Email: helpdesk@telkomuniversity.ac.id

This Portal for internal use only!

All Categories

All Categories

Search

0 Wishlist

Cart

Categories
More Categories Less Categories

iconTicket Service Desk

All Categories

All Categories

Search

0 Wishlist

Cart

Menu
Home/Microsoft/Troubleshooting managed installer deployments in Microsoft Intune

Troubleshooting managed installer deployments in Microsoft Intune

/ 2024-08-06
Troubleshooting managed installer deployments in Microsoft Intune
Microsoft

By: Luke Ramsdale – Sr. Customer Escalation Engineer | Microsoft Intune

 

In Microsoft Intune, admins can deploy application control policies to Windows devices to help prevent unauthorized applications from running. They deploy these policies using the Windows ApplicationControl CSP, however, to deploy Win32 apps via Intune after deploying these policies, you need to add the Intune management extension as a managed installer. Once you configure the Intune management extension as a managed installer, the apps that are subsequently deployed via Intune are tagged by the installer and identified as safe applications.

 

Note: Enabling the Intune management extension for managed installer is an Intune tenant-wide configuration, so it targets all Windows devices at once.

 

For more information on using application control policies and configuring Intune management extension as a managed installer review:

Manage approved apps for Windows devices with App Control for Business policy and Managed Installers in Intune.

Monitoring the configuration of managed installer

Once you configure the Intune management extension, you can track the progress of the configuration using the App Control for Business blade by navigating to the Microsoft Intune admin center > Endpoint security > App Control for Business (Preview) > Managed installer. The overview shows the success and error state.

 

A screenshot of the Managed installer overview in the Microsoft Intune admin center.

 

You can then drill in further by clicking on the managed installer policy where you can see an overview of the deployment.

 

Overview of the Managed installer – Intune management extension configuration in the Microsoft Intune admin center.

 

A detailed view of the deployment status is available in Device status which shows the success and failure for each individual device. You can add an additional column “Last run message” to get a detailed description of the error on the client side.

 

A screenshot of adding additional columns to the Managed installer policy Device status page.

 

The last run message will contain the reason enabling the Intune management extension has failed to be enabled as a managed installer and will mirror what is logged in the AgentExecutor.log on the device.

 

Troubleshooting failures enabling Intune Mangement Extension as managed installer

The mechanism used to enable the Intune management extension as a managed installer is a detection and remediation PowerShell script that leverages the Get-AppLockerPolicy and Set-AppLockerPolicy cmdlets.

 

The Intune management extension executes these PowerShell scripts, and you can be track them using the Agentexecutor.log located in C:ProgramDataMicrosoftIntuneManagementExtensionLogs. You can remotely collect the Intune management extension logs via the device action “Collect diagnostics” in the Microsoft Intune admin center.

 

 

The AgentExecutor will first run the detection script, detect.ps1. If the Intune management extension needs to be configured as a managed installer, it will then run the SET remediation script remediation.ps1 and subsequently confirm this has worked by running the detection script again. So, a GET, SET, GET leveraging the PowerShell cmdlets mentioned above.

 

Detection (first GET)

All Intune tenants will use the same policy id for the detection and remediation script, d78c1822-e082-491a-b3a7-4a701836481e. The detection process will attempt to do the following once a day:

It will call the Get-AppLockerPolicy -Effective -Xml PowerShell cmdlet to get the current policy.
Search for the <RuleCollection Type=”ManagedInstaller” EnforcementMode=”AuditOnly”> XML node.
If this XML node is found, then it will attempt to match the publisher, file and version of the current policy with the embedded XML in the script.

You can see the detection process in the AgentExector.log:

A screenshot of the detection process in the AgentExecutor.log.

Here, you can see the detect.ps1 running and returning an exit code of 1 highlighted in yellow. The write output text, highlighted in red, is where the error message is written to.

 

In this example we can see the Intune management extension is not set as managed installer which is expected if the device has just been enrolled or the managed installer feature has just been enabled:

 

Info detect.ps1 VerifyCompliance returned False
Info detect.ps1 Check if the registry value is there and remove it if it is there
Info detect.ps1 Intune management extension is not set as a managed installer
Intune management extension is NOT set as the managed installer.

 

 

You can manually test the detection process by running the following PowerShell command on a device:

 

Get-AppLockerPolicy -Effective -Xml

 

 

This will return the XML that is effective on the device and you can inspect it to see if this includes the Intune management agent.

 

Remediation (SET)

The Agent Executor will now attempt to remediate the device and set the Intune management extension as managed installer.

 

During remediation, the script will:

Attempt to start all the relevant services.
Call the Set-AppLockerPolicy -Merge PowerShell cmdlet.
The script will then wait for 5 minutes for the C:WindowsSystem32AppLockerManagedInstaller.AppLocker file to be created or updated.

 

 

In this example the remediation.ps1 exits with code 1 (highlighted in yellow), and the reason is contained in the write output (highlighted in red).

