Hi, I am trying to replicate a group policy that, back when I was using on-prem AD etc., we could set to disable Windows Installer for all users, hence not allowing them to install anything.


I'm not working in a full cloud environment using M365/Intune/Defender ATP, Cloud App Sec etc., and as far as I can tell there is no equivalent configuration policy. I just want to deploy only managed apps from Intune and block everything else (maybe not Store/Company Portal apps).


I have seen blogs on AppLocker and using ATP, but these seem rather overblown for something that's a basic requirement (in my eyes) for an organisation.


Anyone successfully doing this without lots and lots of config...
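One lightweight way to reproduce the old "Turn off Windows Installer" policy on Intune-managed devices is to push the same registry value the GPO writes. The script below is an added example, not code from the thread; it assumes it runs in the SYSTEM context (as Intune-deployed PowerShell scripts do) and uses the documented `DisableMSI` policy value, where 1 blocks user-initiated MSI installs while still allowing system-context deployments such as Intune's own managed apps.

```powershell
<#
  Added example (not from the original thread): replicate the
  "Turn off Windows Installer" group policy on Intune-managed devices.
  Run without -Remediate as a detection script (exit 1 = non-compliant),
  or with -Remediate to apply the setting.
#>
param(
    # 0 = installer enabled, 1 = blocked for non-managed (user-initiated) installs,
    # 2 = always blocked, including SYSTEM-context deployments (breaks Intune MSI apps).
    [ValidateSet(0, 1, 2)]
    [int]$DisableMsi = 1,
    [switch]$Remediate
)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName = 'DisableMSI'

function Get-InstallerPolicy {
    # Absent value means Windows Installer is enabled (equivalent to 0).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$ValueName
}

function Set-InstallerPolicy([int]$Value) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-InstallerPolicy
if ($current -eq $DisableMsi) {
    Write-Output "Compliant: $ValueName=$current"
    exit 0
}

if ($Remediate) {
    Set-InstallerPolicy -Value $DisableMsi
    Write-Output "Remediated: $ValueName $current -> $DisableMsi"
    exit 0
}

Write-Output "Non-compliant: $ValueName=$current, expected $DisableMsi"
exit 1
```

Note that this only governs MSI-based installs; EXE installers that unpack into the user profile are unaffected, which is why the replies below point at ASR and Application Control for full coverage.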



I have been evaluating an E5 license (Windows Enterprise); you can actually achieve your objective by using Attack Surface Reduction in Intune under Security Baseline + Microsoft Defender ATP. Still in preview, but you can give it a try.

Otherwise you have to use some 3rd-party app like 'CensorNet' to block executables, zips, etc.

Have you looked into Microsoft Defender Application Control? This will block all apps except Store apps - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...

Thanks for the responses. I was hoping for something with little to no config with regard to ASR, due to the fact I don't have time to spend looking into this.

The Intune Store-only route causes havoc for those apps we use that are not in the Store...


I think I will need to set some time aside and look into the ASR route at some point.




@neilcarden This is a great question. Did you ever find an easy way to do this?

@kengland2 I haven't had a chance to have a further look, but I don't think there is any easy way...