How to Configure App Control for Business in Intune for Secure Application Management

Configuring App Control for Business in Microsoft Intune

App Control for Business (ACfB) in Intune lets you define and enforce which applications can run on your managed Windows devices. You create allow-lists based on digital signatures, file hashes, reputation, or managed installers. ACfB integrates with Intune’s Endpoint Security and uses the Windows ApplicationControl CSP to block unauthorized software.

Planning Your Policy Strategy

  1. Inventory your apps. Identify common applications and dependencies to include in your “circle of trust.”
  2. Start in audit mode. Deploy your initial policy without enforcement to gather block-event data without disrupting users.
  3. Review and refine. Monitor the audit logs and adjust rules to clear false positives and add any missing allow entries.
  4. Roll out in stages. Once refined, switch to enforced mode and deploy to pilot groups before broad deployment.

Store your XML policy documents in a central, version-controlled repository for ongoing maintenance.

Base vs. Supplemental Policies

  • Base Policy
    • One per device.
    • Defines core allow/block rules globally.
  • Supplemental Policy
    • Multiple per device.
    • Adds allow rules to address department- or user-specific needs.

Use supplemental policies to grant exceptions without altering the global base policy.

Prerequisites

  • Licenses: Microsoft 365 E3/E5 or equivalent, Microsoft Defender for Endpoint, Intune subscription.
  • OS: Windows 10/11 (Pro, Enterprise, Education).
  • Enrollment: Devices must be Azure AD (or Hybrid) joined and enrolled in Intune.
  • Network: Internet access to *.manage.microsoft.com and related Intune endpoints.
  • Permissions: Intune Administrator role for policy creation; ACfB permissions (Create, Read, Assign, Update, Delete, View Reports).

Step 1: Create a Managed Installer Policy

Mark the Intune Management Extension as a trusted installer so apps you deploy through Intune are automatically allowed.

  1. In the Intune admin center, go to Endpoint security > App Control for Business > Managed installer.
  2. Click Create.
  3. On Basics, name the profile (e.g., “Managed Installer – Intune”).
  4. On Settings, enable Intune Management Extension as Managed Installer.
  5. Assign to device groups and scope tags as needed.
  6. Click Review + create, then Save.

Sync & Monitor

  • Trigger a device sync in the Company Portal or via remote action.
  • In the Managed installer tab, view deployment status; expect up to 30 minutes for delivery.

Step 2: Create the App Control for Business Policy

Your base policy defines which apps are allowed or blocked.

  1. In Intune, navigate to Endpoint security > App Control for Business > Policies, then click Create.
  2. On Basics, name the policy (e.g., “ACfB Base Policy”).
  3. On Configuration settings, choose Built-in controls for a guided configuration, or Enter XML data to supply your own custom policy XML.
    • Audit mode: Enabled by default, so blocks are logged but not enforced.
    • Trust apps from managed installer: Allow apps deployed by the managed installer configured in Step 1.
    • Trust apps with good reputation: Allow apps that Microsoft’s Intelligent Security Graph (ISG) reports as reputable.
  4. Assign scope tags and device groups.
  5. Click Review + create, then Save.

Sync & Monitor

  • Sync devices as before.
  • In the Policies tab, select your base policy and click View report to see compliance status and audit logs.

Step 3: Refine with Supplemental Policies

  1. Create new policies under Policies and choose Supplemental Policy.
  2. Define additional allow rules for specific departments or line-of-business apps.
  3. Assign only to targeted device groups.

Supplemental policies layer on top of your base policy without modifying it.
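The planning steps above (audit first, then enforce), the built-in controls in Step 2 and the supplemental policy in Step 3 all correspond to settings in the policy XML itself. The following PowerShell is an added example, not code from the original article or from Microsoft; it uses the ConfigCI module that ships with Windows 10/11 to build a base policy in audit mode, map the Intune built-in controls to their rule options, and bind a department-specific supplemental policy to that base. The repository paths under C:\ACfB, the policy names and the ContosoLOB scan folder are assumptions; the template file names are the ones Windows ships in its ExamplePolicies folder.

```powershell
# Added example (not the article's own code). Requires an elevated PowerShell on a
# Windows 10/11 device with the ConfigCI module (present by default).
Import-Module ConfigCI

# --- Base policy ---------------------------------------------------------------
# Start from a Microsoft-shipped template; DefaultWindows_Audit.xml lives in
# C:\Windows\schemas\CodeIntegrity\ExamplePolicies on supported Windows versions.
$Template  = "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$PolicyXml = "C:\ACfB\ACfB-Base-Policy.xml"   # assumed path in your version-controlled repo
$PolicyBin = "C:\ACfB\ACfB-Base-Policy.cip"

New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null
Copy-Item -Path $Template -Destination $PolicyXml -Force

# Convert to multiple-policy format with fresh GUIDs so supplemental policies can
# reference it, and give it a readable name for reports and event logs.
Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName "ACfB Base Policy"

# Rule options map to the built-in controls shown in the Intune UI:
#   3  = Enabled:Audit Mode                                ("Audit mode")
#   13 = Enabled:Managed Installer                         ("Trust apps from managed installer")
#   14 = Enabled:Intelligent Security Graph Authorization  ("Trust apps with good reputation")
#   16 = Enabled:Update Policy No Reboot
foreach ($opt in 3, 13, 14, 16) {
    Set-RuleOption -FilePath $PolicyXml -Option $opt
}

# The XML is what you paste into "Enter XML data"; the .cip binary is what the
# ApplicationControl CSP ultimately applies, and is handy for local testing.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# --- Supplemental policy for one department -------------------------------------
# Scan a line-of-business install folder (constructed path) and emit publisher
# rules, falling back to file hashes for unsigned binaries. User-mode PEs are
# included because App Control otherwise scans kernel-mode files only.
$SuppXml = "C:\ACfB\ACfB-Finance-Supplemental.xml"   # assumed path
$SuppBin = "C:\ACfB\ACfB-Finance-Supplemental.cip"

New-CIPolicy -FilePath $SuppXml `
             -ScanPath "C:\Program Files\ContosoLOB" `
             -Level Publisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat

# Bind the supplemental policy to the base so it extends the base's allow rules
# instead of competing with it; the BasePolicyID is copied from the base XML.
Set-CIPolicyIdInfo -FilePath $SuppXml -BasePolicyToSupplement $PolicyXml
Set-CIPolicyIdInfo -FilePath $SuppXml -PolicyName "ACfB Finance Supplemental"
ConvertFrom-CIPolicy -XmlFilePath $SuppXml -BinaryFilePath $SuppBin

# --- Moving from audit to enforcement -------------------------------------------
# Once the audit events have been reviewed, remove option 3 from the base policy
# (rather than hand-editing the XML) and rebuild; commit both files to the repo.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Keeping the audit/enforce switch as a single rule option toggle means the enforced policy is byte-for-byte the audited one apart from option 3, which is the property the staged rollout in the planning section relies on.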

End-User Experience

When enforcement is enabled, users attempting to run blocked apps see a notification:

“Your organization used App Control for Business to block this app.”

Administrators can verify policy application by checking the active policy files under:
C:\Windows\System32\CodeIntegrity\CiPolicies\Active

Troubleshooting

  • Check Event Viewer under Applications and Services Logs > Microsoft > Windows > CodeIntegrity > Operational for enforcement events (Event 3077) and policy load events (Event 3089).
  • Review AppLocker logs under Microsoft > Windows > AppLocker > MSI and Script for script and installer blocks.
  • If valid apps are blocked, update your policy in audit mode and redeploy.
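The checks above (the active policy folder, the CodeIntegrity Operational log and the AppLocker script/MSI log) can be gathered from a device in one pass. The script below is an added example, not part of the original article: it lists the active policy files, queries the event channels named above, and tabulates block and audit events. Event IDs 3077 and 3089 are the ones the article cites; 3076 (the audit-mode "would have been blocked" event) is added here as a known Code Integrity event. The EventData field names (FileNameBuffer, ProcessNameBuffer, PolicyNameBuffer) are as observed on recent Windows builds and should be confirmed against the XML view in Event Viewer; CiTool is assumed to be present only on Windows 11 22H2 and later.

```powershell
# Added example (not the article's own code). Run elevated on the managed device.

# 1. Which policies are actually present on this device?
$ActiveDir = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active"
Get-ChildItem -Path $ActiveDir -Filter *.cip -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# CiTool (Windows 11 22H2+) additionally reports each policy's ID, friendly name
# and whether it is enforced or in audit mode.
if (Get-Command citool.exe -ErrorAction SilentlyContinue) {
    citool.exe --list-policies
}

# 2. Code Integrity events from the last 24 hours.
#    3077 = blocked (enforced), 3076 = would-have-blocked (audit),
#    3089 = signature information correlated with the 3076/3077 event.
$Since = (Get-Date).AddHours(-24)
$CiEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077, 3089
    StartTime = $Since
} -ErrorAction SilentlyContinue

$CiEvents | Where-Object Id -in 3076, 3077 | ForEach-Object {
    # Parse the XML view so fields are read by name rather than by position.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Mode       = if ($_.Id -eq 3077) { 'Blocked' } else { 'Audit' }
        File       = $data['FileNameBuffer']      # assumed field name, verify locally
        Process    = $data['ProcessNameBuffer']   # assumed field name, verify locally
        PolicyName = $data['PolicyNameBuffer']    # assumed field name, verify locally
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Script and MSI decisions are written to the AppLocker channel, not CodeIntegrity.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/MSI and Script'
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A burst of 3076 events for the same File and PolicyName during the audit phase is the signal to add an allow rule (normally in a supplemental policy) before switching the base policy to enforcement; the same file appearing as 3077 after rollout means the rule did not reach the device or did not match.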

By following this process—planning, auditing, refining, and enforcing—you can ensure only trusted applications run on your Windows devices, enhancing security and compliance across your organization.
