Balancing security and flexibility when implementing Windows Defender Application Control (WDAC)

Event Ended
Wednesday, Oct 26, 2022, 08:30 AM PDT
Online

Event details

With the growing sophistication of information security compromises, organizations are sharply increasing their adoption of application control. Windows Defender Application Control has changed significantly over the years, so we share more on what's changed in WDAC across Windows, Intune, and Microsoft Defender for Endpoint, plus best practices for creating and deploying app control policies with WDAC.

This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.

Heather_Poulsen
Updated Dec 27, 2024

33 Comments

  • Rob de Roos
    Iron Contributor

    Can't wait for this one. Still looking into a solution where we are able to disable user installs of for example Google Chrome, etc. I believe WDAC could be a potential option to tackle that.

    • Jordan_Geurten
      Microsoft
      Hi Rob, I would be interested in hearing more about your scenario. At first glance, WDAC should meet your requirements. With WDAC, you can create a deny list to deny Chrome, for example, or an allow list to deny anything that is not explicitly on your list.
      • Rob de Roos
        Iron Contributor
        If you create an Intune Managed AAD joined environment using Autopilot where the user becomes a normal user and use for example the default security baselines with some additional policies you wish, a user is still able to do user installs (like Chrome or Firefox). In an Enterprise Environment that is an absolute no-go because we don't manage those browsers. We only manage Edge and Edge works in most cases. I would like to be able to disable user installs in any form. It would be so nice to have that as a simple "flip the switch" policy instead of having a giant learning curve and administrative hassle that you get with WDAC or AppLocker. We manage 100s of customer environments and the administration burden those solutions bring to the table is fairly large and costly.
  • PaulKlerkx
    Iron Contributor
    We use a third-party AV (McAfee). Is WDAC usable in this case, or do we need to remove McAfee and switch to all Defender to allow it to work?
    • JavoMejia
      Copper Contributor
      Most WDAC features are part of the Windows OS, and those features are managed from Intune, Configuration Manager or GPO. You don't need to uninstall McAfee in order for it to work. Some Defender for Endpoint (EDR) security remote tasks may use WDAC in order to enforce app execution restrictions.
Date and Time
Oct 26, 2022, 8:30 AM - 9:00 AM PDT