How to block domain users from installing any apps

Zeeshan Ahmed 0 Reputation points
2025-06-18T18:37:03.7166667+00:00

Hello Team,

We have received a request from the client to ensure that no applications (including .msi or .exe files) can be installed on PCs unless the user has domain administrator credentials. This measure is intended to mitigate the risk of potential security breaches.

So far, I have attempted the following approaches:

AppLocker – Did not produce the desired results.

Software Restriction Policies (SRP) – Partially effective, but still allows some installations.

Despite these efforts, browsers like Chrome, Mozilla, Opera, and Brave can still be installed without domain admin credentials. In some cases, even when prompted for admin credentials, clicking “Cancel” still allows the installation to proceed.

Additionally, while testing different combinations, system applications such as Cortana, Mail, Calculator, and even Display settings were unintentionally blocked.

Here are the SRP paths I attempted (which had limited success):

C:\Windows\Temp\*.exe  
C:\Windows\Temp\*\*.exe  
%USERPROFILE%\AppData\Local\*.exe  
%USERPROFILE%\AppData\Local\*\*.exe  
%USERPROFILE%\AppData\Roaming\*.exe  
%USERPROFILE%\AppData\Roaming\*\*.exe  
C:\Users\lantek.READINGHA\Downloads\*.exe

While these rules block several executables, applications like Microsoft Teams fail to install even when using domain credentials.

I’m seeking guidance to implement a reliable solution where domain users are completely restricted from installing any applications unless they have domain administrator rights.

Appreciate your assistance on this.

Best regards, Zeeshan


1 answer

  1. Chen Tran 955 Reputation points Independent Advisor
    2025-06-20T05:27:36.36+00:00

    Hello Zeeshan,

    Thank you for posting question on Microsoft Windows forum!

    Based on your query about implementing a reliable solution where domain users are completely restricted from installing any applications unless they have domain administrator rights: the core issue is probably that browsers install per-user without requiring admin rights, bypassing traditional blocks. To achieve that goal, use a GPO approach that locks down all installs, MSI or EXE, so that only users in the Domain Admins (or any other explicitly allowed) group can perform them. You can try the following steps to see if it works as expected.

    1. Disable per-user MSIs via Windows Installer policy:

    • In your GPO, go to Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Installer
    • Enable “Disable Windows Installer” and set it to Always (value 2). This prevents any MSI-based install unless you’re elevated as an admin.
    • Also enable “Prohibit User Installs” (sometimes called “DisableUserInstalls”). This blocks the “per-user” branch of the Windows Installer entirely.

    2. Lock down UAC so standard users can’t “Cancel” their way around a prompt:

    • In the same GPO under Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
    • Set “User Account Control: Behavior of the elevation prompt for standard users” to Automatically deny elevation requests.
    • This means if a non-admin hits “Cancel,” the install will immediately fail instead of falling back to a per-user workaround.

    3. Block all other EXEs/MSIs with AppLocker (optional):

    • Computer Configuration → Policies → Windows Settings → Security Settings → Application Control Policies → AppLocker
    • Start the Application Identity service on clients (GPO under Computer Configuration → Policies → Windows Settings → System Services)
    • Right-click Executable Rules → Create Default Rules (allows %ProgramFiles% & %Windows%)
    • Then under Executable Rules → Create New Rule:
      • Action: Deny
      • User or Group: Everyone
      • File Hash or Path: %USERPROFILE%\* and %TEMP%\* (and your download folders)
    • Repeat for Windows Installer Rules (MSI/MSP) and Script Rules if needed.

    4. Scope any “Allow” rules to your Admin group only:

    • If you need to let domain admins install from a network share, add a single Allow rule scoped to the Domain Admins group pointing at that UNC path.
    • Everyone else will get blocked by the default-deny AppLocker rule.

    Hope the above information is helpful!
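The four controls in the answer above can be verified on a client after `gpupdate` with the following PowerShell audit. This is an added example and is not part of the thread or of Microsoft's documentation. It assumes that the listed GPO settings write the registry values named below (`DisableMSI` = 2, `DisableUserInstalls` = 1, `ConsentPromptBehaviorUser` = 0), that the built-in AppLocker module is available, and that it runs in an elevated session; the probe file name `applocker-probe.exe` is a constructed value.

```powershell
# Added example (not from the thread): audit a client against the four controls in
# the answer and report which are not yet in place.
# Assumptions: elevated session on a client that has applied the GPO; the registry
# values below are the ones the named policies write; AppLocker module is present.

$checks = @(
    @{ Name     = 'Disable Windows Installer = Always'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Value    = 'DisableMSI'; Expected = 2 },
    @{ Name     = 'Prohibit User Installs'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
       Value    = 'DisableUserInstalls'; Expected = 1 },
    @{ Name     = 'UAC: automatically deny elevation for standard users'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value    = 'ConsentPromptBehaviorUser'; Expected = 0 }
)

function Test-RegistryControl {
    param([hashtable]$Check)
    # A missing value means the policy has not been applied; treat it as a failure.
    $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    [pscustomobject]@{
        Control  = $Check.Name
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Pass     = ($actual -eq $Check.Expected)
    }
}

$results = @(foreach ($c in $checks) { Test-RegistryControl -Check $c })

# Step 3: AppLocker rules are only enforced while the Application Identity service
# (AppIDSvc) is running; on client SKUs it is stopped unless a GPO starts it.
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control  = 'Application Identity service (AppIDSvc) running'
    Expected = 'Running'
    Actual   = if ($appId) { $appId.Status } else { '(service not found)' }
    Pass     = [bool]($appId -and $appId.Status -eq 'Running')
}

# Would the effective AppLocker policy deny an EXE launched from %TEMP% by a
# standard user? Test-AppLockerPolicy needs a real file, so a copy of cmd.exe is
# placed there as the probe (constructed file name) and removed afterwards.
$probe = Join-Path $env:TEMP 'applocker-probe.exe'
Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $probe -Force
try {
    $policy   = Get-AppLockerPolicy -Effective
    $decision = Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User Everyone
    $results += [pscustomobject]@{
        Control  = 'AppLocker denies EXE run from %TEMP% for Everyone'
        Expected = 'Denied'
        Actual   = "$($decision.PolicyDecision) ($($decision.MatchingRule))"
        # DeniedByDefault covers an enforced policy with no matching allow rule.
        Pass     = ($decision.PolicyDecision -in 'Denied', 'DeniedByDefault')
    }
} finally {
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
}

$results | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or RMM flag non-compliant machines.
if ($results | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

The AppLocker check evaluates the policy only; the rule is enforced on the endpoint just when that check passes and AppIDSvc is also running. The first two registry checks cover MSI-based installers, while the AppLocker check is what catches EXE-based per-user installers (the browser case from the question), so all four rows need to pass before the lockdown can be considered complete.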
