When this policy is enabled, the administrator defines a list of Package Family Names (PFNs) that are exempt from the standard user installation restrictions. A Package Family Name is a unique identifier derived from the app’s package manifest, typically consisting of a name and a publisher ID. By whitelisting these specific PFNs, an organization ensures that users can install necessary line-of-business apps or approved tools directly from the Microsoft Store or sideloaded sources, streamlining the workflow while maintaining security boundaries. This granular control prevents the installation of unauthorized or potentially malicious software, as only the explicitly defined package families are permitted to run in the user context without administrative elevation.
Admins typically set these rules through two main management avenues: : allowednonadminpackagefamilynamerules
: If an app's family name is on this list, a standard user can install it even if the general block-policy is active. When this policy is enabled, the administrator defines
However, sometimes a specific app—like a critical internal business tool or a trusted utility—needs to be installed by users without granting them full administrative rights. This is where the comes in: This is where the comes in: In modern
In modern enterprise environments, "least privilege" is a standard goal. However, blocking all non-admin installs often results in increased helpdesk tickets for routine app updates. By using this policy, organizations can:
You can find the setting at the following Group Policy Search path: > Administrative Templates > Windows Components > App Package Deployment > Allowed package family names for non-Administrator user Windows app package installation . 2. Using Intune (MDM)