How to Control SHA256 Validation in Windows Package Manager using Intune

Key Takeaways

  • This policy helps control software security in Windows Package Manager.
  • When the policy is enabled, users can install apps even if SHA256 validation fails.
  • When the policy is disabled, only fully verified and secure apps can be installed.
  • Intune makes it easy for IT to manage this setting on all devices.

Hey, let’s discuss how to control SHA256 validation in Windows Package Manager using Intune. This policy controls whether users can turn off SHA256 security checks in Windows Package Manager. SHA256 validation is a safety check that makes sure an app or package has not been changed or damaged before installation.

This policy is important because it protects devices from unsafe or modified software. If SHA256 validation is skipped, there is a higher chance of installing harmful apps. By managing this policy, organizations can keep devices secure and ensure only trusted software is installed.

When this policy allows overrides, users can install apps even if the SHA256 check fails. When the policy blocks overrides, users cannot change the setting and SHA256 validation is always enforced. This gives IT teams full control over software security on managed devices.

In an office environment, IT admins can block SHA256 overrides so employees cannot install unsafe software. For example, in a company handling sensitive data, this helps prevent malware and keeps company information safe.


What are the Advantages of Enabling this Policy using Intune?

Enabling this policy gives IT administrators more flexibility and control when managing software installations. It allows trusted users or teams to install required applications even when SHA256 validation fails, which is useful in testing, development, or special business scenarios.

1. Allows installation of custom or internal applications
2. Helps development and testing teams work without delays
3. Reduces dependency on manual workarounds
4. Provides flexibility while still being managed by IT
5. Useful for lab, pilot, and non-production environments

How to Control SHA256 Validation in Windows Package Manager using Intune

In a development or testing environment, admins may allow SHA256 overrides. For example, developers testing internal or custom apps may need flexibility. This policy allows that flexibility while still being managed centrally using Intune.

Create a Profile

To start configuring this policy, open the Microsoft Intune admin center. Go to Devices > Configuration. From Policies, click the + Create button and select + New Policy. To create a policy, you have to specify the Platform and the Profile type, both of which you can select in this window.

Platform | Profile Type
Windows 10 and later | Settings Catalog
How to Control SHA256 Validation in Windows Package Manager using Intune – Table.1
How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.1

Basic Step

The Basic tab lets you add the Name (App Installer Hash Override) and Description (Enable App Installer Hash Override) for the policy that you want to create. The Name is a mandatory field, so you must enter it here. The Description is optional. Click Next to continue.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.2

Configuration Settings

The Configuration tab is crucial because it lets you select the specific setting. On the Configuration tab, click the + Add settings hyperlink to open the Settings Picker. From the Settings Picker, you can find settings quickly by browsing by category or by using the Search bar.

  • Category – Administrative Templates > Windows Components > Desktop App Installer
  • Setting – Enable App Installer Hash Override
How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.3

Once you have selected App installer hash override and closed the Settings picker, you will see it on the Configuration page. Here we have only two settings: Enable or Disable. By default, it will be set to Disable. Click Next to continue.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.4

Enable App Installer Hash Override Policy

To enable this policy, toggle the switch from left to right. Then click the Next button to proceed.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.5

Scope Tag

In Intune, Scope Tags are used to control who can view and modify a policy. The scope tag is not mandatory, so you can skip this section. It functions as a tool for organisation and access management, but assigning it is optional. Click Next if they’re not required for your setup.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.6

Assignments

In the Assignments tab, you choose the users or devices that will receive the policy. Click Add Group under Include Group, select the group that you want to target (HTMD – Test Poliy), and then click Next to continue.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.7

Final Step

At the final Review + Create step, we see a summary of all configured settings for the new profile. After reviewing the details and making any necessary changes by clicking Previous, we click Create to finish, and a notification confirms that the “App Installer Hash Override created successfully”.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.8

Device and User Check-in Status

To view a policy’s status, go to Devices > Configuration in the Intune portal, select the policy (App installer hash override), and check that the status shows Succeeded (1). Use manual sync in the Company Portal to speed up the process.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.9
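
To confirm on a managed device that the policy has actually applied, the check below reads the policy value and the winget admin setting it gates. It is an added example, not part of the original post; it assumes the setting is stored as the DWORD EnableHashOverride under the Desktop App Installer policy key and that winget settings export reports adminSettings.InstallerHashOverride, and the function names are illustrative.

```powershell
# Added example: report the App Installer hash-override policy state on this device.
# Assumption: the ADMX-backed setting lands as the DWORD EnableHashOverride under
# the Desktop App Installer policy key used by the winget Group Policy template.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$ValueName = 'EnableHashOverride'

function Get-HashOverridePolicyState {
    param([string]$Path = $PolicyKey, [string]$Name = $ValueName)
    # A missing key or value means the policy has not been delivered.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ([int]$item.$Name) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected($($item.$Name))" }
    }
}

function Get-WingetHashOverrideAdminSetting {
    # Assumption: 'winget settings export' prints JSON in which
    # adminSettings.InstallerHashOverride is the local admin switch the policy gates.
    # Returns $null when winget is missing or the output cannot be parsed.
    if (-not (Get-Command winget -ErrorAction SilentlyContinue)) { return $null }
    try {
        $json = (winget settings export) -join "`n" | ConvertFrom-Json
        return $json.adminSettings.InstallerHashOverride
    } catch { return $null }
}

$policy = Get-HashOverridePolicyState
$admin  = Get-WingetHashOverrideAdminSetting

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    PolicyState          = $policy
    AdminSettingEnabled  = $admin
    # SHA256 validation cannot be overridden only when the policy is Disabled.
    HashValidationForced = ($policy -eq 'Disabled')
}
```

Run it in an elevated PowerShell session after a sync; a PolicyState of NotConfigured on a targeted device means the profile has not reached it yet.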

How to Remove Assigned Group from this Policy

After creating the policy, if you want to remove the specific group that you previously selected, you can easily do that. First, go to Devices > Configuration policies. In the Configuration policy section, search for and select the policy. In the Assignment section, click the Edit option. Then click the Remove option.

For detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.10

How to Delete this Policy from Intune

If you want to delete this policy for any reason, you can easily do so. First, search for the policy name in the configuration section. When you find the policy name, you will see a 3-dot menu next to it. Click on the 3 dots, then click the Delete button.

For detailed information, you can refer to our previous post How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

How to Control SHA256 Validation in Windows Package Manager using Intune - Fig.11


Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
