Allowing a blocked app from Intune policy

Elie K 545 Reputation points
2023-09-28T02:48:19.8766667+00:00

Hi Everyone,

Looking for some help. We are working with a company to help roll out Autopilot. There was some disagreement on what should be blocked. At one point Chrome was blocked. Unfortunately, this block was put in before I could remove some machines from the testing group, and it was applied to a colleague's machine. Now trying to open Chrome gets the standard 'this app has been blocked by windows defender'. I have removed the machine and user from any test groups so the policies don't apply. However, there is nothing to tell the policy it is no longer required on that machine, and Chrome is still blocked. I don't want to have to reset the user's profile to allow Chrome again. Is there any way I can unblock Chrome on the machine?

Machine is no longer an Intune machine, just your standard domain joined machine.

Thanks everyone.

Microsoft Intune

Accepted answer
  1. Crystal-MSFT 48,581 Reputation points Microsoft Vendor
    2023-09-28T05:44:29.07+00:00

    @Elie K, thanks for posting in Q&A. From your description, I know the device is not managed by Intune, but Chrome was still blocked. In general, Intune settings are based on the Windows configuration service providers (CSPs). The behavior depends on the CSP. Some CSPs remove the setting, and some CSPs keep the setting, which is also called tattooing. It seems the setting is tattooed.

    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot#a-profile-is-deleted-or-no-longer-applicable

    In general, we will first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, then delete the policy from the Intune portal.

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-wdac-policies-using-intune#remove-wdac-policies-on-windows-10-1903

    But as of now, the device is already not managed. You can try the methods in the following link to remove the policy:

    https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/deployment/disable-wdac-policies

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
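Before removing a tattooed policy as the answer above suggests, it helps to confirm which WDAC policy is still enforced and that it is the one blocking Chrome. The read-only PowerShell sketch below is an added example, not part of the original answer or Microsoft's documentation. It assumes the block comes from WDAC (as the answer does), an elevated prompt, and a Windows build that ships CiTool.exe for step 2.

```powershell
# Added example: read-only inventory of WDAC policies left behind on a device.
# Nothing here modifies or removes a policy.

$ciRoot = Join-Path $env:windir 'System32\CodeIntegrity'

# 1. Policy files on the OS volume: single-policy format (SIPolicy.p7b) and
#    multiple-policy format (CiPolicies\Active\{PolicyId}.cip).
$policyFiles = @(
    Get-Item -Path (Join-Path $ciRoot 'SIPolicy.p7b') -ErrorAction SilentlyContinue
    Get-ChildItem -Path (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue
)
$policyFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 2. Policies Code Integrity currently has loaded. CiTool.exe is only present
#    on newer Windows builds, so fall back gracefully when it is missing.
$ciTool = Get-Command -Name 'CiTool.exe' -ErrorAction SilentlyContinue
if ($ciTool) {
    $loaded = (& $ciTool.Source --list-policies -json | ConvertFrom-Json).Policies
    $loaded |
        Where-Object { $_.IsEnforced -and -not $_.IsSystemPolicy } |
        Select-Object FriendlyName, PolicyID, IsOnDisk, IsSignedPolicy |
        Format-Table -AutoSize
} else {
    Write-Warning 'CiTool.exe not found; use the file listing and event log instead.'
}

# 3. Enforced-mode block events (ID 3077) that mention chrome.exe. The event
#    message names the policy responsible for the block.
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3077
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'chrome\.exe' }

if ($blocks) {
    $blocks | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Output 'No recent 3077 block events mention chrome.exe.'
}
```

The policy ID that appears both in step 2 and in the 3077 events is the one to feed into the removal steps in the linked "disable WDAC policies" documentation; a policy reported as signed needs the signed-policy procedure described there.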

