Version: 2.1.1-preview

MT.1180 - Ensure Managed Installer Rules are configured correctly

Overview

Ensure at least one Intune App Control for Business policy has Managed Installer enabled.

When Managed Installer is enabled in an App Control for Business policy, applications deployed through Intune (or Configuration Manager/SCCM) are trusted and allowed to run without an explicit allow rule for each binary in the code integrity policy. This removes most of the rule-maintenance burden that otherwise makes App Control deployments hard to sustain in enterprise environments.

Without Managed Installer:

  • Every application must have an explicit allow rule in the App Control policy
  • Line-of-business (LOB) apps deployed via Intune may be blocked unexpectedly
  • Help desk tickets increase due to false positives from legitimate software being blocked
  • IT teams must maintain complex allow lists that change with every app update

With Managed Installer:

  • Apps deployed through Intune are tagged as trusted at install time, so no per-app allow rule is needed
  • Apps the user installs, sideloads, or downloads from the internet are not tagged and remain subject to the policy's allow rules
  • Reduces false positives while still blocking unauthorized software
  • Simplifies ongoing policy maintenance

The test passes if at least one App Control for Business policy is in Enforce mode (audit mode disabled) AND has Trust apps from managed installer enabled AND has an active control (built-in controls selected, OR a non-empty uploaded XML payload). Managed Installer on an audit-only policy, or on an enforce-mode upload policy whose XML payload is empty, does not actively trust deployed apps, because the underlying App Control policy is not blocking anything in the first place. This mirrors the active-control gate used by MT.1179.
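The three-part gate above, written out as a standalone PowerShell check. This is an added example, not Maester's Test-MtIntuneManagedInstallerRules and not a Graph API call: the policy objects and their property names (AuditOnly, TrustManagedInstaller, BuiltInControls, XmlPayload) are constructed for the illustration and are assumptions, so map them to whatever your policy export actually contains before reusing the function. It returns a per-policy verdict with the reason a policy does not satisfy the gate, which is the part you want when the test fails and you have several policies to look through.

```powershell
# Added example (not Maester's own code). Property names on the policy
# objects are assumptions for this illustration, not Graph/Maester fields.

function Test-ManagedInstallerGate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [object[]] $Policies
    )

    $findings = foreach ($p in $Policies) {
        $enforce       = -not [bool]$p.AuditOnly
        $mi            = [bool]$p.TrustManagedInstaller
        # Active control: built-in controls selected, or a non-empty XML upload.
        $activeControl = [bool]$p.BuiltInControls -or
                         (-not [string]::IsNullOrWhiteSpace($p.XmlPayload))

        $reasons = @()
        if (-not $enforce)       { $reasons += 'audit-only (not enforcing)' }
        if (-not $mi)            { $reasons += 'managed installer not trusted' }
        if (-not $activeControl) { $reasons += 'no active control (no built-in controls, empty XML)' }

        [pscustomobject]@{
            Policy = $p.Name
            Passes = ($reasons.Count -eq 0)
            Reason = if ($reasons.Count) { $reasons -join '; ' } else { 'ok' }
        }
    }

    [pscustomobject]@{
        # MT.1180 passes if any single policy satisfies all three conditions.
        TestPassed = [bool]($findings | Where-Object Passes)
        Findings   = $findings
    }
}

# Constructed sample policies covering the edge cases in the text above.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'AppControl-Audit';   AuditOnly = $true;  TrustManagedInstaller = $true;  BuiltInControls = $true;  XmlPayload = $null }
    [pscustomobject]@{ Name = 'AppControl-Upload';  AuditOnly = $false; TrustManagedInstaller = $true;  BuiltInControls = $false; XmlPayload = '   ' }
    [pscustomobject]@{ Name = 'AppControl-NoMI';    AuditOnly = $false; TrustManagedInstaller = $false; BuiltInControls = $true;  XmlPayload = $null }
    [pscustomobject]@{ Name = 'AppControl-Enforce'; AuditOnly = $false; TrustManagedInstaller = $true;  BuiltInControls = $true;  XmlPayload = $null }
)

$result = Test-ManagedInstallerGate -Policies $samplePolicies
$result.Findings | Format-Table -AutoSize
"MT.1180 passes: $($result.TestPassed)"
```

Only the last sample policy satisfies the gate; the first three show, in order, the audit-only trap, the empty-XML-upload trap, and a policy that enforces but never enabled Managed Installer. Remove the last entry from the sample set to see the overall verdict flip to false.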

Remediation action:

  1. Navigate to Microsoft Intune admin center.
  2. Go to Endpoint security > Application control.
  3. Edit an existing App Control for Business policy (or create a new one).
  4. Under App Control for Business:
    • Set Trust apps from managed installer to Enabled.
    • Ensure the policy provides an active control by selecting Built-in controls (recommended) or, if you upload a custom XML policy, that the XML payload is not empty.
  5. Under Audit only, set the toggle to Disabled (or omit the setting) so the policy runs in Enforce mode. Managed Installer on an audit-only policy does not actively trust deployed apps.
  6. Save and assign the policy to your device groups.

Note: Managed Installer works by designating the Intune Management Extension (IME) process as a managed installer. Files that process writes to disk are tagged with an origin claim (stored as an NTFS extended attribute), and the App Control policy then allows any file carrying that tag. The mechanism is transparent to end users.
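To confirm on a device that an Intune-deployed binary actually received the managed installer tag, you can inspect the file's extended attributes. This is an added example and not part of the Maester project; it assumes a Windows host, an elevated shell, and that the origin-claim EA is named $KERNEL.SMARTLOCKER.ORIGINCLAIM as described in Microsoft's managed installer guidance. Treat that exact name as an assumption to verify against current documentation before relying on the check.

```powershell
# Added example (not Maester's own code). Assumes Windows, an elevated shell,
# and the EA name used by Microsoft's managed installer documentation.

function Test-ManagedInstallerTag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path,

        # Assumption: name of the origin-claim EA written for managed-installer files.
        [string] $EaName = '$KERNEL.SMARTLOCKER.ORIGINCLAIM'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # fsutil prints each EA as a block containing "Ea Name : <name>".
    $output = & fsutil.exe file queryEA $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fsutil failed (run elevated?): $($output -join ' ')"
    }

    $tagged = [bool]($output | Where-Object { $_ -match [regex]::Escape($EaName) })

    [pscustomobject]@{
        Path   = $Path
        Tagged = $tagged
        # Keep the raw EA names for diagnosis when the tag is missing.
        EaNames = @($output | Where-Object { $_ -match 'Ea Name\s*:\s*(.+)$' } |
                     ForEach-Object { $Matches[1].Trim() })
    }
}

# Compare a binary that IME installed with one the user downloaded by hand
# (paths are placeholders for the illustration).
Test-ManagedInstallerTag -Path 'C:\Program Files\Contoso\LobApp\lobapp.exe'
Test-ManagedInstallerTag -Path "$env:USERPROFILE\Downloads\setup.exe"
```

A file with Tagged = $false that you expected to be trusted usually means it was written by a process other than IME (a user-launched installer, an extraction step the app performed itself after install), which is exactly the case the policy is meant to leave subject to its normal allow rules.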

Test Metadata

Field              Value
Test ID            MT.1180
Severity           Medium
Suite              Maester
Category           Intune
PowerShell test    Test-MtIntuneManagedInstallerRules
Tags               Intune, Maester, MT.1180

Source

  • Pester test: tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1
  • PowerShell source: powershell/public/maester/intune/Test-MtIntuneManagedInstallerRules.ps1