Secure Windows Devices with Intune Application Control Policy Managed Installers

Let’s learn how you can create Intune Application Control policy, and configure the Intune Management Extension as a managed installer on Windows devices. Microsoft Intune offers Application Control policies that help mitigate the risk of undesired apps running on managed Windows devices.

You might notice almost every day, new malicious files and apps regularly emerge, posing a significant risk when executed on devices within your organization. Managing and preventing such threats can be challenging.

By implementing Intune Application Control policy, you gain the ability to prevent the execution of potentially harmful applications proactively. These policies provide granular control and allow you to define rules and restrictions on which apps can run on your managed devices.

Starting with Intune June Update, you can use a new endpoint security policy category, Application Control, in the public preview. The endpoint security Application Control policy includes the following:

Patch My PC
  • Policy to set the Intune Management Extension as a tenant-wide managed installer.
  • Application Control policies that are an implementation of Defender Application Control (WDAC). Allows you to configure a policy that allows trusted apps to run on managed devices.

With Intune’s endpoint security Application control, you can use policy to the Intune Management Extension as a managed installer on your managed Windows devices. After you enable a managed installer, all subsequent applications you deploy to Windows devices through Intune are marked with the managed installer tag.

The tag identifies that the app was installed by a known source and can be trusted. To get started, You need to follow the Prerequisites for checking the device eligibility and the role required for setting up and managing Application Control policies.

Adaptiva

Add Intune Management Extension as Managed Installer

The following steps guide you through adding the Intune Management Extension as a managed installer for your tenant. Intune supports a single managed installer policy.

To enable the use of a managed installer, ensure that user accounts are assigned the role of Global Administrator or Intune Service Administrator. These roles have the necessary privileges to manage and configure managed installers.

In the Microsoft Intune admin center, Navigate to the Endpoint security > Application control (Preview). Here you can see the two tabs, Application Control and Managed Installer.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.1
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.1

In the Application control node, select the Managed installer tab, and to begin configuring the Intune Management Extension as a Managed Installer on all applicable enrolled devices in the tenant, select “Add”.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.2
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.2

The Add managed installer pane opens. Select Add and then Yes to confirm the addition of the Intune Management Extension as a managed installer.

Suppose you grant permission to Microsoft to configure Intune Management Extension as a managed installer. In that case, all apps installed from this source can be configured as trusted in your Application control policy.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.3
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.3

Once you added the Managed installer, you may need to wait up to a few minutes before the new policy is added to your tenant. You can select Refresh to update the admin center periodically until it’s available.

The policy is ready in the service when Intune displays a managed installer policy with the name Managed installer – Intune Management Extension with the status of Active. From the client side, you may need to wait up to an hour for the policy to start getting delivered.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.4
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.4

Create an Application Control Policy

To create Intune Application Control policy, follow these steps in the Intune admin center. Navigate to the section Endpoint Security > Application control and click on the Application control tab.

For managing Intune Application Control policy, user accounts must possess the Security Baseline permissions for Delete, Read, Assign, Create, and Update. These permissions are required to manage and administer Application Control policies within the system effectively.

Here, look for an option to create a new policy and click on it. On the Basics tab, you need to provide a name for the policy to help identify it later and a description which is optional. Once you are done, Click on Next.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.5
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.5

On Configuration settings, choose a Configuration settings format. Select Enter XML data to type or paste an XML property list that contains your Application Control policy. Select Use built-in controls to choose from toggles exposed in this Application Control policy.

  • Enter xml data – With this option, you must provide custom XML properties to define your Application Control policy. If you select this option but don’t add XML properties to the policy, it acts as Not configured.
  • Built-in controls – With the built-in controls, you can easily approve all apps that are installed by a managed installer and allow the trust of Windows components and store apps
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.6
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.6

Here, I selected the built-in controls settings format for configuring the following settings. By selecting this option, the policy eliminates the need for custom XML. Instead, you can configure the following settings:

Enable trust of Windows components and store apps – When this setting is Enabled (the default), managed devices can run Windows components and store apps and other apps you might configure as trusted. Apps that aren’t defined as trusted by this policy are blocked from running.

Select Audit only to log all events in local client logs but not block any apps from running. Select Enforce to actively block apps from running in a deployed Application Control base policy.

In the Select additional options for trusting apps, You will have the below options for selection. Here, I will be selecting the trust apps from managed installers.

  • Trust apps with a good reputation – This option allows devices to run reputable apps as defined by the Microsoft Intelligent Security Graph.
  • Trust apps from managed installers – This option allows devices to run the apps deployed by an authorized source, a managed installer. This applies to apps you deploy through Intune after you configure the Intune Management Extension as a managed installer. nts and store apps:
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.7
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.7

In the next tab, you will get to select any desired scope tags to apply, then select Next. For Assignments, select the groups that receive the policy, and consider that Intune Application control policy applies to only the device groups. Select Next.

For Review + create, review your settings and then select Create. When you select Create, your changes are saved, and the profile is assigned.

Once the policy is created, a message will appear showing Policy “HTMD App Control Policy” created successfully. You will see the policy is shown in the list.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.8
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.8

Monitor Application Control Policy

Once devices have been assigned Application Control and Managed Installer policies, you can access the policy details within the admin center for viewing.

On the Managed Installer tab, you can view the status, success count, and error details for the Managed Installer – Intune Management Extension policy. By clicking on managed installer, In the Overview tab, you can get information about devices where the Managed installer is successfully set to the Intune Management Extension.

Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.9
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.9

Within the Application Control tab, you have the ability to view a comprehensive list of your Application Control policies. This list provides basic details, such as whether a policy is assigned and the date of its last modification.

By selecting a specific policy, you can access an expanded view that offers additional report options. Report options for the policy include:

  • Device and user check-in status – Displays the count of devices reporting each available status for this policy.
  • View Report – You can get a list of the devices that received this policy by clicking on view report. Here you can select devices to drill in and view their Application Control policy settings format.
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.10
Manage approved apps for Windows devices with Intune Application Control policy Managed Installers Fig.10

Author

About Author – JiteshMicrosoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

1 thought on “Secure Windows Devices with Intune Application Control Policy Managed Installers”

  1. Uploading Base XML Policies works for me, but all Supplemental Policies fail with:

    “Failed to create policy, try again later”
    “An error occurred. Request ID:”

    with no further info 🙁

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.