This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 15%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
Hello all,
Question about deploying apps to my users in an Intune environment.
All the devices are Azure AD joined, device config profile is working on the laptops.
I have the Company portal app, and most of the apps are working (even the exe files that i prepped with the intuneprep tool).
Most of the apps could be downloaded and installed.
I configured the device restriction profile to the following:
Installation of trusted apps: allow
Unlock for devs: Block
Only apps from the store: Store is preffered.
They can use the store, look for apps, download them... the store has to be open for them.
Whatsapp app could be installed, HP smart app could be installed...
But not all the apps could be installed by a normal (non admin) user.
For example: when they want to install Adobe acrobat reader, they can download it... but when the app wants to install itself: the elevated rights screen pops up. Only i (global admin) can install the app.
Same story when i push the app in the company portal.
I pushed the LastPass app and firefox app to the company portal: no problem for the users.
I prepped the chrome app, no problem to install...
but not with Adobe for example...
Do i miss something?
config profile? additional config profile for the store?
I don't want to give the admin rights to my users...
so basically:
my users are allowed to use the app store, download/ install apps from the store (but not from internet or other programs that need elevated rights)
The apps in the company portal ( from the store, converted exe or msi,... ) has to be able to install without elevated rights....
Someone an idea?
Do i need to do this by powershell, if yes: can i get an example?
Thanks in advance!!
Kind Regards
Kevin
@kevin deleux Thanks for posting in our Q&A. From your description, did you mean that only Adobe acrobat reader asks for elevated rights and other apps doesn't? If there is anything misunderstanding, please correct me.
From the information you provided, there is no settings to make the app need elevated rights. Based on my understanding, it seems that it is designed by Adobe acrobat reader app itself. Given this situation, it is suggested to use a standard user to download and install the Adobe acrobat reader app from Microsoft store in an unenrolled device and check if it still asks for elevated rights.
Or it is suggested to try to use custom profile to extend your user's privileges and asign this profile to a user group.
Name: Elevated Privileges
OMA-URI: ./User/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
DataType:Integer
Value: 1
For more details, we can refer to the following CSP link:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-msialwaysinstallwithelevatedprivileges
Hope it will help.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@kevin deleux I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.
Hello and thanks for the reply.
No it is not only Adobe, thats just an example. TeamViewer is also asking for higher rights to be installed.
I just want to open the windows store for my users. some trusted apps are ok to install. only exe or msi from the internet or other sources are not allowed.
so i set in the config profile that untrusted software is indeed asking for higher rights.. so they are not allowed to install that. (third party...)
But things like teamviewer, adobe, .... they are in the app store and ok to install. but keeps asking for the admin rights. and don't want to make my users admin ofcourse... they don't need the elevated rights. I'm the only admin, and i have another user with the "helpdesk" rights. but thats another story.
Lastpass for example is not asking for elevated rights. and my users are able to install that app.
Even when i put the software like Adobe or TeamViewer in the business portal, even then is the app asking for higher rights to install that app.
I dont have the time to go arround to my users and give in my credentials to install the software.
So bottom line: the user have to be able to install the windows store apps without permissions aksed.
The other software from other sources like the internet ... they are not allowed to install that.
I tested it again this morning... app (adobe..) is available in store or even in business portal.. but when trying to install with a test account ( normal user in the user group) it is asking for the admin rights.
I'm testing it also with TeamViewer now ( not the store app but an exe i prepped in IntuneWin) ...
Thanks again
Kind regards
Kevin
Just tested it with a custom install of Teamviewer... i prepped a exe tot intune win32
It is installing ok, give an error that the app is not installed. But i see the app on the home screen of the user. and the app is indeed working...
Is this a bug in Intune?
Tried again for Adobe, not working and asking elevated rights...
I found this link... i'm going to try this. https://allthingscloud.blog/install-adobe-reader-dc-using-microsoft-intune-win32-application-deployment/
Thanks
I found a work around...
I used Chocolatey package to deploy all of my packages...
but it would be nice to know if there is an solution to my question.
@kevin deleux Did you mean that the Teamviewer app is installed in the device, but it shows error in the intune portal? If yes, it is needed to check the IntuneManagementExtension log under "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs" to find if there is any cause. We can refer to the following link:
https://www.anoopcnair.com/intune-win32-app-troubleshooting/
Note: Non-Microsoft link, just for the reference.
For Adobe, please try to set "System" to install behavior in win32 app settings. User context refers to only a particular user. System context refers to all users of a Windows 10 device.
https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add#step-2-program
Yes when i deploy it as a win32 app it's not installing and it gives an error. even when it is working just fine.
I can't find anything useful in the logs, but i looked at another app (Gdata endpoint client), it is installing, it is working, its showing the host in the endpoint manager on our server ( so i know it is working) but in Intune it is giving errors.
When i checked the logs for that, it says that my discover rule is not correct, so i changed that... i will look in to it tomorrow.
Teamviewer (example)
when i deploy it as an prepped win32 app it is installing fine, works... but gives errors in Intune (can't find anything useful in the logs)
When i deploy it as an windows store app: it is downloading, and then asks elevated rights, which the users don't have. (see my rules in my question), users are only allowed to install apps from the store.... where teamviewer is coming from...
When i deploy it with the chocolatey package... working fine.
And what Adobe concerns: i deployed it as "system" but it is not installing... did my work around with chocolatey package: working now...
@kevin deleux I have tried to deploy Adobe as a win32 app in my lab. It is successful. Here is the settings I configured:
Please understand that for such kind of issue, it is needed more logs and background information based on your specific environment to analyze the whole process to find the root cause. With Q&A limitation, Q&A is not the best channel for such log analysis case. It is better to create an online support ticket to handle this issue more effectively. It is free. Here is the online support link and hope it helpful.
https://learn.microsoft.com/en-us/mem/get-support
Thanks for understanding and hope everything goes well with you.