Forum Discussion

AaronDurber
Copper Contributor
Feb 06, 2025

Blocking Installation of Software via Intune

Hi

We are trying to block users from installing software and browser apps once a device is set up. Can we do this via a configuration policy in Intune, or do we need a third-party app, or do we need to increase our licensing?

  • micheleariis
    Steel Contributor

    Hi, if you want to block users from installing software and apps once the device is set up, you can do so using Intune without necessarily relying on third-party solutions or purchasing additional licenses, as long as certain requirements are met. One effective solution is to use AppLocker, a built-in Windows tool that allows you to create rules to determine which applications (such as executable files, scripts, MSI files, DLLs, etc.) can run on the device. With Intune, you can create a custom configuration profile that distributes these rules, ensuring that only explicitly authorized applications are executed while unrecognized ones are blocked. However, it is important to note that AppLocker is only available on Windows 10/11 Enterprise or Education. If your devices run Windows Pro, this solution will not be applicable, and you may need to consider upgrading the operating system or looking for an alternative. Another built-in option is to disable the Microsoft Store through Intune policies, preventing users from installing apps directly from the store. Alternatively, you can use Windows Defender Application Control (WDAC), which works similarly to AppLocker by creating a whitelist of allowed applications.

     

    Regarding licensing, Intune is included in Microsoft 365 Enterprise (E3/E5) or Business Premium plans, so additional licensing is generally not required. However, it is crucial to ensure that devices are running a Windows version that supports AppLocker or WDAC.
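
As an added example (not part of the thread, and not code from either poster): an exported AppLocker policy has to be split before it goes into the custom profile mentioned in the answer above, because the AppLocker CSP takes one `<RuleCollection>` element per OMA-URI node. The sample policy, rule IDs and the grouping name `ExampleGrouping` are constructed, and the sample is abbreviated rather than a deployable baseline.

```powershell
# Added example, not from the thread. Rule IDs/names and the grouping name are
# constructed; real input would come from: Get-AppLockerPolicy -Local -Xml
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Administrators: all files"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="AuditOnly">
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Administrators: all installers"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*.*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

function Split-AppLockerPolicyForIntune {
    param([string]$Xml, [string]$Grouping, [string]$OutDir)
    # RuleCollection Type -> node name under the AppLocker CSP
    $node = @{ Exe = 'EXE'; Msi = 'MSI'; Script = 'Script'; Appx = 'StoreApps'; Dll = 'DLL' }
    foreach ($rc in ([xml]$Xml).AppLockerPolicy.RuleCollection) {
        # Nothing to deploy for unconfigured or empty collections.
        if ($rc.EnforcementMode -eq 'NotConfigured' -or -not $rc.HasChildNodes) { continue }
        if (-not $node.ContainsKey($rc.Type)) { Write-Warning "Unknown collection $($rc.Type)"; continue }
        # The CSP takes one <RuleCollection> element per node, not the whole policy.
        $file = Join-Path $OutDir "AppLocker-$($rc.Type).xml"
        Set-Content -Path $file -Value $rc.OuterXml -Encoding UTF8
        [pscustomobject]@{
            OmaUri   = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/$Grouping/$($node[$rc.Type])/Policy"
            DataType = 'String'
            Mode     = $rc.EnforcementMode   # keep AuditOnly until event logs look clean
            Rules    = $rc.ChildNodes.Count
            Payload  = $file
        }
    }
}

Split-AppLockerPolicyForIntune -Xml $policyXml -Grouping 'ExampleGrouping' `
    -OutDir ([IO.Path]::GetTempPath()) | Format-List
```

Each returned object corresponds to one OMA-URI row in the Intune custom profile, with the contents of the payload file as its value.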

  • Joseph Kilonzo
    Copper Contributor

    Hi, you don't need any third-party software. Ensure you have the right Microsoft license. Then you need to carry out the following from your Intune portal:

    Process

    1. Log in to the Microsoft Intune admin center.
    2. Navigate to Configuration Profiles: Go to Devices > Configuration profiles.
    3. Click Create profile and select "Windows 10 and later" as the platform.
    4. Select "Templates with Custom" as the profile type.
    5. Under "Configuration settings", add a new setting using the OMA-URI related to "App Control for Business".
    6. Within the App Control settings, specify the list of approved applications (including browsers) that users are allowed to install.
    7. Choose "Block" as the enforcement level to prevent users from installing any other applications not on the approved list. 

    Hope this answers your question.

    Regards,

    Joseph

    • Joseph Kilonzo
      Copper Contributor

      Standard users are not allowed to have the admin access rights to control which applications run on their computers; only the admins are entitled to do that, unless PIM is deployed for certain users.

      Also, adhering to the practice of least privilege and zero trust across the organization for security purposes.
