Let’s discuss Enable Windows Apps Access Tasks to Prioritizing Security and Privacy using Intune. Let Apps Access Tasks policy in Microsoft Intune controls whether Universal Windows Platform (UWP) apps can access tasks on a device.
In this context, tasks refer to a capability that allows apps to read and write information about system-level tasks and processes running on the device. This capability is typically used by apps that need to manage, monitor, or interact with other running applications and services for legitimate purposes.
Organizations use this policy to balance the need for security and data privacy with the operational requirements of specific applications. This policy provides many benefits for organization. Minimizes the risk of sensitive corporate information being leaked.
The policy prevents unauthorized apps (which might be malicious or poorly coded) from accessing a list of running processes or system tasks, which can sometimes reveal confidential operational details. If a malicious actor gains control of an app, they cannot use its permissions to spy on other critical security or business applications running on the device.
Table of Contents
Enable Windows Apps Access Tasks to Prioritizing Security and Privacy using Intune
Windows Apps Access Tasks policy is applicable for different scenarios. Endpoint Security Software,Financial Services Data Privacy etc. In Endpoint Security Software a company uses a UWP-based Endpoint Detection and Response (EDR) agent or a Device Health Attestation app.
This agent’s core function is to continuously monitor all running processes, network connections, and system activities to detect threats.
- Control Windows Apps Access Email to Preventing Data Leakage using Intune
- Control Windows Advertising ID for Enhanced Privacy using Intune
- How to Block App Location Access in Windows using Intune Policy
Configure Policy from Intune Portal
By sign in to Microsoft Intune Admin center you can easily configure Windows Apps Access policy. Sign in with Microsoft Intune Admin center. Go to Devices > Configuration > +Create >+ New Policy.
Profile Creation of Policy
After that, you can Create a Profile for the policy which you want to configure. To create a profile you have to select platform and profile type. Here I selected Windows 10 and later as the Platform and Settings catalog as the profile type. Then click on the Create button.
Filling Basic Details
On the Basic tab you can add Name and Description for the policy for further reference. The Name field is necessary to identify the purpose of the policy and description shows more information. The Name is mandatory and if you like to add description you can add. Click on the Next Button.
Configure the Windows Apps Access Tasks
The Configuration settings page is provided to select the settings to create the policy. The Settings Catalog provides a huge number of settings. To select a settings click on the +Add settings hyperlink. Then you will get Settings Picker. Choose Privacy and select Let Apps Access Tasks. Then I close the Settings Picker.
Available Values for this Policy
There are 3 values avilable for Windows Apps Access Email Settings. You can choose according to your preferences. Here I select Disabled value. The below table shows all valuea avialble for this policy.
| Value | Details |
|---|---|
| User is in control | If you choose the “User is in control” option, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device. |
| Fore Allow | If you choose the “Force Allow” option, Windows apps are allowed to access tasks and employees in your organization can’t change it. |
| Force Deny | If you choose the “Force Deny” option, Windows apps aren’t allowed to access tasks and employees in your organization can’t change it. |
| Disable or don’t configure | If you disable or don’t configure this policy setting, employees in your organization can decide whether Windows apps can access tasks by using Settings > Privacy on the device. |
Scope Tags
By using scope tags you can restrict the visiblity of Windows Apps Access Email Settings. It is helps to organize resources as well. Here I would like to skip this section, because it is not mandatory. Click on the Next button.
Assignment Tab for Selecting Group
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Final Step of Policy Creation
To complete the policy creation you can review all the policy details on the Review + create tab. It helps to avoid mistakes and successfully configure the policy. After varifying all the details click on the Create Button. After creating the policy you will get success message.
Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync, the device on the Company Portal, Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Client Side Verification with Event Viewer
If you get success message, that doesn’t means you will get the policy advanatges. To varify the policy successfully configured to client device check the Event Viwer. Filter for Event ID 813: This will help you quickly find the relevant logs.
Open Event Viewer: Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
MDM PolicyManager: Set policy int, Policy: (LetAppsRunlnBackground), Area: (Privacy),
EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), Scope: (0x1).
Removing the Assigned Group from Windows Apps Access Tasks
If you want to remove the Assigned group from the policy, it is possible from Intune Portal. To do this open the Policy on Intune Portal and Edit the Assignments tab and Remove the Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Windows Apps Access Tasks
You can easily delete the Policy from Intune Portal From the Configuration section you can delete the policy. It will completely remove from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Windows CSP Details
If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-2] |
| Default Value | 0 |
Description Framework Properties
The Description framework properties of Windows Advertising Id Policy shows the Property name Property value. The below table shows more details.
| Name | Value |
|---|---|
| Name | LetAppsAccessTasks |
| Friendly Name | Let Windows apps access Tasks |
| Element Name | Default for all apps. |
| Location | Computer Configuration |
| Path | Windows Components > App Privacy |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppPrivacy |
| ADMX File Name | AppPrivacy.admx |
OMA URI Settings
It can be easily configured throug CSP. You can create OMA URI Settings by Sign in Intune Portal. Devices > Configuration. Click on Create to start a new policy. Choose the platform as Windows 10 or later. For the Profile type, select Templates, then choose Custom. Provide a name for the policy, such as Enable Windows Apps Access Tasks and add a description if needed.
- Click on + Add under OMA-URI Settings to configure the specific setting.
- To Configure the OMA-URI Setting Enter Name and Description
- Enter the following OMA-URI path:
- ./Device/Vendor/MSFT/Policy/Config/Privacy/LetAppsAccessEmail
- Enter the value
- 1 Force allow.
- 0(Default) User in control.
- 2 Force deny
- After entering the above details, click the Save button.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.