Block applications on Windows devices using Intune

This series of posts is an approach to implementing Intune inside a business. So far, I have covered off:

1. Create compliance policies and update devices to be compliant

2. Implement LAPS to control the local device admin account that cannot be deleted

3. Remove all other accounts from local administrator group on devices

4. Setting the default search engine in Edge with Intune

5. Managing browser extensions in Edge with Intune

6. Setting an Edge Security Baseline with Intune

7. Setting an individual Attack Surface Reduction (ASR) rule in Intune

8. Setting Edge as the default browser using Intune

Now that we have Microsoft Edge all set up and have done as much as we can to encourage people to shift away from using other browsers, it’s now time to block any other browsing options. We can again use Intune to achieve this and, typically, it can be done using a number of different methods. Here, we’ll use what I consider the easiest method.

Once again, create a Configuration profile for Windows 10 and later using the Settings catalog as shown above.

Give the policy a suitable name and continue.

image

In the search field type ‘specified windows application’ and select Search. The only category that appears should be Administrative Templates\System, which you should select. Then in the lower pane select Don’t run specified Windows applications (User) as shown above.

image

Enable the Don’t run specified Windows applications (User) setting and then enter the names of the applications you do not wish to run. Here, we’ll block chrome.exe and brave.exe as shown above.

These settings are covered in the RestrictApps documentation in which you will note:

1. The setting applies to users not devices:

image

and

2. This policy setting only prevents users from running programs that are started by the File Explorer process. It doesn’t prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting doesn’t prevent them from starting programs in the command window even though they would be prevented from doing so using File Explorer.

3. Blocking occurs by filename only. If users can rename the file then it will execute.

As mentioned previously, this is only the simplest method to block existing applications from running. Other options are available if you want a more comprehensive blocking approach.

Finish configuring the policy remembering to assign it to a user NOT device group.

image

Once the policy has been deployed to your fleet and these machines have been rebooted, when a user tries to run an application that you have specified as blocked in the policy they will receive a message like that shown above.
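As an added example (not part of the original post), the following PowerShell script checks on a device whether the policy has landed for the signed-in user and whether the block list matches the one configured above. It assumes the Settings catalog entry writes to the same Explorer policy registry key that the equivalent Group Policy setting uses, and it must run in the user’s context because the setting is user-scoped.

```powershell
# Added example: verify that "Don't run specified Windows applications (User)"
# has applied for the signed-in user and that the block list matches Intune.
# Assumption: the Settings catalog entry writes to the standard Explorer policy
# key below, as the Group Policy version of the setting does. Run as the user,
# not as SYSTEM, because the policy is user-scoped (HKCU), not device-scoped.

$Expected  = @('chrome.exe', 'brave.exe')   # what was entered in the policy
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey   = Join-Path $PolicyKey 'DisallowRun'

function Get-DisallowRunState {
    $enabled = $false
    if (Test-Path $PolicyKey) {
        # DWORD DisallowRun = 1 turns the restriction on
        $value = (Get-ItemProperty -Path $PolicyKey -Name 'DisallowRun' `
                    -ErrorAction SilentlyContinue).DisallowRun
        $enabled = ($value -eq 1)
    }
    $blocked = @()
    if (Test-Path $ListKey) {
        $item = Get-Item -Path $ListKey
        # Each entry is a string value named "1", "2", ... whose data is the
        # bare file name. Blocking is by file name only, as the post notes.
        $blocked = $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
    }
    [pscustomobject]@{ Enabled = $enabled; Blocked = @($blocked) }
}

$state   = Get-DisallowRunState
$missing = $Expected      | Where-Object { $_ -notin $state.Blocked }
$extra   = $state.Blocked | Where-Object { $_ -notin $Expected }

"DisallowRun enabled : $($state.Enabled)"
"Blocked executables : $($state.Blocked -join ', ')"
if (-not $state.Enabled -or $missing) {
    # Usual causes: policy assigned to a device group instead of a user group,
    # or the device has not synced and rebooted since the assignment.
    Write-Warning "Policy not fully applied. Missing: $($missing -join ', ')"
}
if ($extra) { "Entries not in the expected list: $($extra -join ', ')" }
```

The script only confirms that Explorer has the list; it does not check Task Manager or command-prompt launches, which the policy does not cover.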

The good thing about this policy is that you can easily extend it to include any other applications you don’t want users to run on their Windows devices.

7 thoughts on “Block applications on Windows devices using Intune”

    1. Of course. Please read the limitations outlined. If you want to fingerprint a file to cover name changes then you need to use something like WDAC, which is a lot trickier to configure. This is simply an easy option, but if you need more security then you’ll need to look at something else as I mention.

      I will also point out that average users will not change a file name and doing so may prevent the app from working as well. So again, the option here is simply a quick and easy option that works for the majority (but not all cases).


      1. So I checked the logs and they are not showing anything from that article in those spots.

        Does it matter that we are using the restricted apps setting?

