Intune: Windows Store apps asking for elevated rights.

kevin deleux 36 Reputation points
2022-01-20T19:25:08.513+00:00

Hello all,

Question about deploying apps to my users in an Intune environment.
All the devices are Azure AD joined, device config profile is working on the laptops.
I have the Company Portal app, and most of the apps are working (even the exe files that I prepped with the intuneprep tool).
Most of the apps could be downloaded and installed.

I configured the device restriction profile to the following:
Installation of trusted apps: allow
Unlock for devs: Block
Only apps from the store: Store is preferred.

They can use the store, look for apps, download them... the store has to be open for them.
WhatsApp app could be installed, HP Smart app could be installed...
But not all the apps could be installed by a normal (non-admin) user.
For example: when they want to install Adobe Acrobat Reader, they can download it... but when the app wants to install itself, the elevated rights screen pops up. Only I (global admin) can install the app.
Same story when I push the app in the Company Portal.
I pushed the LastPass app and Firefox app to the Company Portal: no problem for the users.
I prepped the Chrome app, no problem to install...
but not with Adobe, for example...

Am I missing something?
Config profile? Additional config profile for the store?
I don't want to give the admin rights to my users...

So basically:
My users are allowed to use the app store and download/install apps from the store (but not from the internet or other programs that need elevated rights).
The apps in the Company Portal (from the store, converted exe or msi, ...) have to be able to install without elevated rights...

Does anyone have an idea?
Do I need to do this by PowerShell? If yes: can I get an example?

Thanks in advance!!
Kind Regards
Kevin


4 answers

  1. Lu Dai-MSFT 28,366 Reputation points
    2022-01-21T02:11:34.777+00:00

    @kevin deleux Thanks for posting in our Q&A. From your description, did you mean that only Adobe Acrobat Reader asks for elevated rights and other apps don't? If I have misunderstood anything, please correct me.

    From the information you provided, there are no settings that make the app need elevated rights. Based on my understanding, it seems that it is designed by the Adobe Acrobat Reader app itself. Given this situation, it is suggested to use a standard user to download and install the Adobe Acrobat Reader app from the Microsoft Store on an unenrolled device and check if it still asks for elevated rights.

    Or it is suggested to try to use a custom profile to extend your users' privileges and assign this profile to a user group.
    Name: Elevated Privileges
    OMA-URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
    DataType: Integer
    Value: 1
    For more details, we can refer to the following CSP link:
    https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-msialwaysinstallwithelevatedprivileges

    Hope it will help.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
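
The `MSIAlwaysInstallWithElevatedPrivileges` setting suggested in the answer above makes Windows Installer run any MSI package with elevated privileges, including packages a standard user obtained outside the store, so it is worth auditing where it is actually in effect. The following check is an added example, not part of the original answer. It assumes the CSP setting surfaces as the standard Windows Installer policy value `AlwaysInstallElevated`, which only takes effect when it is 1 in both the machine hive and the user hive; the function names are hypothetical.

```powershell
# Added example (not from the thread): report whether AlwaysInstallElevated is in effect.
# Save as a .ps1 and run elevated or as SYSTEM so other users' loaded hives are readable.
# Assumption: the MDM policy appears as the Windows Installer policy value below.
$subKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$valueName = 'AlwaysInstallElevated'

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$KeyPath)
    try {
        (Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction Stop).$valueName
    } catch {
        $null  # key or value absent: policy not configured in this hive
    }
}

function Get-AlwaysInstallElevatedState {
    $machine = Get-PolicyValue -KeyPath "Registry::HKEY_LOCAL_MACHINE\$subKey"
    # Loaded user hives only: local/domain SIDs (S-1-5-21-...) and Azure AD SIDs (S-1-12-1-...).
    # The pattern also skips service accounts and the *_Classes hives.
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }
    foreach ($hive in $userHives) {
        $user = Get-PolicyValue -KeyPath "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            UserSid      = $hive.PSChildName
            MachineValue = $machine
            UserValue    = $user
            # Windows Installer elevates only when both hives carry the value 1.
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

$state = @(Get-AlwaysInstallElevatedState)
$state | Format-Table -AutoSize
# Non-zero exit signals "finding present" to whatever runs the script.
if ($state | Where-Object Effective) { exit 1 } else { exit 0 }
```

A row with `Effective = True` means MSI installs started by that user run elevated on that device; a value of 1 in only one hive is configured but not in effect.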


  2. kevin deleux 36 Reputation points
    2022-01-24T08:07:07.09+00:00

    Hello and thanks for the reply.

    No, it is not only Adobe, that's just an example. TeamViewer is also asking for higher rights to be installed.
    I just want to open the Windows Store for my users. Some trusted apps are OK to install. Only exe or msi from the internet or other sources are not allowed.
    So I set in the config profile that untrusted software is indeed asking for higher rights, so they are not allowed to install that (third party...).
    But things like TeamViewer, Adobe, ... they are in the app store and OK to install, but it keeps asking for the admin rights, and I don't want to make my users admin of course... they don't need the elevated rights. I'm the only admin, and I have another user with the "helpdesk" rights, but that's another story.
    LastPass, for example, is not asking for elevated rights, and my users are able to install that app.
    Even when I put software like Adobe or TeamViewer in the business portal, even then the app is asking for higher rights to install.
    I don't have the time to go around to my users and enter my credentials to install the software.

    So bottom line: the users have to be able to install the Windows Store apps without being asked for permissions.
    The other software from other sources like the internet ... they are not allowed to install that.

    I tested it again this morning... the app (Adobe...) is available in the store or even in the business portal, but when trying to install with a test account (normal user in the user group) it is asking for the admin rights.
    I'm also testing it with TeamViewer now (not the store app but an exe I prepped in IntuneWin) ...

    Thanks again
    Kind regards
    Kevin


  3. kevin deleux 36 Reputation points
    2022-01-24T13:12:29.523+00:00

    I found a workaround...
    I used Chocolatey package to deploy all of my packages...

    But it would be nice to know if there is a solution to my question.


  4. kevin deleux 36 Reputation points
    2022-01-25T19:29:56.327+00:00

    Yes, when I deploy it as a win32 app it's not installing and it gives an error, even when it is working just fine.
    I can't find anything useful in the logs, but I looked at another app (Gdata endpoint client): it is installing, it is working, it's showing the host in the endpoint manager on our server (so I know it is working), but in Intune it is giving errors.
    When I checked the logs for that, it says that my discover rule is not correct, so I changed that... I will look into it tomorrow.

    TeamViewer (example):
    When I deploy it as a prepped win32 app it is installing fine, works... but gives errors in Intune (can't find anything useful in the logs).
    When I deploy it as a Windows Store app: it is downloading, and then asks for elevated rights, which the users don't have (see my rules in my question); users are only allowed to install apps from the store... where TeamViewer is coming from...
    When I deploy it with the Chocolatey package... working fine.

    And as far as Adobe is concerned: I deployed it as "system" but it is not installing... did my workaround with Chocolatey package: working now...