Forum Discussion
Blocking Installation of Software via Intune
How are the users to install themselves? Do they have admin rights?
- CaedenV, Nov 12, 2025, Copper Contributor
The major issue/oversight with Windows is that while you need admin rights to install software at a system level, or for all users on a device, there is nothing stopping a user from modifying their user profile/appdata. So self-run software, or software that only changes items in the user's registry/appdata can generally install just fine by default... this includes most browser installs, store apps, file viewers, and simple utilities.
The admin prompt will prevent issues around catching a virus or malicious app at the system level... but a user installing something that exfiltrates their documents folder or file shares they have access to, or can otherwise run as the user to modify files... all fair game unless there are additional blocks in place. Thankfully, this is where blocking the ability to run services and scripts as the user (even admin users) really does a lot of heavy lifting for security. It is much more difficult (though not impossible) to do something sneaky and underhanded when you can't automate a bad action and have to trick the user to do the heavy lifting of compromising themselves for you.
The issue as an admin... sometimes there is a specific app(s) you want to block/remove, but without having users/helpdesk go through a whole change mgmt process to micromanage every app that is allowed to run in an environment. Depending on your infrastructure team, and security stance, there is an unfortunate lack of scalability options for controlling apps on the user side. It often becomes a free-for-all, or overly cumbersome to manage, with few options in-between... which is why most of IT is focused around managing dataflows at the network level rather than the specific non-virus-risk apps a user may choose to use inside of their profile (especially with multi-platform environments, or BYOD options where a corporate Windows control often just doesn't apply). Or using antivirus solutions to prevent the run of specific apps in memory without bothering with blocking the download/install/copy process of the app to the user's profile.
- Mar 01, 2025
Standard users are not allowed to have the admin access rights to control what applications run on their computers; only the admins are entitled to do that unless PIM is deployed for certain users.
Also adhering to the practice of least privilege and zero trust across the organization for security purposes.
- Jerome Wink, May 30, 2025, Copper Contributor
That's not really true and that's the problem. Chrome Browser and other applications can install "User-based" and in doing so bypass the administrator requirements. I get that this calls into question the semantics of what "installed" is as it's not installed to the system. But it registers to add/remove programs if I remember correctly so I consider that "installed".
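
An added example, not part of any post in this thread: a PowerShell inventory of the per-user installs discussed above, read from the current user's Add/Remove Programs registrations under HKCU. The function name `Test-UnderUserProfile` and the output column names are made up for this sketch, and it assumes the installer wrote an `InstallLocation` value, which not every installer does.

```powershell
# Added example: list software registered per-user (HKCU) for the signed-in user.
# Per-user installers register here instead of HKLM, so reading it needs no elevation.
$uninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'

# Profile locations a standard user can write to without an admin prompt.
$userRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:USERPROFILE) | Where-Object { $_ }

# Hypothetical helper: true when the install path sits inside the user's profile.
function Test-UnderUserProfile {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $clean = $Path.Trim('"').TrimEnd('\')
    foreach ($root in $userRoots) {
        if ($clean.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$entries = @()
if (Test-Path $uninstallKey) {
    $entries = Get-ChildItem $uninstallKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if (-not $p.DisplayName) { return }   # skip entries without a display name
        [pscustomobject]@{
            DisplayName     = $p.DisplayName
            Publisher       = $p.Publisher
            Version         = $p.DisplayVersion
            InstallLocation = $p.InstallLocation
            InUserProfile   = Test-UnderUserProfile $p.InstallLocation
            RegistryKey     = $_.PSChildName
        }
    }
}

# Review the list; InUserProfile = True marks installs that never needed admin rights.
$entries | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it in the signed-in user's context; under the SYSTEM account, HKCU resolves to a different hive and the user's registrations will not appear.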