Would love to see full Application Control with the option for a Change/Modify time window that can be added by policy.
What this would do is, when enabled, block any newly introduced application from running on the system that has this policy feature enabled. Only applications that are currently on the system/device would be allowed to run, and any other attempts to run new or modify existing applications would be denied and an alert sent to admins.
The change/modify would be a separate option after enabling the above to temporarily allow you to modify or change system settings, install patches, etc.
Nerds On Site