Blog Post

Intune Customer Success
6 MIN READ

Troubleshooting managed installer deployments in Microsoft Intune

Intune_Support_Team's avatar
Aug 05, 2024

By: Luke Ramsdale – Sr. Customer Escalation Engineer | Microsoft Intune

 

In Microsoft Intune, admins can deploy application control policies to Windows devices to help prevent unauthorized applications from running. They deploy these policies using the Windows ApplicationControl CSP, however, to deploy Win32 apps via Intune after deploying these policies, you need to add the Intune management extension as a managed installer. Once you configure the Intune management extension as a managed installer, the apps that are subsequently deployed via Intune are tagged by the installer and identified as safe applications.

 

Note: Enabling the Intune management extension for managed installer is an Intune tenant-wide configuration, so it targets all Windows devices at once.

 

For more information on using application control policies and configuring Intune management extension as a managed installer review:

Monitoring the configuration of managed installer

Once you configure the Intune management extension, you can track the progress of the configuration using the App Control for Business blade by navigating to the Microsoft Intune admin center > Endpoint security > App Control for Business (Preview) > Managed installer. The overview shows the success and error state.

 

A screenshot of the Managed installer overview in the Microsoft Intune admin center.

 

You can then drill in further by clicking on the managed installer policy where you can see an overview of the deployment.

 

Overview of the Managed installer – Intune management extension configuration in the Microsoft Intune admin center.

 

A detailed view of the deployment status is available in Device status which shows the success and failure for each individual device. You can add an additional column “Last run message” to get a detailed description of the error on the client side.

 

A screenshot of adding additional columns to the Managed installer policy Device status page.

 

The last run message will contain the reason enabling the Intune management extension has failed to be enabled as a managed installer and will mirror what is logged in the AgentExecutor.log on the device.

 

Troubleshooting failures enabling Intune Mangement Extension as managed installer

The mechanism used to enable the Intune management extension as a managed installer is a detection and remediation PowerShell script that leverages the Get-AppLockerPolicy and Set-AppLockerPolicy cmdlets.

 

The Intune management extension executes these PowerShell scripts, and you can be track them using the Agentexecutor.log located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. You can remotely collect the Intune management extension logs via the device action “Collect diagnostics” in the Microsoft Intune admin center.

 

 

The AgentExecutor will first run the detection script, detect.ps1. If the Intune management extension needs to be configured as a managed installer, it will then run the SET remediation script remediation.ps1 and subsequently confirm this has worked by running the detection script again. So, a GET, SET, GET leveraging the PowerShell cmdlets mentioned above.

 

Detection (first GET)

All Intune tenants will use the same policy id for the detection and remediation script, d78c1822-e082-491a-b3a7-4a701836481e. The detection process will attempt to do the following once a day:

  • It will call the Get-AppLockerPolicy -Effective -Xml PowerShell cmdlet to get the current policy.
  • Search for the <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly"> XML node.
  • If this XML node is found, then it will attempt to match the publisher, file and version of the current policy with the embedded XML in the script.

You can see the detection process in the AgentExector.log:

A screenshot of the detection process in the AgentExecutor.log.

Here, you can see the detect.ps1 running and returning an exit code of 1 highlighted in yellow. The write output text, highlighted in red, is where the error message is written to.

 

In this example we can see the Intune management extension is not set as managed installer which is expected if the device has just been enrolled or the managed installer feature has just been enabled:

 

Info	detect.ps1	VerifyCompliance returned False
Info	detect.ps1	Check if the registry value is there and remove it if it is there
Info	detect.ps1	Intune management extension is not set as a managed installer
Intune management extension is NOT set as the managed installer.

 

 

You can manually test the detection process by running the following PowerShell command on a device:

 

Get-AppLockerPolicy -Effective -Xml

 

 

This will return the XML that is effective on the device and you can inspect it to see if this includes the Intune management agent.

 

Remediation (SET)

The Agent Executor will now attempt to remediate the device and set the Intune management extension as managed installer.

 

During remediation, the script will:

  • Attempt to start all the relevant services.
  • Call the Set-AppLockerPolicy -Merge PowerShell cmdlet.
  • The script will then wait for 5 minutes for the C:\Windows\System32\AppLocker\ManagedInstaller.AppLocker file to be created or updated.

 

 

In this example the remediation.ps1 exits with code 1 (highlighted in yellow), and the reason is contained in the write output (highlighted in red).

 

The remediate script will attempt to set the AppLocker policy for Intune management extension and merge with any existing policies on the device, there’s a 5-minute timeout window for this operation to complete, during which the script will attempt to set the policy 16 times.

 

Here’s a snippet from the output:

 

remediate.ps1	Calling MergeAppLockerPolicy
MergeAppLockerPolicy	Merging and setting AppLocker policy
MergeAppLockerPolicy	Trying to set app locker policy
remediate.ps1	Calling WaitForPolicyUpdate
WaitForPolicyUpdate	Waiting for policy to be updated
WaitForPolicyUpdate	Waiting a maximum of 300 seconds for the policy to be updated
Error	MergeAppLockerPolicy	Failed 1
At C:\Windows\IMECache\HealthScripts\d78c1822-e082-491a-b3a7-4a701836481e_8\remediate.ps1:108 char:13
+             LogLine -functionName $MyInvocation.MyCommand -logLine "F ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,LogLine
 
MergeAppLockerPolicy	The local policy cannot be obtained. Reason: Error HRESULT 
E_FAIL has been returned from a call to a COM component.

