Setup School PC user rights problem

Copper Contributor

Hi,

in our organisation we use the Setup School PC App to deploy Windows to our student PCs.

 

All apps should be deployed only by Admin and the students should not be able to install anything.

To realize this we use MS365, Intune with Configuration manager profiles. The device configuration GPO „Turn off Windows Installer (\Windows Components\Windows Installer) returns with error code 0x20100 with some PCs.

 

If the students uses a organisation - PC with „by hand installation“ they do not have installation rights as required.

 

Any hint how to solve this issue?

 

Best regards.

3 Replies

You are aware that only disabling Windows Installer (msiexec) doesn't block all installation options? 

If you're looking to prevent any software from being installed, your best bet would be something like WDAC or AppLocker.

 

To address your specific question: is anything logged to your DeviceManagement-Enterprise-Diagnostics-Provider event log?

Hi Niels,
thanks for your reply.

Blocking all installer via WDAC works fine, but it blocks also the apps which should be installed with Intune / Endpoint manager (f.e. Adobe reader intunewin-package).

So I'm still struggeling with a simple problem.