Fixing Intune Hybrid Deployment: User Locked Out of Apps with “Blocked by System Administrator”


Troubleshooting Intune Hybrid Deployment: Why a Single User Is Locked Out of Apps

Migrating from on-premises management to a Hybrid Intune deployment can be complex. Most users transition smoothly, but occasionally one or two devices or accounts run into issues.

A common example: ten users are successfully enrolled and running with Intune, but one user suddenly finds they can’t open any non-Microsoft apps or even access the Company Portal. Instead, they see this error:

“This app has been blocked by your system administrator.”

This blog explains the likely cause, how to investigate, and the steps to fix it.


The Scenario

  • Environment: Company moving from on-premises management to Hybrid Intune.
  • Deployment method: Windows Autopilot.
  • Users affected: One user out of ten.
  • Device compliance: Verified and compliant with all Intune policies.
  • Symptoms: Non-Microsoft apps and Company Portal are blocked.

Since all other users with the same policies and group memberships work fine, this suggests the problem is policy-specific or environment-specific rather than a global configuration error.


Why This Happens

The key suspect here is AppLocker, a Windows feature often managed via Group Policy or Intune.

1. AppLocker GPOs in Hybrid Environments

In a hybrid setup, on-premises Group Policy Objects (GPOs) may still apply alongside Intune policies. If an AppLocker rule is configured on-premises and not migrated or updated in Intune, it could be restricting access for certain users.

Even if all users are in the same groups, subtle differences (like GPO scope or timing of policy application) can cause inconsistent results.

2. App Path Rules and Install Locations

AppLocker rules typically define which folders or file paths are allowed.

  • Apps installed in Program Files are usually permitted.
  • Apps installed in user profile folders (e.g., C:\Users\username\AppData\Local) may be blocked unless explicitly whitelisted.

If Autopilot installed apps differently for this user, AppLocker might see them as untrusted.

3. Local Group Membership Differences

If the user is missing a local group membership (e.g., Users, Administrators, Device Owners), they may not meet the conditions that AppLocker checks against.


How to Investigate

Step 1: Check Applied Policies

Run this on the affected device:

gpresult /h report.html

Open the report and compare the applied policies between the affected user and a working user. Look for AppLocker policies in particular.

Step 2: Review AppLocker Event Logs

Go to Event Viewer on the affected device:

Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL

Look for:

  • Event ID 8003 – Blocked app.
  • Event ID 8004 – Allowed app.

This will tell you exactly which apps and paths are being blocked.

Step 3: Compare Local Groups

Run:

net localgroup

Check if the affected user has the same local group memberships as other users (e.g., Administrators, Users, Device Owners).

Step 4: Test with a Temporary Policy

If AppLocker is the confirmed culprit, create a temporary Intune AppLocker policy that:

  • Expands allowed paths.
  • Disables blocking enforcement (Audit-only mode).

Assign it only to the affected device/user for validation.
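The event-log and local-group checks from Steps 2 and 3, combined into one added PowerShell triage script that is not part of the original post. It assumes it runs elevated on the affected device, that $AffectedUser holds the affected account (placeholder value), and it labels events using the documented AppLocker EXE and DLL log IDs (8002 allowed, 8003 allowed only because the policy is in audit mode, 8004 blocked).

```powershell
# Added triage script (not from the original post). Run elevated on the affected device.
param(
    [string]$AffectedUser = 'CONTOSO\jdoe',   # placeholder: replace with the real account
    [int]$MaxEvents = 500
)

# Documented "EXE and DLL" event IDs: 8002 allowed, 8003 allowed in audit mode
# (would have been blocked under enforcement), 8004 blocked.
$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$Meaning = @{ 8002 = 'Allowed'; 8003 = 'Audit-only (would block)'; 8004 = 'Blocked' }

# AppLocker records TargetUser as a SID, so resolve the account first.
$Sid = (New-Object System.Security.Principal.NTAccount($AffectedUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Pull the decision events and unpack the UserData fields from the event XML.
$Events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8002, 8003, 8004 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Outcome  = $Meaning[$_.Id]
            User     = $d.TargetUser
            FilePath = $d.FilePath
            Rule     = $d.RuleName
        }
    }

# Keep only this user's decisions and flag executables that live under a user
# profile (the install-location mismatch the post describes) instead of Program Files.
$Events | Where-Object { $_.User -eq $Sid } | ForEach-Object {
    $_ | Add-Member -NotePropertyName InProfile `
                    -NotePropertyValue ($_.FilePath -match '^%OSDRIVE%\\USERS\\') -PassThru
} | Sort-Object Time -Descending |
    Format-Table Time, Outcome, InProfile, FilePath, Rule -AutoSize

# Step 3 of the post: which local groups actually contain this user?
Get-LocalGroup | ForEach-Object {
    $g = $_
    Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq $Sid } |
        ForEach-Object { "$($g.Name) contains $AffectedUser" }
}
```

Run the same script on a working device for a second user and diff the two outputs; a Blocked row with InProfile = True points at the AppData path problem rather than at group membership.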

How to Fix the Problem

  1. Update AppLocker Rules
    • Allow apps installed under Program Files and WindowsApps.
    • Add explicit rules for apps that install under AppData.
  2. Standardize App Install Locations
    • Configure Autopilot and Intune deployments so apps install in the same location for all users.
  3. Phase Out Legacy GPOs
    • Migrate AppLocker settings from GPO to Intune where possible.
    • Disable conflicting on-premises policies to avoid hybrid overlap.
  4. Use Audit Mode First
    • Switch AppLocker policies to Audit mode before full enforcement.
    • This prevents lockouts while still logging blocked activity.

Final Thoughts

This issue isn’t a device compliance problem — it’s almost always AppLocker blocking executables based on how policies and paths are applied.

By:

  • Reviewing event logs,
  • Comparing policy results,
  • Checking local group memberships, and
  • Adjusting AppLocker rules,

you can resolve the issue and ensure consistency across all hybrid Intune users.

