Let’s discuss How to Allow or Block Trusted LOB or Developer-Signed Apps in Microsoft Store using Intune Policy. In Intune, the setting Allow All Trusted Apps is part of the ApplicationManagement Policy CSP. This setting lets you control whether users can install apps from sources outside the official Microsoft Store.
The Allow All Trusted Apps policy controls the installation of trusted apps that are packaged like Microsoft Store apps but come from sources other than the store itself, such as internal line-of-business (LOB) apps or developer-signed apps.
Enabling this setting lets you install internal company apps (LOB) or apps signed by developers. For this to work, your computer needs to be able to trust the security certificate used to sign the app. If the app is from a trusted source and your computer can confirm it, you can install it.
If you disable or do not configure this policy, you will not be able to install internal company apps (LOB apps) or apps that developers have signed, even if they’re packaged like regular Microsoft Store apps. This setting needs to be enabled if you want to allow these types of installations.
Why are Internal Company Apps (Private Apps or LOBs) Considered Crucial for Organizations?
Internal company apps (Private Apps or LOBs) are really important for businesses to work better and faster. They give employees the specific tools they need to do their jobs efficiently.
These apps can be customized with the company’s branding and designed to fit exactly how each organization works.
Policy CSP Details – ApplicationManagement
The Policy Configuration Service Provider (CSP) within Windows 10 and Windows 11 provides a framework for enterprises to establish and apply organizational policies. This capability is fundamental for enforcing consistent configurations across the environment.
Description Framework Properties
The Description Framework Properties in Microsoft Intune’s Settings Catalog are like helpful labels and explanations for each setting. They tell you what the setting is, what kind of information it needs, what it does, and what it’s set to automatically. This makes it easy to understand and use each setting correctly.
Property Name | Property Value |
---|---|
Format | int |
Access Type | Add, Delete, Get, Replace |
Default Value | 65535 |
Allowed Values
When you configure a setting in Intune’s Settings Catalog, the Allowed Values are the only options you can pick. These options determine what the setting does on a device. The following table shows the Allowed Values of the Allow All Trusted Apps policy.
Value | Description |
---|---|
0 | Explicit deny. |
1 | Explicit allow unlock. |
65535 (Default) | Not configured. |
./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps
How to Allow or Block Trusted LOB or Developer-Signed Apps in Microsoft Store using Intune Policy
To get started with deploying a policy in Intune, first sign in to the Microsoft Intune admin center. From there, go to Devices > Configuration profiles > Create profile. Next, click Create. In the Create a Profile window, select Windows 10 and later as the Platform.
- For the Profile type, choose Settings catalog. Finally, click the Create button to continue.
Basics
The Basics step is crucial for setting up your policy. Here, you will provide fundamental information. First, give your policy a clear Name so you can easily find it later. Then, add a brief Description explaining what the policy does. The Platform is already set, so you don’t need to do anything there.
- Here, my policy name is Allow All Trusted Apps.
- Description: You can control the installation of trusted business or developer-signed Microsoft Store apps with this policy
- Platform: Windows (Default)
Configuration Settings
Now, let’s move on to Configuration Settings. This is a key step where you will define the specific behaviors and options this policy will enforce. Click Add Settings to bring up the Settings Picker. In the search bar, type in Microsoft App Store, and then select Allow All Trusted Apps from the search results.
After picking Allow All Trusted Apps and closing the Settings Picker, you’ll see it on the Configuration Settings page. Initially, it will say Not configured. Click the dropdown and choose either Explicit allow unlock or Explicit deny to set it according to what your organization needs.
Choosing between Explicit allow unlock and Explicit deny lets you clearly decide if trusted apps can or cannot unlock certain features. Here, I choose Explicit deny (0) to configure this policy. Click Next to move on.
Scope Tags
In Intune, Scope Tags are there to help you manage who can see and edit this policy. They help keep things organized and manage who has access. However, it is optional, so you can hit Next if you don’t need to assign them.
Assignments
The Assignments tab is where you choose who gets the policy. To do this, under Include Groups, click Add Groups. You’ll see a list of your available groups. Just pick the group you want this policy to apply to. Once you have selected it, the group will show up in your assignments. Then click Next to proceed.
- Here, I select Test_HTMD_Policy as my group.
Review + Create
You have reached the final step, Review + Create. This window gives you a complete overview of your new profile. It is a summary of everything you have set up in the previous steps. You can easily review every detail and, if needed, click Previous to return to any earlier section and make changes.
- Once you are satisfied with everything, just click Create to finalize your profile.
- After clicking the Create button, you will receive a notification that the Policy Allow All Trusted Apps has been created successfully.
Device and User Check-in Status
You can check the policy in the Intune Portal. It usually takes about 8 hours to create a policy. If it’s taking too long, use the manual syncing option (Sync) in the Company Portal app on your device. After syncing, check the status again.
- Go to Devices, then Configuration.
- Click on the policy to view its details.
- For instance, here the Allow All Trusted Apps policy status is Succeeded (1).
Client Side Verification
You can use the Event Viewer on the client device to check if the policy has been applied. To navigate through the Event Viewer, follow this path.
Applications and Services Logs > Microsoft > Windows > Device Management > Enterprise Diagnostic Provider > Admin.
Now, you will see a list of policies. Use the Filter Current Log option on the right to find the one you want to check. Look for Intune event 813. This means a text setting has been applied to a Windows 10 or 11 device, and it will show you exactly what that text setting is.
MDM PolicyManager: Set policy int, Policy: (AllowAllTrustedApps), Area: (ApplicationManagement), EnrollmentID requesting merge: (B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).
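The same check can be scripted instead of read from the Event Viewer UI. The following is an added example, not code from the original post: it parses the event 813 message quoted above, maps the Int field to the Allowed Values table, and compares it with the value you expect. The function name ConvertFrom-PolicyEvent and its -Expected parameter are hypothetical, and the sample message is the log line shown above.

```powershell
# Added example: interpret MDM PolicyManager event 813 for AllowAllTrustedApps.
# Meanings taken from the Allowed Values table on this page.
$AllowedValues = @{ 0 = 'Explicit deny'; 1 = 'Explicit allow unlock'; 65535 = 'Not configured' }

function ConvertFrom-PolicyEvent {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$Expected = 0           # assumption: baseline is Explicit deny, as chosen above
    )
    $pattern = 'Policy: \((?<Policy>[^)]+)\), Area: \((?<Area>[^)]+)\).*?' +
               'Current User: \((?<User>[^)]+)\), Int: \((?<Int>0x[0-9A-Fa-f]+)\)'
    if ($Message -match $pattern) {
        # Convert.ToInt32 accepts the 0x prefix when the base is 16.
        $value = [Convert]::ToInt32($Matches.Int, 16)
        [pscustomobject]@{
            Area      = $Matches.Area
            Policy    = $Matches.Policy
            AppliedTo = $Matches.User
            Value     = $value
            Meaning   = if ($AllowedValues.ContainsKey($value)) { $AllowedValues[$value] }
                        else { 'Unexpected value' }
            AsExpected = ($value -eq $Expected)
        }
    }
}

# Sample input: the event message quoted on this page.
$sample = 'MDM PolicyManager: Set policy int, Policy: (AllowAllTrustedApps), ' +
          'Area: (ApplicationManagement), EnrollmentID requesting merge: ' +
          '(B1E9301C-8666-412A-BA2F-3BF8A55BFA62), Current User: (Device), ' +
          'Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).'
ConvertFrom-PolicyEvent -Message $sample

# On an enrolled device: newest matching event from the Admin channel described above.
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 813 } -ErrorAction SilentlyContinue |
    Where-Object Message -like '*AllowAllTrustedApps*' |
    Select-Object -First 1 |
    ForEach-Object { ConvertFrom-PolicyEvent -Message $_.Message }
```

If AsExpected is False on a device that should be blocking sideloaded packages, check for a conflicting profile assigned to the same device.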
How to Remove Group of Allow All Trusted Apps Policy
Removing an Intune policy involves a few simple steps: First, go to the Configuration area and open the policy. Next, in the Assignment tab, click Edit. Finally, click the Remove button to delete the policy assignment.
For detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Allow All Trusted Apps Policy from Intune Portal
To remove the Allow All Trusted Apps policy in Intune, follow these simple steps. For more information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
- Go to Devices > Configurations.
- In the Policy list, use the search bar to find Allow All Trusted Apps.
- Once you see the policy, click the three dots (…) next to it.
- Select Delete from the menu to remove the policy.
Author
Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.