Preventing users from installing unauthorised software is a key part of endpoint hardening. Intune gives you several tools to do this: Device Restrictions to block the Microsoft Store, AppLocker for rule-based allow/deny lists, and Windows Defender Application Control (WDAC) for modern kernel-enforced application control. This guide covers all three approaches and when to use each.
Three approaches to blocking apps
Block the Microsoft Store
Under App Store:
AppLocker via Intune
AppLocker is deployed via Intune using a custom OMA-URI profile whose value is an AppLocker XML policy. It requires Windows Enterprise or Education. Note that once a rule collection is in Enabled enforcement mode AppLocker blocks every executable that no rule allows, so a deny rule on its own must be paired with the default allow rules (Program Files, the Windows folder, and everything for administrators) or users will be unable to run anything.

```text
# OMA-URI for AppLocker ({Group} is any name you choose for the rule grouping)
./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/{Group}/EXE/Policy
```

```xml
<!-- Example AppLocker XML - block a specific app.
     Id must be a unique GUID. PublisherName must be the exact subject string of the
     signing certificate (read it with Get-AppLockerFileInformation -Path <exe>);
     AppLocker matches publisher fields exactly or with a bare "*", so the
     *TorProject* value below is a placeholder to replace.
     Remember to merge this rule into a policy that also contains the default
     allow rules, otherwise enforcement blocks everything else. -->
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="..." Name="Block TorBrowser" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="*TorProject*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
```

Windows Defender Application Control (WDAC)
WDAC is the recommended modern approach. Intune supports deploying WDAC policies natively via the Endpoint Security blade.
For a managed installer policy that allows apps deployed via Intune while blocking everything else:
```powershell
# PowerShell - create a base WDAC policy allowing only Intune-deployed apps
# Scan Program Files and allow what is found there at Publisher (signing certificate) level
New-CIPolicy -ScanPath "C:\Program Files" -Level Publisher -FilePath "C:\WDACPolicy.xml"
# Option 13 = Enabled:Managed Installer - files installed by the Intune Management
# Extension (the managed installer) are allowed even if no explicit rule covers them
Set-RuleOption -FilePath "C:\WDACPolicy.xml" -Option 13
# Note: New-CIPolicy leaves option 3 (Enabled:Audit Mode) set, so this policy only
# logs blocks (Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational) until
# you remove that option; keep it in audit mode until the log is clean
ConvertFrom-CIPolicy -XmlFilePath "C:\WDACPolicy.xml" -BinaryFilePath "C:\WDACPolicy.bin"
```
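The following is an added example, not part of the original guide, that extends the base policy above with an explicit publisher deny rule (the "block a specific vendor" case from the FAQ) and moves it from audit to enforcement. It assumes the ConfigCI cmdlets (Windows 10 1903 or later), that the base policy already exists as created above, and that a local copy of a signed binary from the vendor to block is available; all file paths and the policy name are placeholders.

```powershell
# Added example (not from the original guide). Assumptions: ConfigCI module present,
# C:\WDACPolicy.xml created by the New-CIPolicy step above, and a signed sample
# binary from the vendor to block. Paths and names are placeholders.
$BasePolicy   = "C:\WDACPolicy.xml"
$SampleBinary = "C:\Temp\blocked-app\app.exe"   # placeholder: signed binary from the vendor to block
$MergedPolicy = "C:\WDACPolicy-deny.xml"
$BinaryPolicy = "C:\WDACPolicy.bin"

# 1. Derive a Publisher-level deny rule from the signer of the sample binary.
#    Publisher level ties the rule to the signing certificate chain, so every
#    version the vendor signs with that chain is covered without policy edits.
$denyRules = New-CIPolicyRule -DriverFilePath $SampleBinary -Level Publisher -Deny

# 2. Merge the deny rule into the base policy. Explicit deny rules win over allow
#    rules, including the managed-installer allow, when WDAC evaluates a file.
Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $denyRules -OutputFilePath $MergedPolicy | Out-Null

# 3. Rule options. Option 13 keeps managed installer on; option 3 (Enabled:Audit Mode)
#    is removed here, so only do this after the audit log (Event ID 3076 in
#    Microsoft-Windows-CodeIntegrity/Operational) shows no unexpected blocks.
Set-RuleOption -FilePath $MergedPolicy -Option 13
Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete

# 4. Name the policy so it is recognisable in Intune reports, then compile it.
Set-CIPolicyIdInfo -FilePath $MergedPolicy -PolicyName "Corp-Block-Unauthorised-Apps"
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryPolicy

# 5. Sanity check before uploading: confirm at least one DeniedSigner entry and
#    that audit mode is no longer present in the XML.
[xml]$xml = Get-Content $MergedPolicy
$denied = @($xml.SiPolicy.SigningScenarios.SigningScenario.ProductSigners.DeniedSigners.DeniedSigner)
$audit  = @($xml.SiPolicy.Rules.Rule | Where-Object { $_.Option -eq 'Enabled:Audit Mode' })
if ($denied.Count -eq 0) { throw "No deny rule was merged into $MergedPolicy" }
if ($audit.Count -gt 0)  { throw "$MergedPolicy is still in audit mode" }
Write-Host "Policy ready: $($denied.Count) denied signer(s), enforcement mode, binary at $BinaryPolicy"
```

Upload the resulting XML (or .bin, depending on the deployment method) through Intune and watch for Event ID 3077 on pilot devices, which records enforced blocks.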
Preventing Win32 installs via standard user accounts
The simplest control is ensuring users run as standard users rather than local admins. When a user without admin rights tries to run an installer that requires elevation, Windows prompts for admin credentials. Without them, the install fails.
Combine this with Windows LAPS, managed through Intune, to rotate the local administrator password, and you have a solid base layer before adding AppLocker or WDAC on top.
Frequently Asked Questions
Use a Device Restrictions profile in Intune. Under App Store settings, enable "Block all Microsoft Store app" to prevent Store installs, and use AppLocker or WDAC policies to block Win32 app installations for non-admin users.
AppLocker is the older solution - simpler to configure, but it requires Enterprise/Education edition. Windows Defender Application Control (WDAC) is the modern replacement - it works on all editions, is more secure (kernel-enforced), and is configurable via Intune. For new deployments, use WDAC.
Yes. With WDAC or AppLocker you can create deny rules for specific apps by publisher, file hash, or file path. Intune WDAC policies support publisher rules, which are the most maintainable - you block a specific vendor or app name without having to update the policy for every new version.
Blocking future installations does not affect apps already installed. Existing apps continue to run. WDAC enforcement only prevents new execution of blocked apps - it does not remove existing installations.