Hi,
You could check out Microsoft Defender Application Control; this will block all apps except Store apps.
Intune's built-in WDAC support enables you to deploy a policy which only allows Windows components and Microsoft Store apps to run.
Please kindly refer to:
Deploy Windows Defender Application Control policies by using Microsoft Intune
Also: Use attack surface reduction rules to prevent malware infection
Best regards.