MS-Teams with AppSense Application Manager Agent (Ivanti) is very difficult to deploy




We have the Ivanti AppSense / Application-Manager Agent in our IT infrastructure.

Deploying MS-Teams with AppSense is very difficult, because after every update of MS-Teams we must change the entries for the signature/keys (exe and some DLLs).


Is there a way to make this easier?

Do the signatures always have to change after each update?


We also have OneDrive or Dropbox as an exception in the AppSense-Admin, and these local user applications work fine. We only have these problems with MS-Teams.


Many thanks in advance for any help & best regards,


5 Replies

@Michael_E can you not trust the publisher rather than the certificate?


@Steven Collier 


thanks for your reply.

Publisher is part of the meta-info and can easily be falsified. Good idea, but unfortunately easily compromised.


@Michael_E I don't think so, this is how we trust using Software Restriction Policies, using the Publisher's public key. See

Hi Michael, we have the same issue. Have you found any solution for this?

@Radha1012 @Steven Collier 


Slightly late to the party, but this is an issue I am having with frequent blocking of Teams and found this discussion. After having a play, one option would be to use a Custom rule with a Scripted Condition.


In the Allowed Items you would add the required %LOCALAPPDATA% Teams files (use some metadata too if you like), then you create a PowerShell Scripted Condition to verify the Authenticode signature(s).


Here are the basics of the Scripted Condition check:



$cert = Get-AuthenticodeSignature "$($env:LOCALAPPDATA)\Microsoft\Teams\Update.exe"

# Inspect certificate, fail if information is incorrect
if ($cert.Status -ne "Valid") { exit(1) }
# Other if conditions to also fail on...

# Pass
exit(0)



At a basic level this would also require the file to be digitally signed and valid, but you could also check that the issuer ($cert.SignerCertificate.Issuer) matches the Microsoft one, or add any number of additional checks (increasing security). Instead of just a single file, you could also check a list of files related to Teams.


This would make it harder to replace the original files with malicious ones, as it's not as simple as just matching the metadata: you would need to pass the metadata check, be digitally signed, plus pass any other checks in PowerShell.


I used the below dev blog to get more info on Get-AuthenticodeSignature:
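
The check described in the reply above, extended to a list of files with signer and issuer matching, as an added example that is not part of the original post or Ivanti's own code. The Teams.exe path, the expected subject and issuer strings, and the exit-code convention (0 = pass, as implied by the post's exit(1) on failure) are assumptions to confirm against a known-good install.

```powershell
# Added example: scripted-condition sketch that pins on the signer instead of file hashes,
# so the rule keeps working when Teams updates itself.

# Update.exe is the file named in the post; Teams.exe under 'current' is an assumed path.
$teamsRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\Teams'
$files = @(
    (Join-Path $teamsRoot 'Update.exe'),
    (Join-Path $teamsRoot 'current\Teams.exe')
)

# Assumed expected values: read the real ones from a trusted copy of the files first.
$expectedSubject = 'O=Microsoft Corporation'
$expectedIssuer  = 'O=Microsoft Corporation'

function Test-TeamsSignature {
    param([string]$Path)

    # Fail closed: a missing file must not satisfy the condition.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the certificate is trusted.
    # Check this first: subject and issuer strings are meaningless on an unverified signature.
    if ($sig.Status -ne 'Valid') { return $false }

    $signer = $sig.SignerCertificate
    if ($null -eq $signer) { return $false }

    # Substring match on the distinguished names of the signer and its issuer.
    if ($signer.Subject -notlike "*$expectedSubject*") { return $false }
    if ($signer.Issuer  -notlike "*$expectedIssuer*")  { return $false }

    return $true
}

# Every listed file has to pass; one failure fails the whole condition.
foreach ($file in $files) {
    if (-not (Test-TeamsSignature -Path $file)) { exit 1 }
}
exit 0
```

Matching on the full issuer name or a pinned certificate thumbprint is stricter than the organisation substring used here, at the cost of a rule update whenever the signing certificate is renewed.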