By Leon Boehlee on Monday, November 22 2021
Category: Microsoft

Windows Defender Application control - Part 2

In part 1 of my blog, I explained step by step how to get started with application control in a simple way. In this part, I'm going to discuss how to use the Company Portal in Intune as a managed installer. The benefit is that you don't have to adjust the application control policies every time a new application is deployed. There is one limitation though: only .EXE files can be installed; .MSI files are not supported.

The managed installer works as follows. When an application (.EXE) is downloaded and/or installed from the Company Portal, the resulting files are tagged. The tag is stored using an NTFS feature called extended attributes. The managed installer is implemented as a mix of Microsoft AppLocker settings and Windows Defender Application Control.

Read more about the managed installer (.EXE only): Allow apps deployed with a WDAC managed installer (Windows)

Application: Microsoft Defender Application Control (WDAC)
Weblink: Microsoft Endpoint Manager admin center
Topic: Windows Defender Application Control - Intune

In this blog

After reading all the Microsoft documentation, I came across an article stating that it was possible to use managed installers. Unfortunately, the documentation is not very detailed and I had to rely on the Internet to figure it out myself. I even read on a blog that the managed installer only works in conjunction with SCCM. That is not the case, otherwise I would not be writing this blog.

  1. WDAC Policy - Configure Policy Template (Windows Defender Application Control Wizard)
  2. PowerShell Script - Managed installer (Local Machine PowerShell)
  3. Intune Configuration - Intune PowerShell (Upload PowerShell to Intune, Microsoft Endpoint Manager admin center)
  4. Windows Event Log - Application Control events (Local Machine)

Managed Installer with Intune

WDAC Policy - Disable Script Enforcement
Windows Defender Application control - App

Since Constrained Language Mode is so limited, the script I use to set everything up for the managed installer is blocked. The solution is simple: add these scripts (or better, the code signing authority that signed them) to your application control policy. This allows your approved scripts to run in Full Language Mode.

Below is the description from the Microsoft website.

This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to Constrained Language Mode. NOTE: This option is required to run HTA files, and is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results.

WDAC Policy - Managed installer
Windows Defender Application control - App

This option needs little explanation. Without turning this option on, the managed installer will not work.

Below is the description from the Microsoft website.

Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer.

Powershell Script - Managed installer
Local Machine PowerShell

The script is built from the following components.

  1. Line two contains a true/false switch. On False the whole script runs; on True it only checks whether the managed installer configuration is compliant.
  2. Lines 20 to 65 contain the AppLocker managed installer configuration policy.
  3. The two services that need to be started are on lines 146 and 147.

Information from the Microsoft Website: Allow apps deployed with a WDAC managed installer (Windows)
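The author's script is not reproduced on this page, so the following is an added example of my own (not the author's code) showing the same three components in a condensed form: a check-only switch, an AppLocker policy with a ManagedInstaller rule collection, and the service start-up. It assumes that the Intune Management Extension agent (Microsoft.Management.Services.IntuneWindowsAgent.exe) is the binary that installs Company Portal Win32 apps and that its publisher string below matches the signed file on your device; verify with Get-AppLockerFileInformation before deploying.

```powershell
# Added example, not the author's script. ASSUMPTION: the Intune Management Extension
# agent is the managed installer binary; confirm its publisher on a device with
# Get-AppLockerFileInformation before rolling this out.
param([bool]$CheckOnly = $false)   # $true: report only; $false: configure, then report

$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="RULE_ID" Name="Intune Management Extension as managed installer"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US"
            ProductName="*" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@

function Test-ManagedInstallerCompliance {
    # Read the effective (merged) AppLocker policy and look for a ManagedInstaller collection
    $effective = [xml](Get-AppLockerPolicy -Effective -Xml)
    $rule = $effective.AppLockerPolicy.RuleCollection |
        Where-Object { $_.Type -eq 'ManagedInstaller' -and $_.FilePublisherRule }
    $svc = Get-Service -Name appidsvc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ManagedInstallerRule = [bool]$rule
        AppIdSvcRunning      = [bool]($svc -and $svc.Status -eq 'Running')
        AppIdSvcAutoStart    = [bool]($svc -and $svc.StartType -eq 'Automatic')
    }
}

function Set-ManagedInstallerConfig {
    $path = Join-Path $env:TEMP 'ManagedInstaller.xml'
    ($policyXml -replace 'RULE_ID', [guid]::NewGuid().ToString()) | Set-Content -Path $path -Encoding UTF8
    # -Merge keeps the existing AppLocker rules; the cmdlet may complain about the
    # ManagedInstaller collection type on older builds, hence SilentlyContinue
    Set-AppLockerPolicy -XmlPolicy $path -Merge -ErrorAction SilentlyContinue
    # Application Identity must run and start automatically; it is a protected service,
    # so sc.exe rather than Set-Service is used to change its start type
    sc.exe config appidsvc start= auto | Out-Null
    appidtel.exe start | Out-Null
}

if (-not $CheckOnly) { Set-ManagedInstallerConfig }
Test-ManagedInstallerCompliance   # a full reboot is still required before the tagging takes effect
```

Run it as SYSTEM (which is how Intune executes scripts); the compliance object it returns is what a second run with -CheckOnly $true reports.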

Managed Installer with Intune - Create Policy

Intune Configuration - Intune PowerShell
PowerShell

Following the steps below, you can add this PowerShell script to Intune.

  1. Log in to Microsoft Endpoint Manager and create a new entry under "PowerShell scripts".
  2. Upload the PowerShell script and leave all other options on "No" (see the image if necessary).
  3. Important! Application control takes effect immediately once it is included in the policy. For the managed installer to work, a full reboot of the device is required after the script has been executed!

Information from the Microsoft Website: Allow apps deployed with a WDAC managed installer (Windows)

Windows Event Log - Application Control events
Events

I recommend activating the following event logs if you have not already done so. For the managed installer, event ID 3090 is of interest.

  1. reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100
  2. reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300

For all information about the logs, I refer you to Microsoft: Understanding Application Control event IDs (Windows)

See how it looks
