🧩 Fixing “Your Administrator Has Blocked This App” After Applying Intune Defender Baselines
Many IT admins deploy Microsoft Defender policies through Intune Security Baselines to improve endpoint protection. However, some users then report being unable to install or run local software, seeing this frustrating message:
“Your administrator has blocked this app because it might harm your device.”
Even after adjusting SmartScreen or Defender settings, the issue often remains. So what’s really happening? Let’s break it down.
🔍 Understanding What’s Going On
This issue isn’t always caused by Microsoft Defender SmartScreen or Attack Surface Reduction (ASR) rules. In many cases, the real culprit is AppLocker, a Windows feature that controls which applications users can run.
When you apply Intune Security Baselines, AppLocker rules can arrive as part of the package without being called out separately. Those rules can silently block executables, installers and scripts, especially files downloaded from the internet or launched from user-writable directories such as Downloads or Desktop, which most AppLocker rule sets deliberately do not allow.
So even with SmartScreen turned off, AppLocker may still stop users from launching local installers or unsigned executables. The way to tell the two apart is the event log: SmartScreen and AppLocker write to different channels.
🧠 How to Confirm It’s AppLocker
If you suspect AppLocker is behind the problem, here’s how to check:
- On an affected computer, open Event Viewer.
- Navigate to:
Applications and Services Logs → Microsoft → Windows → AppLocker → EXE and DLL
- Look for Event ID 8004 (file blocked, enforce mode) or 8003 (audit mode: the file would have been blocked but was allowed to run). Installers, scripts and Store apps are logged in the sibling channels MSI and Script (8006 audit, 8007 blocked) and Packaged app-Execution (8021 audit, 8022 blocked).
These events mean AppLocker evaluated the file against the policy. The entry includes the full file path (written with AppLocker path variables such as %OSDRIVE%), the rule collection (EXE, DLL, MSI, SCRIPT or APPX), the name of the rule that matched (if any), and the publisher string for signed files.
If you see repeated 8004 entries for common software or installers under user profiles, that's your confirmation: the AppLocker policy from your Intune baseline is doing the blocking. If you only see 8003 entries, that collection is still in audit mode and the block is coming from somewhere else (SmartScreen, an ASR rule, or App Control for Business).
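The check above, as an added example (not code from the original post): it pulls audit and block events from all three AppLocker channels on an affected device, reads the fields that only exist in the event's UserData XML, and summarises them by file so repeated blocks of the same installer stand out. The seven-day window is an arbitrary choice for this example; run it in an elevated PowerShell session.

```powershell
# Added example, not code from the original post: collect AppLocker audit/block events from
# all three AppLocker channels and summarise them by file and rule. $lookback is arbitrary.
$lookback = (Get-Date).AddDays(-7)
$channels = @(
    'Microsoft-Windows-AppLocker/EXE and DLL',
    'Microsoft-Windows-AppLocker/MSI and Script',
    'Microsoft-Windows-AppLocker/Packaged app-Execution'
)
# 8004 / 8007 / 8022 = blocked in enforce mode; 8003 / 8006 / 8021 = audit-only
# ("would have been blocked"), which tells you whether a collection is actually enforcing.
$blockIds = 8004, 8007, 8022
$auditIds = 8003, 8006, 8021

$events = foreach ($log in $channels) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = ($blockIds + $auditIds); StartTime = $lookback } `
        -ErrorAction SilentlyContinue
}

$hits = foreach ($ev in $events) {
    # FilePath, RuleName, PolicyName (the rule collection: EXE, DLL, MSI, SCRIPT, APPX) and
    # Fqbn (publisher\product\binary\version, '-' for unsigned files) live in the UserData XML,
    # not in the rendered Message text.
    $d = ([xml]$ev.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time       = $ev.TimeCreated
        EventId    = $ev.Id
        Mode       = if ($ev.Id -in $blockIds) { 'Blocked' } else { 'AuditOnly' }
        Collection = $d.PolicyName
        RuleName   = $d.RuleName
        FilePath   = $d.FilePath
        Fqbn       = $d.Fqbn
    }
}

# Group by file so repeated blocks of the same installer stand out, and flag files under
# user profiles (AppLocker reports these with the %OSDRIVE%\USERS\... path variable).
$hits | Group-Object FilePath | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Count       = $_.Count
        FilePath    = $_.Name
        UserProfile = [bool]($_.Name -match '^%OSDRIVE%\\USERS\\')
        Mode        = ($_.Group.Mode       | Sort-Object -Unique) -join ','
        Collection  = ($_.Group.Collection | Sort-Object -Unique) -join ','
        RuleName    = ($_.Group.RuleName   | Sort-Object -Unique) -join ','
        Signed      = [bool]($_.Group[0].Fqbn -and $_.Group[0].Fqbn -ne '-')
    }
} | Format-Table -AutoSize
```

A row with Mode `Blocked`, UserProfile `True` and Signed `True` is the typical case this post describes: a legitimately signed installer in Downloads with no publisher rule covering it. Rows that are `AuditOnly` only mean AppLocker is not the component doing the blocking on that device.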
⚙️ Fixing the Problem
Option 1: Review and Adjust AppLocker Policy
- In the Intune admin center, open the profile that delivers the AppLocker rules. If you deployed them yourself, that is usually a custom OMA-URI profile under Devices → Configuration using the AppLocker CSP (nodes of the form ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/<grouping>/EXE/Policy). Note that Endpoint security → Attack surface reduction → App control for business configures App Control for Business (formerly Windows Defender Application Control), a separate mechanism whose blocks are logged under Microsoft-Windows-CodeIntegrity/Operational rather than under AppLocker, so it is not where these rules live.
- Review the rules in each collection: executables, DLLs, Windows Installer files, scripts and packaged apps.
- Relax only what the events showed you. Prefer publisher rules for signed software over path rules, and avoid allowing user-writable folders such as Downloads or Desktop outright: a path rule there lets any file a user drops in run, which removes the protection the policy exists to provide.
- Re-deploy the updated policy to the affected devices and confirm the 8004 events stop.
This approach lets you retain protection while still allowing legitimate apps to run.
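The review-and-adjust step, as an added example (not code from the original post): on an affected device it exports the policy actually in effect, asks AppLocker what it would decide for the blocked file and which rule decides it, then generates an allow rule by publisher (falling back to a hash rule for unsigned files) that you can merge into the policy you deploy. The path in `$blocked` is an assumption for this example; substitute the FilePath from your 8004 event, translating AppLocker path variables such as %OSDRIVE%.

```powershell
# Added example, not code from the original post: inspect the effective AppLocker policy,
# test a blocked file against it, and generate a publisher (or hash) allow rule for it.
$blocked = 'C:\Users\alice\Downloads\setup.exe'   # assumption: use the path from your 8004 event
$work    = Join-Path $env:TEMP 'applocker-review'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Export the effective policy (local policy merged with what MDM/GPO delivered) and
#    show each rule collection's enforcement mode and rule count.
$effectivePath = Join-Path $work 'effective.xml'
Get-AppLockerPolicy -Effective -Xml | Out-File $effectivePath -Encoding utf8
([xml](Get-Content $effectivePath -Raw)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode,
        @{ n = 'Rules'; e = { @($_.ChildNodes | Where-Object NodeType -eq 'Element').Count } } |
    Format-Table -AutoSize
# EnforcementMode: Enabled = enforce (8004-style events), AuditOnly = log only (8003-style),
# NotConfigured = that collection is not in play.

# 2. Ask AppLocker directly what it would do with the file and which rule decides it.
Test-AppLockerPolicy -XmlPolicy $effectivePath -Path $blocked -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
# PolicyDecision: Allowed, Denied (an explicit deny rule matched) or DeniedByDefault
# (no allow rule matched, which is the usual result for a downloaded installer).

# 3. Build an allow rule. -RuleType lists preferences in order: publisher first, hash as the
#    fallback for unsigned files. A path rule on Downloads is deliberately not an option here,
#    since it would allow anything a user drops into that folder.
$fileInfo = Get-AppLockerFileInformation -Path $blocked
$allowXml = Join-Path $work 'allow-rule.xml'
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Xml |
    Out-File $allowXml -Encoding utf8
Get-Content $allowXml

# 4. Confirm the generated rule actually matches the file before you ship it.
Test-AppLockerPolicy -XmlPolicy $allowXml -Path $blocked -User Everyone |
    Select-Object PolicyDecision, MatchingRule
# To trial it on this one device only, merge it into the local policy and repeat step 2:
# Set-AppLockerPolicy -XmlPolicy $allowXml -Merge
```

Merge the generated RuleCollection into the master policy XML you maintain for Intune rather than hand-editing it on devices. If the rules reach devices through the AppLocker CSP, the EXE collection's XML is what goes into the `.../EXE/Policy` node of that custom profile; a hash rule has to be regenerated whenever the vendor ships a new build, which is the main reason to prefer publisher rules for signed software.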
Option 2: Use Smarter, Community-Based Baselines
Instead of applying Microsoft’s default Defender or Windows Security baselines as-is, consider using more flexible, community-reviewed baselines like OpenIntuneBaselines or CIS (Center for Internet Security) standards.
These frameworks give you greater control and visibility over what’s being applied, helping you avoid “silent” restrictions that break local app installs.
They also allow easier testing and customization before deployment—so you can fine-tune security without interfering with day-to-day operations.
Option 3: Double-Check ASR Rules
If you also use the Microsoft Defender for Endpoint baseline, verify whether an ASR (Attack Surface Reduction) rule is contributing to the issue.
Go to:
Intune Admin Center → Endpoint Security → Attack Surface Reduction → your Attack surface reduction rules profile
Check the rule titled:
"Block executable files from running unless they meet a prevalence, age, or trusted list criterion" (rule ID 01443614-cd74-433a-b99e-2ecdc07bfc25)
This rule targets exactly the files this post is about: freshly downloaded, low-prevalence executables. When it fires, Defender logs event 1121 (blocked) or 1122 (audit mode) in Microsoft-Windows-Windows Defender/Operational, so the absence of AppLocker 8004 events plus the presence of 1121 events points here instead. Rather than disabling the rule outright, set it to Audit mode first and review the resulting 1122 events; then either keep it in audit or add targeted ASR exclusions for the affected software.
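The ASR check, as an added example (not code from the original post): it reports how this rule is configured on the device according to Defender itself, then lists recent ASR hits from the Defender log and marks which ones came from this rule. The GUID is the one Microsoft publishes for the rule; the EventData field names used (ID, Path, User) are the ones Defender writes in events 1121/1122, and the seven-day window is an arbitrary choice for this example.

```powershell
# Added example, not code from the original post: report the configured action for the
# "prevalence, age, or trusted list" ASR rule and list recent ASR hits from the Defender log.
$ruleId   = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # Microsoft's published ID for this rule
$lookback = (Get-Date).AddDays(-7)                   # arbitrary window for this example

# Get-MpPreference exposes rule IDs and their actions as two parallel arrays. Compare in
# lower case because the array search is case-sensitive and the stored GUID may be upper case.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLowerInvariant() })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$idx     = $ids.IndexOf($ruleId)
$mode = if ($idx -lt 0) { 'Not configured' } else {
    switch ([int]$actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
        default { "Unknown action $($actions[$idx])" }
    }
}
"ASR prevalence/age rule ($ruleId): $mode"

# Defender writes ASR events to its Operational channel: 1121 = blocked, 1122 = audited.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = $lookback
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the named EventData fields instead of scraping the rendered message text.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Mode     = if ($_.Id -eq 1121) { 'Blocked' } else { 'Audited' }
        ThisRule = ("$($data['ID'])".ToLowerInvariant() -eq $ruleId)
        RuleId   = $data['ID']
        Path     = $data['Path']
        User     = $data['User']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# To measure the impact without removing the control, move the rule to audit mode (it then
# logs 1122 instead of blocking). On an Intune-managed device do this in the ASR profile;
# a local change like the following is overwritten at the next policy sync:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode
```

If the rule shows `Block` and the recent 1121 rows with ThisRule `True` name the same installers the users complained about, the Defender baseline is the cause on that device even though SmartScreen is not; if the rule is in audit or absent and no AppLocker 8004 events exist either, look at App Control for Business (CodeIntegrity event 3077) before assuming Defender.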
🧾 Quick Reference Table
| Problem | Likely Cause | Solution |
|---|---|---|
| Users can’t install or run downloaded apps | AppLocker policy blocking executables | Check and relax AppLocker rules |
| SmartScreen settings don’t fix it | SmartScreen isn’t the issue | Review AppLocker and ASR configurations |
| Defender baseline too restrictive | Built-in baseline applies strict rules | Switch to OpenIntuneBaselines or CIS templates |
💡 Best Practice
Before pushing any baseline to production, always:
- Test it on a small group of devices.
- Review applied configurations in Intune Security Baselines.
- Monitor Event Viewer for blocked actions.
- Maintain a rollback plan using custom configuration profiles.
These steps help ensure your baselines protect users without disrupting productivity.
✅ Summary
If your users suddenly can't install apps after applying Intune Defender baselines, do not assume the cause is Defender or SmartScreen: in many cases it is AppLocker, and the event log settles the question in minutes.
Review the AppLocker event logs (8004 for an enforced block, 8003 for audit only), check the Defender Operational log for ASR events 1121 and 1122, adjust only the rules the events implicate, and consider custom or community-based baselines to strike the right balance between security and usability.

