AhBAy2335
Copper Contributor
Feb 06, 2026

Blocking User Mode Installation

Hi Experts,

I have a Hybrid Azure AD Join environment with all Windows devices enrolled in Intune.

I have removed Domain Users from the local Administrators group on all devices via an on-premises Group Policy from the Domain Controller (Restricted Groups / Local Admin configuration).

But what I observe is that users are still able to install applications in user mode with no elevation. How can I block this so that when they get a prompt, only the IT team can enter their credentials, which will allow the install?

Currently apps are being installed in the AppData folder under the user profile.

Thanks

1 Reply

Hi,

What you are seeing is expected behaviour in Windows environments.

Removing users from the local Administrators group only prevents installations that require elevation (for example: Program Files, services, drivers, HKLM changes, system-wide installs). It does not prevent applications that support per-user installation.

These applications typically install under locations such as:

• %LocalAppData%
• %AppData%
• User profile folders
• HKCU registry hive

That is why users can still install software without admin credentials.

How to block this properly

To control user-mode installs, you need application control, not only admin rights removal.

Recommended options

Option 1: AppLocker

If you are using Windows Enterprise/Education, AppLocker is a strong and practical solution.

You can create rules to block execution from:

• %AppData%
• %LocalAppData%
• %Temp%
• Downloads folder

And allow trusted locations such as:

• C:\Program Files\
• C:\Program Files (x86)\
• C:\Windows\

This is a common enterprise approach.

Option 2: Microsoft Defender Application Control (WDAC)

This is the more advanced / modern option.

WDAC allows only approved or trusted applications to run and provides stronger security than AppLocker.

Recommended if you want a long-term Zero Trust application control model.

Option 3: Intune Managed Apps

Use Intune / Company Portal as the approved software channel and block unmanaged executables through AppLocker or WDAC.

About forcing IT credentials

If software requires elevation, standard users already need admin credentials.

The reason no prompt appears now is that those apps install only in user context and do not need admin rights.

To change that behaviour, you must block execution from user-writable locations.

Best path for your environment (Hybrid + Intune)

Since you already use Hybrid Azure AD Join + Intune, I would recommend:

1. Start with AppLocker in Audit mode
2. Review what users are running from AppData
3. Move to Enforced mode
4. Publish approved apps through Intune Company Portal
5. Consider WDAC later for stronger control

Important note

Test carefully before enforcement, because some legitimate apps also run from AppData.

Final recommendation

Removing local admin rights is only step one.
To stop user-mode installs, use AppLocker or WDAC.

Hope this helps.
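The AppLocker audit-mode rollout the reply outlines (steps 1 to 3: audit, review AppData usage, then enforce), as an added PowerShell example that is not part of the original thread. The output path, the sample per-user executable and the Intune grouping name are placeholders; the SIDs and cmdlets are the standard Windows ones.

```powershell
# Build an AppLocker EXE policy in AuditOnly mode: allow Program Files and Windows for
# Everyone, allow everything for local Administrators (the IT team), nothing else.
function New-ExeRule {
    param([string]$Name, [string]$Path, [string]$Sid,
          [ValidateSet('Allow','Deny')][string]$Action)
    $id = [guid]::NewGuid()   # every AppLocker rule needs a unique GUID
    @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$Everyone = 'S-1-1-0'; $Admins = 'S-1-5-32-544'   # well-known SIDs
# Once a collection contains any rule, AppLocker blocks whatever no Allow rule matches,
# so %AppData%, %LocalAppData%, %Temp% and Downloads are covered without explicit
# Deny rules (a Deny for Everyone would also bind Administrators and stop IT installs).
$rules = @(
    New-ExeRule 'Allow Program Files' '%PROGRAMFILES%\*' $Everyone Allow  # covers both PF folders
    New-ExeRule 'Allow Windows'       '%WINDIR%\*'       $Everyone Allow
    New-ExeRule 'Admins run anything' '*'                $Admins   Allow
)
# Caveat: %WINDIR%\* includes a few user-writable subfolders (e.g. %WINDIR%\Temp);
# review the audit events and add Deny rules for those before switching to Enabled.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'AppLocker-Exe-Audit.xml'   # placeholder location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy decide for a per-user install? Point this at a real
# file on a test machine; Test-AppLockerPolicy has to read the file it evaluates.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:LOCALAPPDATA\Programs\ExampleApp\ExampleApp.exe"   # placeholder path

# Local pilot (run elevated): AppLocker only enforces when Application Identity runs.
sc.exe config appidsvc start= auto; Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Step 2 of the reply: after the audit period, see what users actually run from AppData.
Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
    Group-Object Path | Sort-Object Count -Descending | Select-Object Count, Name

# Intune: the <RuleCollection> element alone (not the outer <AppLockerPolicy>) goes into a
# custom OMA-URI at ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<Grouping>/EXE/Policy
```

Change `EnforcementMode` to `Enabled` only after the audited paths have been reviewed and any legitimate AppData-based apps (step 4) are published through Company Portal or given their own publisher rules.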