How to configure HIPS/Endpoint Security for preventing software installation only without other filtering options? But also to have the option to alolow end users to overcome this block.
To achieve this goal you would have to have the application control/Hips control option enabled under the application control part of EPS.:
Once enabled add a rule under 'Fle protection rules', see below:
To not allow the creation of folders etc under the %programfiles% or %programfiles(x86) folders. In a sense creating a rule that will block normal installations from installing.
Then the end users can then override this with the password idea you had above within the ui here: