Balancing security and flexibility when implementing Windows Defender Application Control (WDAC)
Wednesday, Oct 26, 2022, 08:30 AM PDT
With the growing sophistication in info sec compromises, organizations are sharply increasing adoption of application control. Windows Defender Application Control has had significant changes over th...
Heather_Poulsen
Updated Nov 15, 2024
Jordan_Geurten
Microsoft
Hi Rob, I would be interested in hearing more about your scenario. At first glance, WDAC should meet your requirements. With WDAC, you can create a deny list to deny Chrome, for example, or an allow list to deny anything that is not explicitly on your list.
Rob de Roos
Nov 01, 2022, Iron Contributor
If you create an Intune-managed AAD-joined environment using Autopilot where the user becomes a normal user and use, for example, the default security baselines with some additional policies you wish, a user is still able to do user installs (like Chrome or Firefox).
In an enterprise environment that is an absolute no-go because we don't manage those browsers. We only manage Edge, and Edge works in most cases. I would like to be able to disable user installs in any form. It would be so nice to have that as a simple "flip the switch" policy instead of having the giant learning curve and administrative hassle that you get with WDAC or AppLocker.
We manage hundreds of customer environments, and the administration burden those solutions bring to the table is fairly large and costly.
Jordan_Geurten
Nov 02, 2022, Microsoft
Hi Rob, you can do this today with WDAC very quickly. For your scenario, you would need to disallow the Chrome and Firefox installers, and any other undesirable browsers using a publisher + filename deny rule. We have more info on deny lists here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy
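The publisher + filename deny rule described above, built with the ConfigCI cmdlets, as an added example that is not code from this thread or from Microsoft; the installer paths, output paths and policy name are placeholders you replace with your own:

```powershell
# Added example (not from the thread): a WDAC deny policy that blocks the Chrome and
# Firefox installers by FilePublisher (signing chain + original filename), while the
# AllowAll template keeps everything else running.
# Assumptions: ConfigCI module present (Windows 10/11, Server 2016+); the installer
# paths below are placeholders pointing at local copies of the real installers.
Import-Module ConfigCI

$installers = @(
    'C:\Installers\ChromeSetup.exe',        # placeholder, not from the page
    'C:\Installers\FirefoxInstaller.exe'    # placeholder, not from the page
)

# A FilePublisher rule captures the PCA + leaf signer and the OriginalFileName from the
# PE version resource, so renaming the file on disk does not evade it.
# -Fallback Hash still produces a (hash) rule if a copy turns out to be unsigned.
$denyRules = foreach ($file in $installers) {
    New-CIPolicyRule -Level FilePublisher -DriverFilePath $file -Deny -Fallback Hash
}

# Merge the deny rules into the AllowAll template: deny rules take precedence over
# allow rules in WDAC, so only the listed installers are affected.
$base      = Join-Path $env:windir 'schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml'
$policyXml = 'C:\WDAC\DenyBrowsers.xml'     # placeholder output path
Merge-CIPolicy -PolicyPaths $base -Rules $denyRules -OutputFilePath $policyXml

# Give the policy its own ID/name so it does not collide with the template's GUID.
Set-CIPolicyIdInfo -FilePath $policyXml -ResetPolicyID -PolicyName 'Deny third-party browser installers'

# Option 0 = Enabled:UMCI (user-mode rules apply); option 3 = Enabled:Audit Mode.
# Roll out in audit first: audit hits appear as event ID 3076 in
# Microsoft-Windows-CodeIntegrity/Operational; remove option 3 to enforce (3077 = blocked).
Set-RuleOption -FilePath $policyXml -Option 0
Set-RuleOption -FilePath $policyXml -Option 3

# Compile to the binary that Intune/MDM or the CodeIntegrity policy folder consumes.
$policyBin = 'C:\WDAC\DenyBrowsers.cip'     # placeholder; deploy under the policy GUID name
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

Write-Host "Built $($denyRules.Count) deny rule(s) into $policyBin"
```

Once the audit events show no unexpected hits, drop option 3 with `Set-RuleOption -FilePath $policyXml -Option 3 -Delete` and recompile before deploying the enforced policy.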