Test-MtIntuneAppControl
SYNOPSIS
Ensure at least one Intune App Control for Business policy is configured.
SYNTAX
Test-MtIntuneAppControl [-ProgressAction <ActionPreference>] [<CommonParameters>]
DESCRIPTION
Checks Intune Endpoint Security Application Control policies (configurationPolicies API) for App Control for Business (formerly WDAC) configurations.
App Control for Business restricts which applications and drivers are allowed to run on Windows devices, using code integrity policies to block untrusted executables. This is one of the most effective defenses against malware, ransomware, and unauthorized software.
Key settings evaluated:
- BuildOptions: Whether built-in controls are selected or a custom XML policy is uploaded
- PolicyXml: For uploaded policies, whether an XML policy payload is actually present
- AuditMode: Whether the policy is in audit mode (logging only) or enforce mode
- TrustAppsFromManagedInstaller: Whether apps deployed via Intune/SCCM are automatically trusted
- TrustAppsWithGoodReputation: Whether ISG (Intelligent Security Graph) reputation is used
Pass criteria: The test passes if at least one App Control for Business policy is enforcing (not audit-only) AND has either built-in controls selected or an uploaded XML policy with a non-empty payload.
Audit-only policies and upload-mode policies with no XML payload are reported but do not satisfy the pass criterion, because they do not block untrusted executables.
EXAMPLES
EXAMPLE 1
Test-MtIntuneAppControl
Returns true if at least one App Control for Business policy is configured in enforce mode.
PARAMETERS
-ProgressAction
{{ Fill ProgressAction Description }}
Type: ActionPreference
Parameter Sets: (All)
Aliases: proga
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.