Forum Discussion
Blocking Installation of Software via Intune
Hi
We are trying to block users from installing software and browser apps once a device is set up. Can we do this via a configuration policy in Intune, or do we need a third-party app, or do we need to increase our licensing?
7 Replies
Hi, if you want to block users from installing software and apps once the device is set up, you can do so using Intune without necessarily relying on third-party solutions or purchasing additional licenses, as long as certain requirements are met.

One effective solution is to use AppLocker, a built-in Windows tool that allows you to create rules to determine which applications (such as executable files, scripts, MSI files, DLLs, etc.) can run on the device. With Intune, you can create a custom configuration profile that distributes these rules, ensuring that only explicitly authorized applications are executed while unrecognized ones are blocked. However, it is important to note that AppLocker is only available on Windows 10/11 Enterprise or Education. If your devices run Windows Pro, this solution will not be applicable, and you may need to consider upgrading the operating system or looking for an alternative.

Another built-in option is to disable the Microsoft Store through Intune policies, preventing users from installing apps directly from the store. Alternatively, you can use Windows Defender Application Control (WDAC), which works similarly to AppLocker by creating a whitelist of allowed applications.
Regarding licensing, Intune is included in Microsoft 365 Enterprise (E3/E5) or Business Premium plans, so additional licensing is generally not required. However, it is crucial to ensure that devices are running a Windows version that supports AppLocker or WDAC.
Hi, you don't need any third-party software. Ensure you have the right Microsoft license. Then carry out the following from your Intune portal:
Process
- Log in to the Microsoft Intune admin center.
- Navigate to Configuration Profiles: Go to Devices > Configuration profiles.
- Click Create profile and select "Windows 10 and later" as the platform.
- Select "Templates with Custom" as the profile type.
- Under "Configuration settings", add a new setting using the OMA-URI related to "App Control for Business".
- Within the App Control settings, specify the list of approved applications (including browsers) that users are allowed to install.
- Choose "Block" as the enforcement level to prevent users from installing any other applications not on the approved list.
Hope this answers your question.
Regards,
Joseph
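Worked example of the procedure above, added here as an illustration and not part of the thread or Joseph's own steps. "App Control for Business" is the current name of Windows Defender Application Control (WDAC), so the OMA-URI in question is the ApplicationControl CSP. The script builds a policy from the DefaultWindows template that Windows ships, optionally scans Program Files so currently installed applications (browsers included) stay allowed, flips it from audit to enforced, compiles it, and prints the OMA-URI and Base64 value the custom profile needs. The working directory, the policy and profile names, and the optional Microsoft Graph call at the end are assumptions made for this example; the Graph step is equivalent to clicking through Devices > Configuration profiles and still leaves the profile unassigned.

```powershell
# Added example (not from the thread): build an App Control for Business (WDAC)
# policy and produce the custom OMA-URI payload for Intune.
# Run in an elevated PowerShell on Windows 10/11. $Workdir, the policy name and
# the profile display name are assumptions for this example.
$ErrorActionPreference = 'Stop'
$Workdir = Join-Path $env:TEMP 'AppControlDemo'
New-Item -ItemType Directory -Path $Workdir -Force | Out-Null

# 1. Start from the audit-mode template Windows ships (allows Windows itself and
#    Microsoft-signed components, nothing else in user mode).
$Template  = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$PolicyXml = Join-Path $Workdir 'AllowedApps.xml'
Copy-Item $Template $PolicyXml -Force

# 2. Give the policy a fresh GUID (this also converts it to multiple-policy format).
#    The cmdlet prints "PolicyID = {GUID}"; pull the bare GUID out of that string.
$Raw      = Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID -PolicyName 'Intune allowed apps'
$PolicyId = [regex]::Match([string]$Raw, '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}').Value
if (-not $PolicyId) { throw "Could not read the policy ID from: $Raw" }

# 3. Add what is already installed as allowed publishers (falls back to hashes for
#    unsigned binaries). Scanning Program Files takes minutes; set to $false to skip
#    and end up with a Windows-only allowlist.
$ScanInstalledApps = $true
if ($ScanInstalledApps) {
    $Scanned = Join-Path $Workdir 'InstalledApps.xml'
    New-CIPolicy -FilePath $Scanned -Level Publisher -Fallback Hash `
                 -ScanPath $env:ProgramFiles -UserPEs -MultiplePolicyFormat
    # The merged file keeps the policy ID of the first path, i.e. our $PolicyId.
    Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $PolicyXml, $Scanned | Out-Null
}

# 4. Rule options. 0 = Enabled:UMCI (user-mode apps are governed, not only drivers).
#    Removing option 3 (Audit Mode) is the "Block" enforcement level from the steps
#    above; keep it in place for a pilot ring first and review event IDs 3076 (would
#    have been blocked) and 3077 (blocked) in Microsoft-Windows-CodeIntegrity/Operational.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
Set-RuleOption -FilePath $PolicyXml -Option 16   # Enabled:Update Policy No Reboot

# 5. Compile to the binary form and Base64-encode it. The ApplicationControl CSP
#    expects the file to be named {GUID}.cip and the OMA-URI to carry the GUID
#    without braces; the custom setting uses the "Base64 (file)" data type.
$Cip = Join-Path $Workdir "{$PolicyId}.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $Cip | Out-Null
$Base64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($Cip))
$OmaUri = "./Vendor/MSFT/ApplicationControl/Policies/$PolicyId/Policy"

Write-Host "OMA-URI : $OmaUri"
Write-Host "File    : $Cip"
Write-Host "Base64  : $($Base64.Length) characters (paste as Base64 (file), or upload the .cip)"

# 6. Optional: create the same custom profile through Microsoft Graph instead of the
#    portal. Assumes the Microsoft.Graph module is installed and you can consent to
#    the DeviceManagementConfiguration.ReadWrite.All scope. Assign the profile to a
#    pilot group afterwards; this call only creates it.
if (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication) {
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
    $Body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'App Control - allowed apps only'
        description   = "App Control policy $PolicyId (enforced)"
        omaSettings   = @(@{
            '@odata.type' = '#microsoft.graph.omaSettingBase64'
            displayName   = 'App Control policy'
            omaUri        = $OmaUri
            fileName      = "{$PolicyId}.cip"
            value         = $Base64
        })
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json -Depth 5)
}
```

Two practical notes: a policy built this way governs what can run, not what can be downloaded or copied, so "installers" that merely unpack into the user's profile will still land on disk but their executables will not launch; and because the template is deliberately strict, anything that is not Windows, not Microsoft-signed and not found by the Program Files scan will be blocked, which is exactly why the audit-first pass matters.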
- AaronDurber (Copper Contributor)
thanks for the insight
- rahuljindal (Bronze Contributor)
How are the users to install themselves? Do they have admin rights?
- CaedenV (Copper Contributor)
The major issue/oversight with Windows is that while you need admin rights to install software at a system level, or for all users on a device, there is nothing stopping a user from modifying their user profile/appdata. So self-run software, or software that only changes items in the user's registry/appdata can generally install just fine by default... this includes most browser installs, store apps, file viewers, and simple utilities.
The admin prompt will prevent issues around catching a virus or malicious app at the system level... but a user installing something that exfiltrates their documents folder or file shares they have access to, or can otherwise run as the user to modify files... all fair game unless there are additional blocks in place. Thankfully, this is where blocking the ability to run services and scripts as the user (even admin users) really does a lot of heavy lifting for security. It is much more difficult (though not impossible) to do something sneaky and underhanded when you can't automate a bad action and have to trick the user to do the heavy lifting of compromising themselves for you.
The issue as an admin... sometimes there is a specific app (or apps) you want to block/remove, but without having users/helpdesk go through a whole change management process to micromanage every app that is allowed to run in an environment. Depending on your infrastructure team and security stance, there is an unfortunate lack of scalability options for controlling apps on the user side. It often becomes a free-for-all, or overly cumbersome to manage, with few options in between... which is why most of IT is focused around managing dataflows at the network level rather than the specific non-virus-risk apps a user may choose to use inside of their profile (especially with multi-platform environments, or BYOD options where a corporate Windows control often just doesn't apply). Or using antivirus solutions to prevent the running of specific apps in memory without bothering with blocking the download/install/copy process of the app to the user's profile. Standard users are not allowed the admin access rights to control which applications run on their computers; only the admins are entitled to do that, unless PIM is deployed for certain users.
This also adheres to the practice of least privilege and zero trust across the organization, for security purposes.
- Jerome Wink (Copper Contributor)
That's not really true, and that's the problem. Chrome Browser and other applications can install "user-based" and in doing so bypass the administrator requirements. I get that this calls into question the semantics of what "installed" is, as it's not installed to the system. But it registers in Add/Remove Programs if I remember correctly, so I consider that "installed".
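The per-user install problem that CaedenV and Jerome Wink describe is exactly what an allowlist closes: if only Program Files and the Windows directory are allowed for Everyone, a browser or utility that unpacks into %LOCALAPPDATA% cannot start no matter how it got there. The following AppLocker rule set, added here as an example and not code from anyone in the thread, shows that concretely: it allows the two system locations, carves out the user-writable folders under %WINDIR% that a plain allow rule would otherwise let through (Temp and Tasks are two well-known ones; the list is not exhaustive), keeps the usual "Administrators can run anything" rule, covers scripts as well as executables since CaedenV points out that blocking user-run scripts does a lot of the heavy lifting, and then evaluates a real binary from System32 against a copy of the same binary dropped into the user profile. The rule names, the demo folder and the "apps" grouping name in the OMA-URI are assumptions for this example; it needs a Windows edition that enforces AppLocker, as the first reply notes.

```powershell
# Added example (not from the thread): AppLocker rules that block executables and
# scripts living in the user's profile, tested with Test-AppLockerPolicy, plus the
# AppLocker CSP OMA-URIs needed to push the same rules with an Intune custom profile.
# Rule names, the demo folder and the OMA-URI grouping "apps" are assumptions.
$ErrorActionPreference = 'Stop'

function New-AppLockerRuleXml {
    # Same three rules for an 'Exe' or a 'Script' collection. %PROGRAMFILES% covers
    # both Program Files folders; the Exceptions block removes user-writable
    # subfolders of %WINDIR% from the allow rule so a standard user cannot drop a
    # binary there to get it allowed. S-1-1-0 = Everyone, S-1-5-32-544 = Administrators.
    param([ValidateSet('Exe', 'Script')][string]$Type)
@"
  <RuleCollection Type="$Type" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Everyone: Windows (minus user-writable folders)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators: everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
"@
}

# Full policy document: no rule allows anything under C:\Users, so per-user
# installs (Chrome's user-level installer, portable tools in %LOCALAPPDATA%) are
# denied implicitly for standard users.
$Policy = @"
<AppLockerPolicy Version="1">
$(New-AppLockerRuleXml -Type 'Exe')
$(New-AppLockerRuleXml -Type 'Script')
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'UserInstallBlock.xml'
Set-Content -Path $PolicyPath -Value $Policy -Encoding UTF8

# Simulate a per-user "install": a copy of a real, signed binary inside the profile.
$UserDrop  = Join-Path $env:LOCALAPPDATA 'UserInstallDemo'
$SystemExe = Join-Path $env:windir 'System32\notepad.exe'
$UserExe   = Join-Path $UserDrop 'notepad.exe'
New-Item -ItemType Directory -Path $UserDrop -Force | Out-Null
Copy-Item $SystemExe $UserExe -Force

# Evaluate as Everyone (i.e. a standard user). Expect the System32 copy to be
# Allowed and the profile copy to be Denied with no matching rule. Testing as an
# administrator instead would match the third rule and allow both.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone -Path $SystemExe, $UserExe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Intune delivery: one custom OMA-URI (data type String) per RuleCollection under
# the AppLocker CSP; the value is the RuleCollection element itself, not the whole
# AppLockerPolicy document. "apps" is an arbitrary grouping name you choose.
$NodeName = @{ Exe = 'EXE'; Script = 'Script' }   # CSP node names are case-sensitive
$Xml = [xml]$Policy
foreach ($rc in $Xml.AppLockerPolicy.RuleCollection) {
    [pscustomobject]@{
        OmaUri = "./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/$($NodeName[$rc.Type])/Policy"
        Value  = $rc.OuterXml
    }
}
```

Path rules are the cheapest way to express "nothing from the profile runs", but they only hold if standard users cannot write into the allowed locations; that is why the Exceptions block exists, and why a Program Files subfolder with loose ACLs (some installers create them) is worth auditing before enforcement. Publisher or hash rules for the specific browsers you do want are the usual next step, and switching EnforcementMode to "AuditOnly" for a pilot ring lets you read the AppLocker event log before anyone is actually blocked.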