3.4.9 Control and monitor user-installed software.

Users can install software in organizational systems if provided the necessary privileges. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation through policies. Permitted software installations include updates and security patches to existing software and applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. The policies organizations select governing user-installed software may be organization-developed or provided by some external entity. Policy enforcement methods include procedural methods, automated methods, or both.

Actionable Items:  Functionally the quickest way to accomplish this is to turn off installation for anyone except authorized administrators and use a 3rd party software to monitor any changes that may occur.

You can purchase an installable GPO with installation instructions here