 

The remediate script will attempt to set the AppLocker policy for Intune management extension and merge with any existing policies on the device, there’s a 5-minute timeout window for this operation to complete, during which the script will attempt to set the policy 16 times.

 

Here’s a snippet from the output:

 

remediate.ps1 Calling MergeAppLockerPolicy
MergeAppLockerPolicy Merging and setting AppLocker policy
MergeAppLockerPolicy Trying to set app locker policy
remediate.ps1 Calling WaitForPolicyUpdate
WaitForPolicyUpdate Waiting for policy to be updated
WaitForPolicyUpdate Waiting a maximum of 300 seconds for the policy to be updated
Error MergeAppLockerPolicy Failed 1
At C:WindowsIMECacheHealthScriptsd78c1822-e082-491a-b3a7-4a701836481e_8remediate.ps1:108 char:13
+ LogLine -functionName $MyInvocation.MyCommand -logLine “F …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,LogLine

MergeAppLockerPolicy The local policy cannot be obtained. Reason: Error HRESULT
E_FAIL has been returned from a call to a COM component.

 

 

In this case, there has been an issue running the Set-ApplockerPolicy -XMLPolicy. To try and isolate this issue further, try running the Set-AppLockerPolicy cmdlet within PowerShell manually. To do this, follow these steps:

 

On the device download psexec from: PsExec – Sysinternals

Run the following command to launch PowerShell in the system context from the command line:

psexec -i -d -s C:WindowsSystem32WindowsPowerShellv1.0powershell.exe

Type: whoami to confirm the user is system

Run the following PowerShell cmdlet to backup the existing policy:

Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath “c:applocker_policy.xml”

Create a text file and paste in the following:

<AppLockerPolicy Version=”1″ />

Rename the text file to policy.xml and save this on the local drive

Run the following Powershell cmdlet

Set-AppLockerPolicy -XMLPolicy “C:policy.xml”

 

Note: This will delete the existing AppLocker policy as described in the following article. If the managed installer is not disabled in the Intune admin center the script will attempt to run again 24 hours later.

If Step 7 fails using the basic XML file, then it is likely that there are some permissions issues which can be investigated further using procmon.
If Step 7 works without any issue, then it is likely that there’s a problem with merging with the existing AppLocker policy, try running Step 7 again but use the applocker_policy.xml created in Step 4 to see if there’s an error related to the XML formatting.

 

Support for managed installer in Hybrid scenarios

When deploying managed installer for Microsoft Entra hybrid joined devices, please consider the following limitations:

The Set-ApplockerPolicy cmdlet used in the remediation.ps1 has a dependency on group policy updating on domain joined devices, if the device is not connected to the domain or if there are delays when updating group policy then this could cause this cmdlet to fail, and managed installer will not be enabled for the Intune management extension.


The group policy update dependency for enabling the Intune management extension as a managed installer impacts Windows Autopilot deployments for Entra hybrid joined devices in the following scenarios:

If you use a Win32 application to configure a VPN during Autopilot for Entra hybrid joined devices and have enabled Intune management extension as a managed installer then the VPN application will never be installed, it won’t have connectivity to the domain which will prevent the Intune management extension from being enabled as a managed installer. The Win32 app will fail to install because it’s not tagged as safe, and the Intune management extension won’t be enabled as a managed installer because there’s no domain connectivity.

Simply, without the domain connectivity the remediation script will fail and without Intune management extension being enabled as a managed installer the VPN application will never install.

If the device has line of sight to a domain controller during Autopilot and there are delays updating group policy, then this can also prevent the Set-AppLockerPolicy from completing and cause the configuration of the Intune management extension as a managed installer to fail. This will cause any Win32 applications to fail that are deployed during the Autopilot Enrollment Status Page (ESP) phases.

This is documented in: “What considerations should I have for Entra Hybrid Join (HAADJ) devices within my organization that want to use Managed Installer?

 

If you’re using or wanting to use application control policies and encounter any issues with configuring Intune management extension as a managed installer, hopefully the troubleshooting steps and guidance in this post helps you diagnose and resolve them quickly.

 

If you have a question or feedback, leave a comment below or reach out on X @IntuneSuppTeam.

​Microsoft Tech Community – Latest Blogs –Read More 

Tags:

Related posts

Microsoft introduces new adapted AI models for industry
2024-11-13

Microsoft introduces new adapted AI models for industry

IDC’s 2024 AI opportunity study: Top five AI trends to watch
2024-11-13

IDC’s 2024 AI opportunity study: Top five AI trends to watch

How real-world businesses are transforming with AI
2024-11-13

How real-world businesses are transforming with AI

Leave a Reply

Your email address will not be published. Required fields are marked *

Adobe
Google for Education
IBM
Matlab
Microsoft
Wordpress
Visual Paradigm
Opensource

Portal Application Package Repository Telkom University, for internal use only, empower civitas academica in study and research.

Information

Contact Us

Copyright © Telkom University. All Rights Reserved. ch