Deploy policies to enable applications

Once the policies are created, you must deploy them to the Windows SE devices.
AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices.

Deploy AppLocker policies

Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune.

You can create a PowerShell script that stores the contents of the policy in a variable, then use the Set-AppLockerPolicy PowerShell command to merge it. Here's a sample function for the task:

function MergeAppLockerPolicy([string]$policyXml)
{
  $policyFile = '.\AppLockerPolicy.xml'
  $policyXml | Out-File $policyFile
  Write-Host "Merging and setting AppLocker policy"
  Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
  Remove-Item $policyFile
}

Warning

Intune deploys a script with the AppLocker policy to set Intune Management Extension as a managed installer on all Windows 11 SE devices enrolled into an Intune EDU tenant. If you want to deploy your own AppLocker policy to set another Managed Installer (in addition to Intune), be sure to use the -Merge parameter with Set-AppLockerPolicy. The -Merge parameter ensures that your policy plays well with Intune's AppLocker policy. Without using the -Merge parameter, it will result in issues with apps not getting tagged properly and their ability to run on impacted devices. To learn more about AppLocker Merge policy, see Merge AppLocker policies.

Once finished, you can deploy the script via Intune. For more information, see Add PowerShell scripts to Windows devices in Microsoft Intune.

Troubleshoot AppLocker policies

For information how to validate and troubleshoot AppLocker policies, see AppLocker policy validation

Next steps

Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices.