The recommended approach here is to install the apps as managed through the company portal. On enterprise devices, you should not allow users to download and install anything that can potentially cause issues. If you do want the users to install something or carry out tasks with elevated permissions, then you have two options: LAPS and EPM.
How to apply a policy in such a way that the user can download and execute any folder but not change anything in the system
We’ve deployed six laptops using Microsoft Intune Autopilot, following the steps provided by our vendor (Acloud). The initial goal was to ensure users could operate the devices without the ability to make system-level changes — such as modifying account types, installing unauthorized software, or adding new users.
However, after applying the current policies, we've encountered a significant issue: users are now unable to execute any downloaded applications, even legitimate ones. The devices allow downloads, but block execution, which severely limits usability.
We asked Acloud whether there's a policy that would allow users to download and run applications without giving them elevated privileges. Their response was that no such policy exists.
Instead, their suggestion was to create a local administrator account that users could temporarily log into whenever they need to install or run software — then log back out and return to their standard user account. While this technically works, it defeats the core purpose of enforcing least privilege and creates a security risk, as users would still have full administrative rights during those sessions.
Ideally, we're looking for a policy configuration that:
- Keeps users as standard users (non-admin)
- Allows them to download and run trusted applications
- Prevents system-level changes, such as account management or settings modifications
Based on our understanding, this should be achievable with a properly scoped AppLocker or Endpoint Security policy in Intune. We’d appreciate confirmation or guidance on how to implement this securely and effectively.
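One way to check the AppLocker scoping the question describes before anything is enforced, as an added example that is not part of the original thread. It builds publisher (signature-based) allow rules from a folder of vetted binaries and dry-runs them against a user's downloads. The folder and file paths are hypothetical, and the built-in AppLocker PowerShell module is assumed to be available on the test device.

```powershell
# Added example, not from the original thread. All paths are hypothetical.
$vetted    = 'C:\Staging\VettedInstallers'            # binaries IT has already reviewed
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # what a user has fetched
$policyXml = 'C:\Staging\applocker-publisher.xml'     # candidate policy, written to disk only

# 1. Collect signer details (publisher, product, file name, version) from the vetted set.
$fileInfo = Get-AppLockerFileInformation -Directory $vetted -Recurse -FileType Exe

# 2. Turn them into publisher allow rules for Everyone. The rules key on the
#    signature, not the path, so a matching file is allowed from Downloads too.
#    Unsigned files carry no publisher data and are skipped, so they get no rule.
$ruleArgs = @{
    RuleType                     = 'Publisher'
    User                         = 'Everyone'
    Optimize                     = $true
    IgnoreMissingFileInformation = $true
    Xml                          = $true
}
$fileInfo | New-AppLockerPolicy @ruleArgs | Set-Content -Path $policyXml -Encoding UTF8

# 3. Dry run: evaluate each downloaded executable against the candidate policy
#    without enforcing anything on this machine.
$results = Get-ChildItem -Path $downloads -Filter *.exe -File |
    ForEach-Object {
        Test-AppLockerPolicy -XmlPolicy $policyXml -Path $_.FullName -User Everyone
    }

# 4. Review. Anything not matched by a publisher rule shows as DeniedByDefault.
$results |
    Sort-Object PolicyDecision |
    Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize
```

The generated XML holds only the publisher rules, so the default rules for the Windows and Program Files directories and for administrators have to be merged in before the policy is deployed. AppLocker only decides what may run; keeping the accounts as standard users is what blocks account and system changes.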