If you want to stop users from installing their own software on managed Windows devices, you can use an Intune policy to remove the “Add New Programs” button from the Add or Remove Programs section in Control Panel. This prevents users from accessing or installing software that hasn’t been approved by IT, helping keep systems more secure and consistent across your organization.
What this policy does
When the “Remove Add New Programs page” policy is enabled, it hides the Add New Programs option from users in the Control Panel. Normally, users can use this page to view and install programs that have been published or assigned to them by the administrator through Group Policy or other software deployment tools.
With this policy applied:
- Users can’t view or install software published by administrators through legacy software deployment.
- The Add New Programs option disappears from the Add or Remove Programs window.
- Only IT-approved or Intune-deployed applications can be installed on the device.
- It helps reduce unnecessary software installations that might cause compatibility or performance issues.
If you leave the policy Not Configured or Disabled, users can still access the published programs page and may install assigned applications.
Why use this policy
Organizations use this policy mainly to control software installations and maintain a secure and standardized environment. Some benefits include:
- Prevents unauthorized software: Stops users from installing tools, games, or apps that aren’t approved by IT.
- Reduces malware risks: Many users unintentionally install malicious or unnecessary software. Restricting installations minimizes exposure.
- Ensures compliance: Helps maintain compliance with your organization’s IT security standards or industry regulations.
- Simplifies device management: Keeps systems lean and reduces the workload on IT teams by preventing cluttered software environments.
- Improves performance: Fewer unapproved programs mean fewer background processes, resulting in better device stability and performance.
This is particularly important for shared or multi-user environments where users might otherwise install software that affects other profiles.
How to configure the policy in Microsoft Intune
You can set this up easily in the Intune Admin Center. Here’s the full step-by-step process:
- Sign in to the Intune Admin Center.
- Go to Devices > Windows > Configuration > Create > New Policy.
- For Platform, select Windows 10 and later.
- Under Profile type, choose Settings catalog.
- Click Create and enter a descriptive name like “Hide Add New Programs page (Security Control)”. Optionally, add a description for documentation.
- Click Next, then under Configuration Settings, select Add Settings.
- In the settings catalog, expand Administrative Templates > Control Panel > Add or Remove Programs.
- Find and select Remove Add New Programs page.
- Set the configuration to Enabled.
- Click Next. You can skip scope tags unless you’re using them for role-based targeting.
- Under Assignments, choose the user or device groups you want this policy to apply to (for example, All Corporate Laptops or Sales Team Devices).
- Click Next, review the summary, and select Create to deploy the policy.
Verification and monitoring
After deployment, you can confirm that the policy is applied using the following methods:
In Intune Admin Center
- Go to Devices > Configuration profiles.
- Select the policy you created.
- Open the Device status or User status tabs to see which endpoints have received and successfully applied the policy.
On the device
- Open Control Panel > Add or Remove Programs.
- The Add New Programs option should no longer appear.
- If you want to verify policy delivery logs, open Event Viewer and navigate to:
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > AdminLook for entries that confirm successful policy application.
Using PowerShell
Run the following command to check the applied configuration locally:
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall"
You should see a registry key named NoAddNewProgramsPage with a value of 1, which indicates that the feature is hidden.
How to remove or edit the policy
If you ever need to reverse this change or update it:
- In the Intune Admin Center, go to Devices > Configuration profiles.
- Find your Hide Add New Programs page policy.
- You can either:
- Edit the policy and set the option back to Not Configured, or
- Delete the profile entirely.
- Once updated, Intune will sync changes with managed devices automatically during the next check-in cycle.
Additional considerations
- This policy is part of legacy Control Panel restrictions and doesn’t affect modern app installations through the Microsoft Store or Intune Company Portal.
- For stronger software control, combine this policy with AppLocker, Endpoint Privilege Management (EPM), or Application Control (WDAC) policies.
- Consider applying it alongside User Account Control (UAC) settings to further limit installation privileges.
Summary
By enabling the Remove Add New Programs page policy through Intune, you:
- Block users from installing unauthorized software.
- Simplify system management.
- Improve endpoint security and compliance.
- Maintain a consistent application baseline across all devices.
This setting is a simple but effective step in building a secure and well-managed Windows environment, especially for organizations that rely on Microsoft Intune for device management and policy enforcement.