 

 

In this case, there has been an issue running the Set-ApplockerPolicy -XMLPolicy. To try and isolate this issue further, try running the Set-AppLockerPolicy cmdlet within PowerShell manually. To do this, follow these steps:

 

  1. On the device download psexec from: PsExec - Sysinternals

  2. Run the following command to launch PowerShell in the system context from the command line:

    psexec -i -d -s C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  3. Type: whoami to confirm the user is system

  4. Run the following PowerShell cmdlet to backup the existing policy:

    Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath "c:\applocker_policy.xml"
  5. Create a text file and paste in the following:

    <AppLockerPolicy Version="1" />
  6. Rename the text file to policy.xml and save this on the local drive

  7. Run the following Powershell cmdlet

    Set-AppLockerPolicy -XMLPolicy "C:\policy.xml"

     

    Note: This will delete the existing AppLocker policy as described in the following article. If the managed installer is not disabled in the Intune admin center the script will attempt to run again 24 hours later.

    • If Step 7 fails using the basic XML file, then it is likely that there are some permissions issues which can be investigated further using procmon.
    • If Step 7 works without any issue, then it is likely that there’s a problem with merging with the existing AppLocker policy, try running Step 7 again but use the applocker_policy.xml created in Step 4 to see if there’s an error related to the XML formatting.

 

Support for managed installer in Hybrid scenarios

When deploying managed installer for Microsoft Entra hybrid joined devices, please consider the following limitations:

  1. The Set-ApplockerPolicy cmdlet used in the remediation.ps1 has a dependency on group policy updating on domain joined devices, if the device is not connected to the domain or if there are delays when updating group policy then this could cause this cmdlet to fail, and managed installer will not be enabled for the Intune management extension.

  2. The group policy update dependency for enabling the Intune management extension as a managed installer impacts Windows Autopilot deployments for Entra hybrid joined devices in the following scenarios:
    • If you use a Win32 application to configure a VPN during Autopilot for Entra hybrid joined devices and have enabled Intune management extension as a managed installer then the VPN application will never be installed, it won’t have connectivity to the domain which will prevent the Intune management extension from being enabled as a managed installer. The Win32 app will fail to install because it’s not tagged as safe, and the Intune management extension won’t be enabled as a managed installer because there’s no domain connectivity.

      Simply, without the domain connectivity the remediation script will fail and without Intune management extension being enabled as a managed installer the VPN application will never install.

    • If the device has line of sight to a domain controller during Autopilot and there are delays updating group policy, then this can also prevent the Set-AppLockerPolicy from completing and cause the configuration of the Intune management extension as a managed installer to fail. This will cause any Win32 applications to fail that are deployed during the Autopilot Enrollment Status Page (ESP) phases.

      This is documented in: “What considerations should I have for Entra Hybrid Join (HAADJ) devices within my organization that want to use Managed Installer?

 

If you’re using or wanting to use application control policies and encounter any issues with configuring Intune management extension as a managed installer, hopefully the troubleshooting steps and guidance in this post helps you diagnose and resolve them quickly.

 

If you have a question or feedback, leave a comment below or reach out on X @IntuneSuppTeam.

Updated Aug 05, 2024
Version 3.0
  • T551282's avatar
    T551282
    Copper Contributor

    Previously the managed installer feature was not really compatible with autopilot because there was no way to ensure that the applocker remediation script would run (also a reboot required?) before WDAC took effect and started blocking app installs during autopilot.

    Can you confirm if this is still the case and if so is there is a roadmap to fix this?

     

    IMO, until this is fixed, I can't really get excited about managed installer.

  • T551282's avatar
    T551282
    Copper Contributor

    Hi Jason,  I am still getting WDAC blocking installs during autopilot.

     

    My test:
    - enable managed installer via intune gui
    - configure app control, 
    Enable App Control for Business policy to trust Windows components and Store apps:
    Enforce
    Select additional rules for trusting apps: Trust apps from managed installers

    - assign Adobe Acrobat Reader DC ms store app (new)

    (then perform wipe and autopilot build)

    During autopilot, the app install is blocked.

     

     

    When I did troubleshooting previously, MS support said that either the applocker policy which delivers the managed installer feature needs a reboot before it takes effect or there was no way to guarantee that the applocker policy applied before WDAC took effect.  Either way, managed installer wasn't really going to work with autopilot.

    Can you confirm if a reboot is needed for the applocker policy to take effect?  (or better yet, duplicate my test)

  • thalesrdias's avatar
    thalesrdias
    Copper Contributor

    Besides the troubleshooting steps mentioned here I found a scenario where a corrupted/empty  registry.pol (C:\Windows\System32\GroupPolicy\Machine) file was preventing the enablement of managed installer in hundreds of systems, after creating a proactive remediation to fix the registry.pol we successfully enabled Intune managed installer