How can I prevent app installations on Windows devices without using Company Portal?

Asked By TechGuru101 On

I'm managing IT for a small company with less than 13 employees, and I'm fairly self-taught in this area. We use Intune to control app updates through Robopack, which works well for critical applications. However, I'm facing a challenge: staff members frequently download unauthorized apps on their Windows PCs, which isn't an issue with our Apple devices since the App Store is restricted. While I can prevent them from adding apps to the M365 backend without admin approval, I'm worried about how to minimize risks associated with unauthorized downloads on their PCs. Is there a straightforward way to lock down app installations on these devices, either through policies or other controls? I'm also curious if restricting access will lead to a flood of requests for random apps, so any insights or links for further reading would be appreciated.

3 Answers

Answered By CreativeCoder547 On

You can use Group Policy Objects (GPO) to block access to the Windows Store, but bear in mind this method only works with Enterprise editions. Even then, it doesn’t prevent installations from apps.microsoft.com, and could also disrupt updates for built-in Windows apps. An alternative to consider is ensuring that users aren't local administrators on their machines, as this often eliminates most app installation issues. AppLocker can help control app access too; just make sure to implement it properly!

GadgetGuy900 -

Just a note: Winget can bypass these restrictions since it's a command-line tool; keep that in mind!

UserLover123 -

Thanks for the heads-up! I don't have the Enterprise license, so that approach won't work for me.

Answered By SecuritySavvy568 On

If you're looking for solutions outside of the built-in tools, consider applications like ThreatLocker, AirLock, or Heimdall, which can provide easy ways to manage and restrict software installations. Make sure you talk to your CSP about what options are available; I've found some of these solutions quite effective!

IntuitiveAdmin34 -

Absolutely, they're designed for ease of use while providing robust security. Definitely worth exploring!

InformedUser999 -

Are those tools user-friendly for someone who’s not an IT pro? I want something that won't complicate my life!

Answered By AppExpert77 On

To really lock things down on Windows, consider a few strategies: restrict the Store through Intune, ensure users aren’t local administrators, and look into using AppLocker or Windows Defender Application Control (WDAC). AppLocker is the older method but still effective, while WDAC might have a steeper learning curve. If you deploy apps via the Company Portal, enabling the managed installer feature through WDAC can help ensure those apps are always trusted. Just be aware of potential conflicts when deploying new apps!

SysAdminNinja -

You could try setting up a dedicated test environment to experiment with the transitions to Autopilot without affecting your main operations.

TechWizard456 -

I see! My team is remote, and I'm transitioning to Autopilot but can't get admin access ahead of device replacements, which complicates matters.
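An audit-first AppLocker rollout of the kind the answers above point to, as an added example that is not from any poster in this thread: it builds allow rules from what is already installed, forces audit-only mode, and reports what would have been blocked before anything is enforced. It assumes Windows PowerShell 5.1 run elevated on a reference PC that holds only approved software; `$PolicyFile` and the function name `Get-AuditedApps` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumption: this PC is a clean reference
# machine with only approved software installed. $PolicyFile is a hypothetical path.
$PolicyFile = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. Inventory executables and MSI installers that are already installed.
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$fileInfo = foreach ($dir in $installDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, WindowsInstaller -ErrorAction SilentlyContinue
}

# 2. Build allow rules: publisher rules for signed files, hash rules as the
#    fallback for unsigned ones. This covers only the scanned folders, so rules
#    for the Windows directory must be added before switching to enforcement.
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Force every rule collection into audit-only mode so nothing is blocked yet.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$xml | Out-File -FilePath $PolicyFile

# 4. Dry run: how would this policy treat installers sitting in Downloads?
$downloads = Get-ChildItem (Join-Path $env:USERPROFILE 'Downloads') `
    -Include *.exe, *.msi -Recurse -File -ErrorAction SilentlyContinue
if ($downloads) {
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $downloads.FullName -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
} else {
    Write-Host 'No .exe or .msi files found in Downloads to test.'
}

# 5. Apply the audit-only policy locally and start the Application Identity
#    service, which AppLocker needs in order to evaluate rules and log events.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
Start-Service -Name AppIDSvc

# 6. Call this after users have worked normally for a while: it summarises
#    files that ran but would have been blocked under enforcement.
function Get-AuditedApps {
    Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
}
```

Reviewing the `Get-AuditedApps` output before enforcing shows which apps people actually rely on, so they can be approved or replaced up front rather than handled as individual requests after the lockdown.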
