How to Block Apps with Intune

Topics: Intune

Managing app installations is a vital aspect of IT administration for any organization, helping to improve security and ensure compliance with internal policies.  

Why Block Apps with Intune? 

With recent legislative actions, such as the US House of Representatives and the President moving toward a potential ban of TikTok, compliance with new regulations may become mandatory for many US organizations. This guide will walk you through the steps to block specific apps, such as TikTok, within the Microsoft Store using Microsoft Intune by leveraging the AppLocker functionality in Windows. 

Blocking specific apps is important for several reasons: 

  • Security Considerations: Preventing installations of apps that could pose security risks. 
  • Enhancing Productivity: Limiting access to apps that might distract employees. 
  • Compliance and Regulatory Requirements: Ensuring only approved apps are used in regulated environment 

Step-by-Step Guide to Blocking Apps with Intune 

Section 1: Creating an AppLocker Policy in Windows 

  • On your test machine, visit the Microsoft Store and install “TikTok.” 
  • Go to the Start Menu, type “Local Security Policy,” right-click on it, and run as Administrator. 
  • Navigate to Application Control Policies > AppLocker > Package App Rules. 
Block Apps with Intune - local security policy
  • Right click on “Package App Rules” and select “Create New Rule.” Hit “Next” in the dialog box. 
  • Select “Deny” as the action and hit “Next.” 
Block Apps with Intune - permissions - deny
  • Keep the default option selected. Click the “Select” button, choose “TikTok” from the list, and press “OK.” 
Create packaged app rules

Block Apps with Intune - select TikTok
  • Once “TikTok” is selected, adjust the slider from “Package Version” to “Package Name” to specify that the policy should block all versions of TikTok. 
Package version - Package name
  • Click “Next” several times, name your policy, provide a description, and then click “Create” to finalize your “Block” Policy. 
  • Right click on “Package App Rules” again and select “Create Default Rules” to ensure that the policy does not block any unintended applications. 
Block Apps with Intune - deny everyone

Completing the AppLocker Configuration 

  • Now that rules are created, Right click on “Applocker” on left blade and select “Properties.”  
  • Check “Configured” under Packaged App Rules, select “Enforce Rules,” and hit OK. 
Block Apps with Intune - AppLocker properties

Exporting the AppLocker Policy 

  • Right click on “AppLocker” on the left blade again and select “Export Policy.” Save the XML file to your desktop. We will need this file later in the Intune section. 
  • Open the XML file. You will notice that the rule configuration starts with <RuleCollection> and ends with </RuleCollection>. Copy this highlighted text within your XML file to your clipboard. 
XML copy paste

Section 2: Implementing the Block Policy in Intune

  • Login to  
  • Navigate to Devices > Configuration Profiles
  • Click on Create Profile and choose New Policy. Select Windows 10 and later for platform. 
  • Profile type should be Templates with Custom as the Template name. Hit create. 
Block Apps with Intune - Intune - create policy
  • Give your policy a name and description that reflects its purpose, e.g., “Block Tiktok,” and Hit Next. 
  • Under “Configuration settings”, click on “Add” next to OMA-URI settings. 
  • Name the setting, provide a description, select “String” as the “Data Type,” and paste the content from the XML file into the “Value” section. 
  • For “OMA-URI,” use the following string: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/StoreApps/Policy 
Block Apps with Intune - OMA-URI
For more information on Applocker CSPs, refer to this article AppLocker CSP – Windows Client Management | Microsoft Learn 
  • Click “Save” and continue to assign the Intune group where you want to apply this profile. Follow the prompts to finish creating the profile. 

Section 3: Monitor and Manage App Blocking with Intune

After deploying the policy, monitor its impact through the View reports button. Once the policy is successfully applied on devices, TikTok will be blocked on the Microsoft Store. 

Block Apps with Intune - view reports

app blocked succesfully

Appendix: Extending App Blocking to Other File Types 

Just like blocking Microsoft Store apps, we can also block unapproved exe, msi, and script files using AppLocker and Intune. The process remains largely the same, with only two changes required: 

  • In Section 1, steps 5 and 10, instead of clicking on “Packaged app rules,” we will right click on Executable rules (for exe) and Windows Installer Rules (for msi). 
  • The OMA-URI will also change as mentioned below. 
    • For exe files: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/EXE/Policy 
    • For msi: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apps/MSI/Policy 

Conclusion: Enhancing Security and Compliance with Intune

By utilizing Microsoft Intune and AppLocker, organizations can effectively block unauthorized apps, enhancing security and ensuring compliance. This guide demonstrates a straightforward method to manage applications and maintain control over your IT environment. As you adapt and refine your endpoint management strategies, Intune’s capabilities support a secure, productive, and compliant workplace. Continuous monitoring and updating of these policies are essential to address the evolving challenges that inevitably arise.  

Check out additional Intune content here.

            Back to Top