm a cleanup step that deletes installer temporary files is defined and runs automatically on completion.
  • Review deployment or configuration management logs to confirm the cleanup action executed successfully for the sampled installations rather than being skipped or failing silently.
  • Where third parties install software, inspect the contract, SOW or acceptance criteria for a clause requiring removal of installer temporary files, and check acceptance records show this was verified.
  • Review endpoint management scan results to confirm hosts are routinely checked for residual installer artefacts and that any found are remediated.

Cross-framework mappings

How ISM-2111 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

Control | Notes
Annex A 8.10 | ISM-2111 requires removing temporary installation files after user applications are installed to reduce residual artefacts on systems
Annex A 8.19 | ISM-2111 requires that temporary installation files created during user application installs are removed after installation

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.