Disable/Block installation of all apps


Hi, I am trying to replicate a group policy that back when I was using on-prem AD etc, we could set the policy to disable windows installer for all users, hence not allowing them to install anything.

 

I'm not working in a full cloud environment using M365/InTune/Defender ATP, Cloud App Sec etc... and as far as I can tell there is no equivalent configuration policy. I just want to only deploy managed apps from Intune and block everything else (maybe not store/company portal apps)

 

I have seen blogs on AppLocker and using ATP, but these seem rather overblown for something that's a basic requirement (in my eyes) for an organisation.

 

Anyone successfully doing this without lots and lots of config...

 

Neil 

5 Replies
I have been evaluating E5 license (Windows Enterprise), you can actually achieve your objective by using Surface attack Reduction in Intune under Security Baseline + Microsoft Defender ATP. Still in Preview but you can give it a try.

Otherwise you have to use some 3rd party app like ‘CensorNet’ to block executables, zip etc.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-su...

Have you looked into Microsoft Defender Application Control? This will block all apps except store apps - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...

Thanks for the responses. I was hoping for something with little to no config in regards to the ASR, due to the fact I don't have time to spend looking into this.

The InTune appstore only route causes havoc for those apps we use that are not in the store...

 

I think I will need to set some time aside and look into the ASR route at some point.

 

Thanks

Neil

@neilcarden this is a great question. Did you ever find an easy way to do this?

@Kendall England I haven't had a chance to have a further look but I don't think there is any easy way...

 

Neil