
If anyone can install anything on a work laptop, you have already failed this control

Cyber Essentials asks whether you restrict what software can be installed on devices, because unrestricted installation rights are one of the most common ways malware gets a foothold.

Here's a scenario that plays out often enough to be a pattern, not a one-off: someone downloads a free PDF converter to get round a minor annoyance with a work document. It's a small, sensible-seeming decision, made without thinking twice, because their work laptop has never stopped them installing anything before. The tool does what it claims, and it also quietly installs something else alongside it, something nobody asked for and nobody would have approved if they'd been asked. Nothing about this required a sophisticated attack. It just required a laptop where installing software was never restricted in the first place.

Cyber Essentials asks this directly under CE4 Malware Protection: do you restrict what software can be installed on your devices? It's the last of the four self-assessment questions in this control, and in a lot of small businesses it's the one most obviously not in place, because restricting installation rights has never felt urgent enough to set up.

Why unrestricted installation is a bigger risk than it looks

When any user on any device can install anything, every download decision made by every member of staff becomes a potential entry point for malware. Most people aren't being careless when this happens. They're trying to get something done, and a tool that promises to solve a small problem looks harmless enough to install without a second thought, especially when nothing on the device has ever suggested that decision needs scrutiny.

Restricting installation rights doesn't assume staff are reckless. It assumes that given enough people, enough time, and enough small everyday decisions, something will eventually slip through, and that the cost of preventing that is far lower than the cost of cleaning up after it happens.

How this connects to admin account separation

This control sits close to the question of whether administrator accounts are kept separate from standard accounts, since installing new software typically requires elevated permissions in the first place. If every user account already has administrator-level access for convenience, restricting software installation becomes far harder to enforce, because the technical permission to install things freely is already sitting there waiting to be used.

Getting this right usually means addressing both at once: standard accounts that genuinely can't install software without approval, and a clear, separate process for the cases where new software is legitimately needed.

What a working restriction policy actually looks like

The goal isn't zero flexibility. It's a deliberate process instead of an open door. Most businesses land somewhere practical: standard user accounts don't have local admin rights, so installation requires either IT approval or a request through a managed software catalogue where approved tools can be installed without needing full admin access each time.

Most business device management platforms, including Microsoft Intune and similar tools, support this kind of restriction natively, allowing IT to maintain an approved software list while still giving staff a straightforward way to request something new when there's a genuine need. The point isn't to slow people down for the sake of it. It's to make sure every piece of software running on a company device went through some form of deliberate decision, rather than being whichever download looked convenient at the time.

Frequently asked questions

Does this mean staff have to ask permission for every single app they want? Not necessarily for everything; many businesses maintain a pre-approved list of common tools that can be installed without individual approval, reserving the request process for anything outside that list.

What about software needed for a specific, one-off task? A lightweight approval process, even a quick message to whoever manages IT, is usually enough; the goal is a deliberate decision being made, not a lengthy bureaucratic process for every request.

Does this restriction apply to personal devices used for work too? If a personal device accesses company data or systems under a bring-your-own-device arrangement, the same principle should extend to it, though enforcement mechanisms will differ from company-owned equipment.

How do we restrict this without IT support or a dedicated device management platform? Even a manual approach works for very small teams: removing local admin rights from standard accounts and having one person retain admin access to install anything new covers the core principle without specialist tools.

Will this slow down legitimate work if someone needs a tool urgently? A well-run approval process should be quick, often same-day, and the small amount of friction is the entire point: it gives someone the chance to catch a problem before it becomes one.
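
For the manual approach described above, where one person retains admin access, it helps to check each Windows device for accounts that still hold local admin rights. The following is an added example, not part of the original post: the function name `Get-UnapprovedLocalAdmin` and the account name `it-admin` are hypothetical and should be replaced with your own.

```powershell
# Added example: list members of the local Administrators group that are not
# on an approved list. Run in an elevated PowerShell session on the device.

function Get-UnapprovedLocalAdmin {
    param(
        # Accounts allowed to keep admin rights (hypothetical name; use your own).
        [string[]]$ApprovedAdmins = @('it-admin')
    )

    try {
        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group, so the lookup works whatever the Windows display language is.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        # If the cmdlet cannot enumerate the group, review membership by hand
        # with: net localgroup Administrators
        throw "Could not read the Administrators group: $($_.Exception.Message)"
    }

    foreach ($m in $members) {
        # Name looks like COMPUTER\user or DOMAIN\user; compare the last part.
        $account = ($m.Name -split '\\')[-1]

        # -notin is case-insensitive, matching how Windows treats account names.
        if ($account -notin $ApprovedAdmins) {
            [pscustomobject]@{
                Account = $m.Name
                Type    = $m.ObjectClass      # User or Group
                Source  = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

# Every row returned is an account or group that can install software freely.
# The built-in Administrator account is reported too unless it is on the list.
$findings = Get-UnapprovedLocalAdmin -ApprovedAdmins 'it-admin'
if ($findings) {
    $findings | Format-Table -AutoSize
}
else {
    'Only approved accounts hold local admin rights on this device.'
}
```

An empty result means standard accounts on that device cannot install software without going through whoever holds the approved admin account.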

Run a free scan of your domain and your CE Readiness checklist will walk through this and the rest of CE4 Malware Protection, ready before your assessor asks: olimpio.io/free-scan
