Windows 10 version 1903: Prevent Software Installation by Users

Article
1/17/2024

Introduction:

Sometimes users without having much knowledge about applications start installing applications. As a result, the system soon become full of bloatware. There may be possibility of installing applications with malware. The system become slow and performance drops.

How to make changes via Group Policy:

Turn off Windows Installer:

In Start Search type Gpedit.msc and hit the Enter key.
The Local Group Policy Editor opens.
Now locate:

Computer Configurations > Administrative Templates > Windows Components > Windows Installer > Turn off Windows Installer

Double click on it and select Enabled.
Now you will find three options under Disable Windows Installer

Always
For non-managed applications only
Never

# If you opt Always "Always" option indicates that Windows Installer is disabled.

This affects Windows Installer only. But users can use other methods to install and upgrade programs.

# The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured.

#The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns.

Always install with elevated privileges:

In Start Search type Gpedit.msc and hit the Enter key
In Local Group Policy Editor locate the following:

User Configuration > Administrative Templates > Windows Components. Locate Windows Installer and configure it to Always install with elevated privileges.

To do this double click on Always install with elevated privileges.
Click Enabled
If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have been assigned to the user
If you disable or do not configure this policy setting, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.

[This policy setting appears both in the Computer Configuration and User Configuration folders. To make this policy setting effective, you must enable it in both folders.]

Prevent running specific Windows Applications :

Open Group Policy Editor.
Now locate the following:

User Configuration > Administrative Templates > System. In the right-hand side pane, look for Don’t Run Specified Windows Applications.

Click Enabled

A new option appears called List of Disallowed Applications. Click Show and a Show Contents window appears where you type in the location of the program to be blocked. Now, you’re going to add the Windows Installer Program which is called msiexec.exe and is found at: C:\WINDOWS\system32\msiexec.exe Copy and paste that into the space provided in the box and click OK. The Windows Installer should now be blocked.

Run only specified Windows applications:

User Configuration > Administrative Templates > System. In the right-hand side pane, look for Run only specified Windows applications.
Select Enabled.
If you enable this policy setting, users can only run programs that you add to the list of allowed applications.
If you disable this policy setting or do not configure it, users can run all applications.

Restrict via Registry Edit:

In Start Search type Regedit and hit the Enter key.
Accept UAC.
In Registry Editor locate the following:

HKEY_LOCAL_MACHINE\Software\Classes\Msi.Package\DefaultIcon.

Right click, select Edit and change the 0 to a 1 to disable Windows Installer.

Conclusion:

Apart from Group Policy editing or Registry tweaking there are number of third party applications are also available in the market. But when things can be done without any assistance of third party applications then better to stick to that.
This is also applicable for Windows 10 version 20H2.