There are many options to accomplish this.
- Have a Software Restriction Policy (SRP) in place, and create an EPM policy that enforces it and blocks software that falls outside it. This is all the more necessary because many applications can install in the context of a standard user.
- Use messages when people launch software; link to and describe the SRP.
- Configure JIT Application requests.
Consolidation of tools: fewer applications is better; there is no reason to have 7 different PDF tools.
People have a tendency to think some software is “free”, but on going over the EULA, many license agreements change when the software is used in an enterprise environment, so any new software calls for a solid review of the software running on company-provided computers. Not doing so can be a costly affair.
Avoid leisure thick-client applications, for example Spotify, Tidal, WhatsApp, etc. They all come with a risk for no reason. Users should run these on their cell phone and/or other personal devices, and not add risk to the company environment.
Review your policy design using analytics, and pre-approve software with allow-listing, making it easier to see newly introduced software.
It is rare that I see a company reach the ultimate allow listing and be able to switch the (default) Any application rule to show an “Allow Message (Support Desk)” message again, which is the default under your Low Flexibility workstyle. But getting to that point ensures you do not have anything unknown executed, with the exception, of course, of rules misconfigured elsewhere in policy that can be misused.