Version: 2.1.0

Test-MtIntuneManagedInstallerRules

SYNOPSIS

Ensure at least one Intune App Control for Business policy has Managed Installer enabled.

SYNTAX

Test-MtIntuneManagedInstallerRules [-ProgressAction <ActionPreference>] [<CommonParameters>]

DESCRIPTION

Checks Intune Endpoint Security Application Control policies (configurationPolicies API) for the "Trust apps from managed installer" setting.

When Managed Installer is enabled in an App Control for Business policy, applications deployed through Intune (or SCCM) are automatically trusted and allowed to run without needing explicit allow rules. This simplifies App Control deployment by ensuring IT-managed software isn't blocked.

Without Managed Installer:

  • Every application must have an explicit allow rule in the policy
  • LOB apps deployed via Intune may be blocked unexpectedly
  • Help desk tickets increase due to false positives

With Managed Installer:

  • Apps deployed through Intune are automatically whitelisted
  • Only user-installed or sideloaded apps are subject to policy restrictions
  • Reduces false positives while maintaining security

The test passes if at least one App Control policy is in enforce mode (audit mode disabled) AND has the "Trust apps from managed installer" setting enabled AND has an active control (built-in controls selected OR a non-empty uploaded XML payload). Managed Installer enabled on an audit-only policy, or on an enforce-mode upload policy with an empty XML payload, does not actively trust deployed apps because the underlying App Control policy is not blocking anything. This mirrors the active-control gate used by MT.1179.
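The pass condition described above, written out as an added example (not Maester's own code). The flattened property names AuditMode, TrustManagedInstaller, BuiltInControls and UploadedXml, and the function name, are hypothetical stand-ins for values read from the policy settings; the sample policies are constructed.

```powershell
# Added illustration. Property names are hypothetical, not Graph API fields.
function Test-ManagedInstallerGate {
    param([Parameter(Mandatory)][object[]]$Policy)

    foreach ($p in $Policy) {
        $reasons = @()

        # Gate 1: the policy must be enforcing (audit mode disabled).
        if ($p.AuditMode) { $reasons += 'audit mode only' }

        # Gate 2: "Trust apps from managed installer" must be enabled.
        if (-not $p.TrustManagedInstaller) { $reasons += 'managed installer not trusted' }

        # Gate 3: an active control, meaning built-in controls selected
        # OR a non-empty uploaded XML payload.
        $hasXml = -not [string]::IsNullOrEmpty($p.UploadedXml)
        if (-not ($p.BuiltInControls -or $hasXml)) { $reasons += 'no active control' }

        [pscustomobject]@{
            Name    = $p.Name
            Passes  = ($reasons.Count -eq 0)
            Reasons = $reasons -join '; '
        }
    }
}

# Constructed sample policies covering the failure modes named in the text.
$policies = @(
    [pscustomobject]@{ Name = 'Audit-BuiltIn-MI';  AuditMode = $true;  TrustManagedInstaller = $true;  BuiltInControls = $true;  UploadedXml = $null }
    [pscustomobject]@{ Name = 'Enforce-EmptyXml';  AuditMode = $false; TrustManagedInstaller = $true;  BuiltInControls = $false; UploadedXml = '' }
    [pscustomobject]@{ Name = 'Enforce-NoMI';      AuditMode = $false; TrustManagedInstaller = $false; BuiltInControls = $true;  UploadedXml = $null }
    [pscustomobject]@{ Name = 'Enforce-BuiltIn-MI'; AuditMode = $false; TrustManagedInstaller = $true; BuiltInControls = $true;  UploadedXml = $null }
)

$results = Test-ManagedInstallerGate -Policy $policies
$results | Format-Table -AutoSize

# Overall result: one fully qualifying policy is enough.
@($results | Where-Object Passes).Count -ge 1
```

The Reasons column shows why a policy with Managed Installer enabled can still fail to count: it is audit-only, or it is an enforce-mode upload policy with nothing uploaded.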

EXAMPLES

EXAMPLE 1

Test-MtIntuneManagedInstallerRules

Returns true if at least one enforcing App Control policy has Managed Installer enabled and an active control.

PARAMETERS

-ProgressAction

Determines how PowerShell responds to progress updates generated by the cmdlet, such as the progress bars produced by Write-Progress.

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

System.Boolean

NOTES

https://maester.dev/docs/commands/Test-MtIntuneManagedInstallerRules