Deploy policies to enable applications
Once the policies are created, you must deploy them to the Windows SE devices.
AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices.
Deploy AppLocker policies
Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune.
You can create a PowerShell script that stores the contents of the policy in a variable, then use the Set-AppLockerPolicy
PowerShell command to merge it. Here's a sample function for the task:
function MergeAppLockerPolicy([string]$policyXml)
{
$policyFile = '.\AppLockerPolicy.xml'
$policyXml | Out-File $policyFile
Write-Host "Merging and setting AppLocker policy"
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
Remove-Item $policyFile
}
Warning
Intune deploys a script with the AppLocker policy to set Intune Management Extension as a managed installer on all Windows 11 SE devices enrolled into an Intune EDU tenant. If you want to deploy your own AppLocker policy to set another Managed Installer (in addition to Intune), be sure to use the -Merge
parameter with Set-AppLockerPolicy
. The -Merge
parameter ensures that your policy plays well with Intune's AppLocker policy. Without using the -Merge
parameter, it will result in issues with apps not getting tagged properly and their ability to run on impacted devices. To learn more about AppLocker Merge policy, see Merge AppLocker policies.
Once finished, you can deploy the script via Intune. For more information, see Add PowerShell scripts to Windows devices in Microsoft Intune.
Troubleshoot AppLocker policies
For information how to validate and troubleshoot AppLocker policies, see AppLocker policy validation
Next steps
Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices.