In this post, you will learn how to remove Intune Management Extension as Managed Installer. Setting a managed installer is a tenant-wide configuration for all your managed Windows devices.
You can stop configuring the Intune Management Extension as a managed installer for your tenant. This requires you to turn off the managed installer policy. After the policy is turned off, you can use additional cleanup actions.
Starting in Intune June Update 2306, you can use Application Control in the public preview. Allows you to configure a policy that allows trusted apps to run on managed devices and a policy to set the Intune Management Extension as a tenant-wide managed installer.
By implementing Intune Application Control policy, you gain the ability to prevent the execution of potentially harmful applications proactively. Let’s check how you can create Intune Application Control policy and configure the Intune Management Extension as a managed installer on Windows devices.
- Intune Architecture And Sample Architecture Diagram Explained
- Intune Supported Device Platforms And Custom Baselines Options
Turn off Intune Management Extension Policy from Intune
The following configuration is required to stop adding the Intune Management Extension as a managed installer to your devices and remove Intune management extension.
- Sign in to the Microsoft Intune Admin Center https://Intune.microsoft.com/.
- Navigate to the Endpoint security, and Click on Application control.
In the Managed installer tab, Once you add the Managed installer, The policy is ready in the service when Intune displays a managed installer policy with the name Managed installer – Intune Management Extension with the status of Active.
Here you need to select the Managed installer – Intune Management Extension policy to navigate to the properties pane.
In the Properties, You may find the Settings. Click on the Edit policy to change the Set managed installer to Off.
To Opt-out for managed installer, Toggle the switch to Off to Set managed installer. ON will grant Microsoft permission to configure Intune Management Extension as a managed installer (an authourized source for application deployment) on applicable devices.
OFF will pause any scheduled policy to set the Intune Management Extension as a managed installer on applicable devices. Existing policies already deployed to devices will change when configuring to OFF. If removing existing policies is required, a cleanup script may be used.
As you set managed installer to Off and click on Save, A popup will appear with the confirmation message.
If you grant permission to Microsoft to configure Intune Management Extension as a managed installer, all apps installed from this source can be configured as trusted in your Application control policy. You can click on Yes, and proceed to Save.
Once you remove the managed installer, you can validate the status in the Managed installer tab; The policy status shows Not deployed. I have seen here, the status change would take some time to effect.
New devices won’t be configured with the Intune Management Extension as a managed installer. This doesn’t remove the Intune Management Extension as managed installer from devices that have already been configured to use it.
Remove Intune Management Extension as a managed installer on Devices
As an optional cleanup step, you can run a script to remove the Intune Management Extension as a managed installer on already installed devices. This is optional as these configurations do not affect devices unless you use application control policies referencing the managed installer.
- Download the CatCleanIMEOnly.ps1 PowerShell script.
- Run this script on devices that have set the Intune Management Extension as a managed installer. This script removes only the Intune Management Extension as a managed installer.
Note! To automate the script execution, you may also use the PowerShell Script option in Intune to target the managed devices.
Once you have executed the scripts manually, Please restart the Intune Management Extension service for the changes to take effect immediately.
Overall, Turning off the policy prevents subsequent apps from being tagged with the managed installer. Apps that were previously installed and tagged remain tagged.
Author
About Author – Jitesh, Microsoft MVP, has over six years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10/11 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.