I have laptop users who were made local admins to their devices.
I now need to prevent them from installing non approved applications.
The options as I see it is to remove then from the local administrators group but I am not sure if VSA can do this.
The other option is to build up an Application Blacklist via Agent>Protection>Application Blocker OR create a white-list instead but I cannot see this option. Does this exist?
By the way, can non Admins still install apps from the Microsoft Store in any case? Might to block this via Group Policy if that is the case.
Any advice would be appreciated.
A simple procedure, run as SYSTEM, with the following:
NET LOCALGROUP ADMINISTRATORS <userid> /DELETE
You can get the userid and insert it as an argument.
Removing the user from administrators group is probably best as most users have no need to always run as an admin level user.
The only issue I have found is that non local admins cannot install printers unless the driver is already known to Windows.
Looking at all the options, this does seem to be the most simplified.
Many thanks for the syntax tip.