By: Luke Ramsdale – Sr. Customer Escalation Engineer | Microsoft Intune
In Microsoft Intune, admins can deploy application control policies to Windows devices to help prevent unauthorized applications from running. These policies are deployed using the Windows ApplicationControl CSP; however, to deploy Win32 apps via Intune after deploying these policies, you need to add the Intune management extension as a managed installer. Once you configure the Intune management extension as a managed installer, the apps that are subsequently deployed via Intune are tagged by the installer and identified as safe applications.
Note: Enabling the Intune management extension for managed installer is an Intune tenant-wide configuration, so it targets all Windows devices at once.
For more information on using application control policies and configuring the Intune management extension as a managed installer, review:
Manage approved apps for Windows devices with App Control for Business policy and Managed Installers in Intune.
Once you configure the Intune management extension, you can track the progress of the configuration using the App Control for Business blade by navigating to the Microsoft Intune admin center > Endpoint security > App Control for Business (Preview) > Managed installer. The overview shows the success and error state.
You can then drill in further by clicking on the managed installer policy, where you can see an overview of the deployment.
A detailed view of the deployment status is available in Device status, which shows the success and failure for each individual device. You can add an additional column, “Last run message”, to get a detailed description of the error on the client side.
The last run message contains the reason the Intune management extension could not be enabled as a managed installer and mirrors what is logged in AgentExecutor.log on the device.
The mechanism used to enable the Intune management extension as a managed installer is a detection and remediation PowerShell script that leverages the Get-AppLockerPolicy and Set-AppLockerPolicy cmdlets.
The Intune management extension executes these PowerShell scripts, and you can track them using AgentExecutor.log, located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. You can remotely collect the Intune management extension logs via the device action “Collect diagnostics” in the Microsoft Intune admin center.
The AgentExecutor first runs the detection script, detect.ps1. If the Intune management extension needs to be configured as a managed installer, it then runs the SET remediation script, remediation.ps1, and subsequently confirms this has worked by running the detection script again. So the sequence is GET, SET, GET, using the PowerShell cmdlets mentioned above.
All Intune tenants use the same policy ID for the detection and remediation script, d78c1822-e082-491a-b3a7-4a701836481e. The detection process will attempt to do the following once a day:
You can see the detection process in the AgentExecutor.log:
Here, you can see detect.ps1 running and returning an exit code of 1 (highlighted in yellow). The Write-Output text, highlighted in red, is where the error message is written.
In this example we can see the Intune management extension is not set as a managed installer, which is expected if the device has just been enrolled or the managed installer feature has just been enabled:
Info detect.ps1 VerifyCompliance returned False
Info detect.ps1 Check if the registry value is there and remove it if it is there
Info detect.ps1 Intune management extension is not set as a managed installer
Intune management extension is NOT set as the managed installer.
You can manually test the detection process by running the following PowerShell command on a device:
Get-AppLockerPolicy -Effective -Xml
This returns the XML that is effective on the device; inspect it to see whether it includes the Intune management agent.
Remediation (SET)
The AgentExecutor will now attempt to remediate the device and set the Intune management extension as a managed installer.
During remediation, the script will:
In this example, remediation.ps1 exits with code 1 (highlighted in yellow), and the reason is contained in the Write-Output (highlighted in red).
The remediate script attempts to set the AppLocker policy for the Intune management extension and merge it with any existing policies on the device. There is a 5-minute timeout window for this operation to complete, during which the script will attempt to set the policy 16 times.
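The GET, SET, GET flow described above (the manual Get-AppLockerPolicy check and the merge-with-retry remediation), as an added example that is not the detect.ps1/remediate.ps1 shipped by Intune. The "ManagedInstaller" rule collection type, the IME binary name, the publisher string and the retry spacing are assumptions; take the real rule XML from Microsoft's managed installer documentation.

```powershell
# Added example, not Intune's own health scripts. Run as SYSTEM, as the AgentExecutor does.
# Assumed: rule collection type "ManagedInstaller", IME binary name and Microsoft publisher string.
$ImeBinary = 'MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE'

function Test-ImeManagedInstaller {
    # GET: does the effective policy carry a ManagedInstaller rule naming the IME binary?
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $collection = @($policy.AppLockerPolicy.RuleCollection) | Where-Object { $_.Type -eq 'ManagedInstaller' }
    if (-not $collection) { return $false }
    $rule = @($collection.FilePublisherRule) | Where-Object {
        $_.Conditions.FilePublisherCondition.BinaryName -eq $ImeBinary
    }
    return [bool]$rule
}

function Set-ImeManagedInstaller {
    param([int]$MaxAttempts = 16, [int]$TimeoutSeconds = 300)
    # Managed installer rule (assumed layout), written to a temp file because -XmlPolicy takes a path.
    $ruleXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Intune management extension" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="$ImeBinary">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    $rulePath = Join-Path $env:TEMP 'ime-managed-installer.xml'
    Set-Content -Path $rulePath -Value $ruleXml -Encoding UTF8
    # SET with -Merge so the device's existing rule collections are kept, then GET again to confirm.
    # Retried up to 16 times inside a 300-second window, mirroring the remediation script.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { Set-AppLockerPolicy -XmlPolicy $rulePath -Merge -ErrorAction Stop }
        catch { Write-Warning "Attempt ${attempt}: Set-AppLockerPolicy failed: $($_.Exception.Message)" }
        if (Test-ImeManagedInstaller) { return $true }
        if ((Get-Date) -ge $deadline) { break }
        Start-Sleep -Seconds ([int]($TimeoutSeconds / $MaxAttempts))
    }
    return $false
}

# Outputs True once the IME managed installer rule is effective, False if the window is exhausted.
if (Test-ImeManagedInstaller) { $true } else { Set-ImeManagedInstaller }
```

A Set-AppLockerPolicy failure that repeats on every attempt (such as the E_FAIL COM error shown in the snippet) points at the local policy store rather than the merge, which is what the manual steps below isolate.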
Here’s a snippet from the output:
remediate.ps1 Calling MergeAppLockerPolicy
MergeAppLockerPolicy Merging and setting AppLocker policy
MergeAppLockerPolicy Trying to set app locker policy
remediate.ps1 Calling WaitForPolicyUpdate
WaitForPolicyUpdate Waiting for policy to be updated
WaitForPolicyUpdate Waiting a maximum of 300 seconds for the policy to be updated
Error MergeAppLockerPolicy Failed 1
At C:\Windows\IMECache\HealthScripts\d78c1822-e082-491a-b3a7-4a701836481e_8\remediate.ps1:108 char:13
+ LogLine -functionName $MyInvocation.MyCommand -logLine "F ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,LogLine
MergeAppLockerPolicy The local policy cannot be obtained. Reason: Error HRESULT
E_FAIL has been returned from a call to a COM component.
In this case, there has been an issue running Set-AppLockerPolicy -XmlPolicy. To isolate this issue further, try running the Set-AppLockerPolicy cmdlet manually within PowerShell. To do this, follow these steps:
On the device, download PsExec from: PsExec - Sysinternals
Run the following command to launch PowerShell in the system context from the command line:
psexec -i -d -s C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type whoami to confirm that the session is running as SYSTEM.
Run the following PowerShell cmdlet to back up the existing policy:
Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath "c:\applocker_policy.xml"
Create a text file and paste in the following:
<AppLockerPolicy Version="1" />
Rename the text file to policy.xml and save it on the local drive.
Run the following PowerShell cmdlet:
Set-AppLockerPolicy -XMLPolicy "C:\policy.xml"
Note: This will delete the existing AppLocker policy, as described in the following article; the backup taken in the earlier step can be used to restore it. If the managed installer is not disabled in the Intune admin center, the script will attempt to run again 24 hours later.
When deploying managed installer for Microsoft Entra hybrid joined devices, please consider the following limitations:
If you’re using or want to use application control policies and encounter any issues configuring the Intune management extension as a managed installer, hopefully the troubleshooting steps and guidance in this post help you diagnose and resolve them quickly.
If you have a question or feedback, leave a comment below or reach out on X @IntuneSuppTeam.