Allowednonadminpackagefamilynamerules Jun 2026

: You can keep most users restricted, preventing "shadow IT" or accidental malware from unverified packages.

: Allowed package family names for non-Administrator user Windows app package installation. Mobile Device Management (Intune/MDM) : allowednonadminpackagefamilynamerules

If this policy is disabled or not configured, the system defaults to the standard user account control (UAC) behavior. In this state, any attempt by a non-admin user to install a packaged app that requires administrative rights or modifies protected system directories will be blocked, or the user will be prompted for administrator credentials. Consequently, AllowedNonAdminPackageFamilyNameRules serves as a critical tool for balancing endpoint security with user productivity, allowing IT departments to curate a flexible software environment where essential applications are easily accessible without compromising the integrity of the operating system. : You can keep most users restricted, preventing

: Even if a name is whitelisted here, the installation can still be caught and blocked by other security layers like AppLocker if they are configured to deny that specific publisher. ApplicationManagement Policy CSP - Microsoft Learn In this state, any attempt by a non-admin

The AllowedNonAdminPackageFamilyNameRules policy setting controls which packaged apps can be installed by non-administrator users on a managed device. By default, standard users are often restricted from installing software that requires elevated privileges or affects system-wide settings. This specific policy provides a mechanism for administrators to delegate installation rights for specific, approved applications without granting the user full local administrative access.