How can we prevent employees from downloading unauthorized applications on company laptops while allowing a selected group of employees to do so?

Anonymous
2025-02-05T11:16:52.9833333+00:00

I can see that we can do it in the following way:

  • Deploy the policy via Intune
    I went to Intune / Endpoint security / Account protection and created a policy:

    Name: Windows LAPS Policy
    Description: No description
    Platform: Windows

    Assignments
    Included groups: groupname
    Excluded groups: No excluded groups

    Configuration settings (LAPS)
    Backup Directory: Backup the password to Azure AD only
    Password Age Days: 7
    Administrator Account Name: Built-in Administrator
    Password Complexity: Large letters + small letters + numbers + special characters
    Password Length: 8
    Post Authentication Actions: Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated.
    Post Authentication Reset Delay: 24

After I wrote the policy in LAPS, I can see it reported as successful when viewing the report, but it didn't work. When I tried to download the Brave app, it downloaded without being blocked. Also, when I tried to check the deployment, I couldn't see the local admin password.

Also, I found old versions of the guide. Can you provide me with a better, easier and safer solution for doing this, along with updated guidelines?

Thanks!

Microsoft Security | Intune | Other

1 answer

  1. Crystal-MSFT 54,306 Reputation points Microsoft External Staff
    2025-02-06T01:33:10.9666667+00:00

    @Anjeela Sthapit, Thanks for posting in Q&A. If the users already have local admin rights, they can install applications by default. I suggest removing the users from local administrators and only keeping the users you want in the local Administrators group via the Local user group membership policy.

    https://techcommunity.microsoft.com/blog/intunecustomersuccess/new-settings-available-to-configure-local-user-group-membership-in-endpoint-secu/3093207

    To let standard users install some applications that require elevated privileges, EPM is an option.

    https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview

    To help prevent undesired apps from running on your managed Windows devices, you can use Microsoft Intune App Control for Business policies. Here is a link with more details:

    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-app-control-policy

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
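    The following PowerShell script is an added example, not code from this thread or from Microsoft. It checks, on a single managed Windows device, the two things the answer and the question turn on: whether the local Administrators group still contains members beyond an allow-list (LAPS rotates the built-in administrator password but does not remove other users' admin rights, which is why the Brave download was not blocked), and whether Windows LAPS has actually written anything to its operational event log (a first place to look when no password shows up in the portal). The allow-list entries are constructed placeholders; replace them with your own account names or SIDs. Run it in an elevated PowerShell session on the device.

```powershell
# Added example (not from the thread): audit one managed Windows device for
# unexpected local admins and for recent Windows LAPS activity.

# Constructed allow-list of principals permitted in local Administrators.
# Both entries are placeholders; replace with your own names or SIDs.
$AllowedAdmins = @(
    'Administrator',                    # built-in account whose password LAPS manages
    'AzureAD\itadmin@contoso.example'   # placeholder Entra ID user kept as admin
)

function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed = $AllowedAdmins)
    # Get-LocalGroupMember lists local, domain and Entra ID principals in the group.
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $name = $_.Name
        # Local accounts come back as COMPUTER\Name; compare on the short name too.
        $short = $name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
        ($Allowed -notcontains $name) -and ($Allowed -notcontains $short)
    }
}

function Get-RecentLapsEvents {
    param([int]$Count = 20)
    # Windows LAPS logs policy processing and password backup results here.
    # An empty or unreadable log suggests the policy never reached the device.
    try {
        Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' -MaxEvents $Count -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    } catch {
        Write-Warning "LAPS operational log not readable: $($_.Exception.Message)"
    }
}

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Host 'Members of local Administrators NOT on the allow-list (these users can install software):'
    $unexpected | Format-Table Name, PrincipalSource, ObjectClass -AutoSize
} else {
    Write-Host 'Local Administrators group contains only allow-listed members.'
}

Write-Host "`nRecent Windows LAPS events:"
Get-RecentLapsEvents | Format-Table -AutoSize -Wrap
```

    If the first section lists the everyday user account, the LAPS policy is working as designed but is not the control that limits software installation; the Local user group membership policy from the answer is what removes that membership, and the script can be re-run afterwards to confirm the group now matches the allow-list.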
