Problem Installing Software

Question

A user at my company has temporary Local Device Admin, but it being blocked from installing software on his laptop with the following message. "This app has been blocked by your system administrator." I checked and we have no App Protection policies and this is a new issue. Until recently local device admin allowed users to install software.

Answer 1

Hi Levi Folk,

How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

VP

Answer 2

Dear Levi Folk,

Having Local Administrator privileges allows a user to modify system files, but it does not bypass system-wide execution controls or application deployment policies. When Windows displays the specific message that an app was blocked by the system administrator, it indicates that an execution policy like AppLocker, Windows Defender Application Control, or a packaged app restriction is enforcing a hard block at the system level. This effectively overrides the user's local administrative token. You should first determine if the user is trying to install a modern packaged app or a traditional executable.

For modern MSIX or AppX packages, installation is governed by deployment policies rather than standard file permissions. You can investigate this by checking the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx. Ensure the AllowAllTrustedApps value is set to 1. If this registry value is restricted, it prevents these installations for everyone in the environment, regardless of their local privileges.

If the user is installing traditional executables, Application Control policies like AppLocker or Windows Defender Application Control are the most likely culprits. AppLocker will actively deny the execution of unrecognized installers and throw this exact error message. You can verify this by checking the Event Viewer under Applications and Services Logs, Microsoft, Windows, AppLocker, and reviewing the EXE and DLL or MSI and Script logs for event ID 8004, which indicates an execution block. Even if you have not explicitly configured this globally, a local policy or a newly applied endpoint security baseline might have activated default rules under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SrpV2.

It is also worth reviewing your environment's User Account Control configurations. Aggressive elevation restrictions, such as silently denying elevation requests for administrators, can manifest as a hard block during software installations. You can check the ConsentPromptBehaviorAdmin registry DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to ensure it is not set to zero, which denies elevation requests without prompting. Auditing these execution and deployment policies will help you identify the conflict and restore the user's ability to install software.

Hope this answer brought you some useful information. If it did, please hit "accept answer". Should you have any questions, feel free to leave a comment.

VP

Answer 3

The message “This app has been blocked by your system administrator” when installing or starting apps is typically caused by application control or MSIX/app installation policies, not by local admin rights alone.

In this scenario, even though the user is a local administrator, one of the following is likely true:

1. AppLocker or similar application control is now in effect
   • When an AppLocker policy is applied, Microsoft Store apps and other executables can be blocked regardless of local admin rights.
   • By design, if AppLocker rules are configured but do not explicitly allow a given app, it will be blocked and the user sees “This app has been blocked by your system administrator.”
   • Resolution (for a domain admin):
     • Edit the AppLocker policy on a Windows Server 2012+ domain controller or on a Windows 8+ admin workstation with RSAT installed.
     • Either:
       1. Create default rules that allow all Microsoft Store apps, or
       2. Create explicit allow rules for the specific apps that must be installed/run.
2. Group Policy / registry-based MSIX or app deployment restrictions
   Even if AppLocker is not configured, Group Policy can block packaged app (MSIX) installs, including Store-signed apps such as new Outlook or new Teams. Policies are enforced via registry keys such as:
   • BlockNonAdminUserInstall
   • AllowAllTrustedApps
   • AllowDevelopmentWithoutDevLicense
   These keys may have recently been set or changed by:
   • A new or updated GPO under Computer Configuration > Administrative Templates > Windows Components > App package Deployment.
   • A security hardening or endpoint management tool.
   For MSIX / Store-style apps, if AllowAllTrustedApps is disabled, installation of trusted apps (like new Outlook or new Teams) fails even for admins. Recommended checks for the affected device:
   1. Open Local Group Policy Editor (gpedit.msc).
   2. Navigate to:
      Computer Configuration > Administrative Templates > Windows Components > App package Deployment.
   3. Verify these policies:
      • Prevent non-admin users from installing packaged Windows apps
        • Should be Not configured (or configured so it does not block admins, depending on your standard).
      • Allow all trusted apps to install
        • Should be Not configured or Enabled. If it is Disabled, trusted MSIX installs will fail.
   4. If your environment uses central GPOs, confirm these settings in the domain GPOs linked to the user’s OU or device OU, not just locally.
3. Registry-level enforcement of those policies
   If GPO is managed centrally, the effective settings are reflected in the registry:
   • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
   • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
   If AllowAllTrustedApps is disabled in these locations, MSIX installs (for example, new Outlook or new Teams) will be blocked. Recent Windows cumulative updates (KB5031455 and later) address a specific issue where disabling AllowAllTrustedApps caused failures, but if the policy is intentionally disabled, the block remains by design.
4. Confirm no security software or PowerShell restrictions are blocking the installer
   For Microsoft 365 app installs, a different but related symptom is:
   • “Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.” This is caused by:
   • PowerShell.exe being blocked by policy or security software.
   If the blocked installer uses PowerShell under the hood (common for Microsoft 365 and some enterprise deployments), temporarily allowing PowerShell.exe (as an admin) during installation may be required.

Summary of actions for the admin:

1. Check for and adjust any AppLocker policies that might be blocking the installer or Store apps; add allow rules where appropriate.
2. Review App package Deployment GPO settings, especially Allow all trusted apps to install and Prevent non-admin users from installing packaged Windows apps, and ensure they are not configured in a way that blocks installs for local admins.
3. Verify the effective registry values for BlockNonAdminUserInstall, AllowAllTrustedApps, and AllowDevelopmentWithoutDevLicense under the documented keys.
4. If the blocked app is a Microsoft 365 or MSIX-based app, ensure PowerShell.exe and MSIX installs are not being blocked by security tools.

Once the relevant AppLocker or MSIX-related policies are corrected, local device admins will again be able to install software as before.

---

References:

• Error when you start Microsoft Store apps: This app has been blocked by your system administrator
• Resolve installation issues in the new Outlook for Windows
• Resolve the new Teams client installation issues
• Group Policy and packaged apps
• "Windows cannot access the specified device, path, or file" error when installing Microsoft 365 apps