
> some mistakenly bad corporate policy trying to micro-manage which Windows services are allowed to run.

Actually, I'd say that's a good corporate policy.




The bad part is how it is being micro-managed, not the idea of allowlisting Windows Services in general. There are good reasons to allowlist things like Windows Services, sure. How you micro-manage that allowlist can be bad.

Specific to this case, `ssh-agent` is a Windows Service shipped with Windows and signed by Microsoft. If your allowlist doesn't include built-in Windows services, maybe your allowlist is deficient. Further, specifically in this case, if you are using ssh (and/or sftp) as business tools and expecting some users to have those tools in their job workflows and processes, it really doesn't make sense not to allowlist the `ssh-agent` service so that those jobs can be performed, at least for those users doing those tasks. It should be obvious to any IT person who has ever used SSH that having access to a reliable SSH agent is important. If your micro-management processes don't have good processes for making the right exceptions, you teach your users to instead rely on the wrong loopholes, and that's bad corporate policy.

(Seriously, why would you encourage users to use an out-of-date program with known vulnerabilities, a tiny bus factor, existing known fakes that are malware vectors in the wild, when you can just quickly allowlist a single Windows service, shipped by Windows, and signed by Microsoft? How can you call any such corporate policy anything but bad in this specific example?)
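The comment above argues that the built-in `ssh-agent` service can be verified and allowlisted quickly. The following PowerShell is an added example, not code from the thread: it checks that the service exists, confirms the service binary carries a valid Microsoft Authenticode signature, and only then changes the startup type from its default of Disabled to Manual and starts it. It assumes Windows 10/11 with the OpenSSH Client optional feature installed and an elevated shell; the `Microsoft` subject match is an assumption about the signer name.

```powershell
# Added example (not from the thread): verify and enable the built-in ssh-agent service.
# Assumes Windows 10/11 with the OpenSSH Client optional feature and an elevated shell.

$svcName = 'ssh-agent'
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Service '$svcName' not found; install the OpenSSH Client optional feature first."
    return
}

# Resolve the executable path from the service configuration (CIM).
$cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
$exePath = ($cim.PathName -replace '"', '').Trim()
# PathName may carry arguments; keep only the .exe portion.
if ($exePath -match '^(.*?\.exe)') { $exePath = $Matches[1] }

# Check the Authenticode signature on the binary the service would run.
$sig = Get-AuthenticodeSignature -FilePath $exePath
Write-Output ("Binary:           {0}" -f $exePath)
Write-Output ("Signature status: {0}" -f $sig.Status)
Write-Output ("Signer:           {0}" -f $sig.SignerCertificate.Subject)

# Enable the service only if the binary is validly signed by Microsoft
# (signer subject match is an assumption for this example).
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
    # Default startup type is Disabled; Manual lets 'ssh-add' start it on demand.
    Set-Service -Name $svcName -StartupType Manual
    Start-Service -Name $svcName
    $after = Get-Service -Name $svcName
    Write-Output ("{0} is now {1} (StartType={2})" -f $svcName, $after.Status, $after.StartType)
} else {
    Write-Output "Signature check failed; leaving the service disabled."
}
```

Running the signature check before changing the startup type keeps the allowlisting decision tied to the actual binary on disk rather than to the service name alone, which is the property a policy exception should rest on.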


> If your allowlist doesn't include built-in Windows services maybe your allowlist is deficient.

Maybe. Or maybe as a matter of corporate policy you don't want your users connecting to other machines via SSH.


...and this is why PAGEANT.EXE is required for Microsoft OpenSSH.


And it’s why shadow IT exists and shadow IT is why companies don’t fall apart.

It’s also why web apps are so popular and why the BlackBerry failed.



