Disable/Block installation of all apps

Contributor

Hi, I am trying to replicate a group policy that back when I was using on-prem AD etc, we could set the policy to disable windows installer for all users, hence not allowing them to install anything.

 

I'm not working in a full cloud environment using M365/InTune/Defender ATP, Cloud App Sec etc... and as far as I can tell there is no equivalent configuration policy. I just want to only deploy managed apps from Intune and block everything else (maybe not store/company portal apps)

 

I have seen blogs on AppLocker and using ATP, but these seem rather overblown for something thats a basic requirement (in my eyes) for an organisation.

 

Anyone successfully doing this without lots and lots of config...

 

Neil 

5 Replies
I have been evaluating E5 license ( Windows Enterprise), you can actually achieve your objective by using Surface attack Reduction in Intune under Security Baseline + Microsoft Defender ATP. Still in Preview but you can give it try.

Otherwise you have to use some 3rd party app like ‘CensorNet’ to block executables, zip etc.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-su...
Have you looked into Microsoft Defender Application Control, this will block all apps except stores apps - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-con...

Thanks for the responses. I was hoping for something with little to no config in regards to the ASR, due to the fact I don't have time to spend looking into this.

The InTune appstore only route causes havoc for those apps we use that are not in the store...

 

I think i will need to set some time aside and look into the ASR route at some point.

 

Thanks

Neil

@neilcarden this is a great question did you ever find an easy way to do this?

@Kendall England I haven't had chance to have a further look but I dont think there is any easy way...

 

Neil