neilcarden
Brass Contributor
Apr 14, 2020

Disable/Block installation of all apps

Hi, I am trying to replicate a group policy that, back when I was using on-prem AD etc., we could set to disable Windows Installer for all users, hence not allowing them to install anything.

 

I'm not working in a full cloud environment using M365/InTune/Defender ATP, Cloud App Sec etc... and as far as I can tell there is no equivalent configuration policy. I just want to only deploy managed apps from Intune and block everything else (maybe not store/company portal apps)

 

I have seen blogs on AppLocker and using ATP, but these seem rather overblown for something that's a basic requirement (in my eyes) for an organisation.

 

Anyone successfully doing this without lots and lots of config...

 

Neil 

5 Replies

    • neilcarden
      Brass Contributor

      kengland2 I haven't had a chance to have a further look but I don't think there is any easy way...

       

      Neil

  • Moe_Kinani
    Bronze Contributor
    I have been evaluating the E5 license (Windows Enterprise); you can actually achieve your objective by using Surface attack Reduction in Intune under Security Baseline + Microsoft Defender ATP. Still in Preview but you can give it a try.

    Otherwise you have to use some 3rd party app like ‘CensorNet’ to block executables, zip etc.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
    • neilcarden
      Brass Contributor

      Thanks for the responses. I was hoping for something with little to no config in regards to the ASR, due to the fact I don't have time to spend looking into this.

      The InTune appstore only route causes havoc for those apps we use that are not in the store...

       

      I think I will need to set some time aside and look into the ASR route at some point.

       

      Thanks

      Neil
