NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT

3.4.9 Control and Monitor User-Installed Software

Control and monitor user-installed software.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

Users should not be able to install whatever they want on company systems. Uncontrolled software installs bring in security risks — unlicensed tools, vulnerable applications, even malware disguised as legitimate programs.

You need a policy that governs what users can install, plus technical controls to enforce it.

Example 1: In Microsoft Intune, go to Devices > Configuration Profiles and create a Device Restrictions profile. Under General > Block the installation of apps from unknown sources, set it to block. For Windows, also configure SmartScreen to warn or block unrecognized apps via Endpoint Security > Attack Surface Reduction.

Example 2: Remove local administrator rights from standard user accounts via Group Policy. Navigate to Computer Configuration > Windows Settings > Security Settings > Restricted Groups and ensure only IT-approved accounts are members of the local Administrators group. Without admin rights, users cannot install most software on their own, and any legitimate requests route through your IT helpdesk with proper approval.
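The "monitor" half of this requirement needs a recurring check alongside the Intune and Group Policy controls above. The script below is an added example, not content from the NIST/CMMC page: it lists installed software (machine-wide and the current user's per-user installs, which need no admin rights) against an approved-software baseline and flags any member of the local Administrators group that is not on the approved list. The baseline path and the approved admin accounts are placeholders you would replace.

```powershell
# Added example: audit one Windows host for unapproved software and unapproved local admins.
# Placeholders (assumptions): the baseline file path and the approved-admin list.
$BaselinePath   = 'C:\ProgramData\IT\approved-software.txt'   # one DisplayName per line
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Workstation Admins')

# Uninstall keys cover 64-bit, 32-bit and per-user (HKCU) installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledSoftware {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                # HKCU entries are the per-user installs users can do without admin rights.
                Scope       = if ($_.PSDrive.Name -eq 'HKCU') { 'PerUser' } else { 'Machine' }
            }
        }
}

function Find-UnapprovedSoftware {
    # Baseline is a plain text list of DisplayName values; comparison is case-insensitive.
    $approved = Get-Content -Path $BaselinePath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    Get-InstalledSoftware | Where-Object { $approved -notcontains $_.DisplayName }
}

function Find-UnapprovedAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$softwareFindings = @(Find-UnapprovedSoftware)
$adminFindings    = @(Find-UnapprovedAdmins)

"Unapproved software on $env:COMPUTERNAME: $($softwareFindings.Count)"
$softwareFindings | Format-Table DisplayName, Version, Publisher, Scope -AutoSize
"Unapproved local Administrators: $($adminFindings.Count)"
$adminFindings | Format-Table -AutoSize

# Exit 1 when anything is found so a scheduled task or Intune detection script can flag the host.
if ($softwareFindings.Count -gt 0 -or $adminFindings.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it elevated on a schedule and ship the output to your log collector; a new PerUser entry or an unexpected Administrators member is the event you want a ticket for.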