Tech Community Live: Microsoft Intune
Oct 01 2024, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community

How to disable Smart App control through Intune for all the laptops in my organisation

Copper Contributor

All the laptops on Windows 10 pro are working through Autopilot and intune policies. But all the new laptops with Windows 11 pro has Smart App control on Evaluation that doesn't allow the Autopilot to run all policies. The error comes up - "This app has been blocked by your system administrator".

 

We eventually start disabling the Smart App control manually and connecting with domain. It a very long process. We need to deploy all laptops through auto-pilot and for that need Intune policy to disable Smart app control in the start of setting up laptop.

Please assist

2 Replies

@Sourav_Jindal 

 

  

Hi this is indeed a known new feature. You can read more about it here: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-...

 

This part is a little unclear:

 

"Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control is automatically turned off for enterprise managed devices unless the user has turned it on first."

 amart App Control is automatically turned off for enterprise managed devices", You would expect it be turned off when the device is Entra Joined.

 

But this part is more interesting for you: "To turn off Smart App Control across your organization's endpoints, you can set the VerifiedAndReputablePolicyState (DWORD) registry value under HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy"

 

Just create a Powershell script, you could use Proactive Remediation script also and set the key to 0 that will solve your issue.

 

------

Please click Mark as Best Response & Like if my post helped you to solve your issue.

This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it Like.

 

 

@Sourav_Jindal

@SebastiaanSmits 

 

I tried the above solution, and i didn't work. 

We need to set HKLM\SYSTEM\CurrentControlSet\Control\CI\Protected to 0, but it doesn't work even through intune.