Forum Discussion
Blocking Installation of Software via Intune
How are the users to install themselves? Do they have admin rights?
The major issue/oversight with Windows is that while you need admin rights to install software at a system level, or for all users on a device, there is nothing stopping a user from modifying their user profile/appdata. So self-run software, or software that only changes items in the user's registry/appdata can generally install just fine by default... this includes most browser installs, store apps, file viewers, and simple utilities.
The admin prompt will prevent issues around catching a virus or malicious app at the system level... but a user installing something that exfiltrates their documents folder or file shares they have access to, or can otherwise run as the user to modify files... all fair game unless there are additional blocks in place. Thankfully, this is where blocking the ability to run services and scripts as the user (even admin users) really does a lot of heavy lifting for security. It is much more difficult (though not impossible) to do something sneaky and underhanded when you can't automate a bad action and have to trick the user into doing the heavy lifting of compromising themselves for you.
The issue as an admin... sometimes there is a specific app(s) you want to block/remove, but without having users/helpdesk go through a whole change mgmt process to micromanage every app that is allowed to run in an environment. Depending on your infrastructure team, and security stance, there is an unfortunate lack of scalability options for controlling apps on the user side. It often becomes a free-for-all, or overly cumbersome to manage, with few options in between... which is why most of IT is focused around managing dataflows at the network level rather than the specific non-virus-risk apps a user may choose to use inside of their profile (especially with multi-platform environments, or BYOD options where a corporate Windows control often just doesn't apply). Or using antivirus solutions to prevent the run of specific apps in memory without bothering with blocking the download/install/copy process of the app to the user's profile.
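
An added example, not part of the post above: a PowerShell audit that lists what has been installed inside the current user's profile without admin rights, which is the gap the reply describes. The function names, the search depth, and the output columns are this example's own choices; the registry key and environment variables are the standard per-user Windows locations.

```powershell
# Per-user installers register under HKCU rather than HKLM, so they never
# trigger an elevation prompt. Run this in the user's context to see them.
function Get-PerUserInstalledApp {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Source    = 'HKCU Uninstall'
                Name      = $_.DisplayName
                Publisher = $_.Publisher
                Location  = $_.InstallLocation
                Signature = $null   # not evaluated for registry entries
            }
        }
}

# Self-run tools often skip the Uninstall key entirely, so also look for
# executables sitting under the profile's AppData folders.
function Get-PerUserExecutable {
    param([int]$Depth = 3)   # assumed depth; raise it for a fuller sweep
    $roots = @($env:LOCALAPPDATA, $env:APPDATA) |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter *.exe -File -Recurse -Depth $Depth `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Source    = 'Profile executable'
                    Name      = $_.Name
                    Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    Location  = $_.DirectoryName
                    Signature = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                }
            }
    }
}

# Both functions emit the same columns, so the results can be merged and
# sorted by folder to group each application's files together.
@(Get-PerUserInstalledApp) + @(Get-PerUserExecutable) |
    Sort-Object Location, Name |
    Format-Table -AutoSize -Wrap
```

Unsigned executables in the output are the ones to review first when deciding which specific apps need a block rule.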