Remove Managed Installer For App Control for Business

In this post, I will demonstrate the steps to remove Managed Installer for App Control for Business (ACfB). A Managed Installer (MI) is a feature of ACfB that lets you automatically allow applications installed by a designated software distribution solution, such as Configuration Manager or Intune.

When you enable the Intune Management Extension (IME) as a Managed Installer, all apps, scripts, and Win32 packages deployed through Intune using the IME are treated as trusted by App Control for Business. This reduces the admin effort needed to manually allow applications that are deployed via Intune. To learn more about how a managed installer works, refer to the link: How does managed installer work?

The App Control for Business feature has now reached general availability, introducing several enhancements, including the ability to scope the deployment of the managed installer to a group. Therefore, it's now easier to manage the installer, including disabling it and removing it from the device.

For a step-by-step guide to setting up App Control for Business via Intune, refer to my other post: App Control for Business Intune Setup Guide.

Disable Intune Management Extension (IME) as Managed Installer

If you previously created a tenant-wide policy to configure the managed installer, you can edit that policy and set Enable Intune Management Extension as Managed Installer to Disabled. This change will not remove the Intune Management Extension as a managed installer on existing devices; it will only prevent new devices from being configured with IME as the managed installer.

  • Sign in to the Intune admin center > Endpoint security > App Control for Business.
  • Click the Managed installer tab, then click the policy that enables IME as the managed installer.
  • Click Properties, edit the settings, and set Enable Intune Management Extension as Managed Installer to Disabled.

Remove Intune Management Extension (IME) as Managed Installer

We disabled the Managed Installer policy in the previous step. This change only affects new devices. Existing devices that were already configured with the Intune Management Extension (IME) as a Managed Installer will remain in that state. You can optionally clean up this configuration by running the CatCleanIMEOnly.ps1 PowerShell script.

The script can be run manually on individual devices or deployed at scale using Intune. For guidance on deploying PowerShell scripts through Intune, see my post: How To Deploy A PowerShell Script Using Intune.

Once the script runs successfully, IME is removed as a Managed Installer from the target devices. No further action is required. However, if you manually rerun the CatCleanIMEOnly.ps1 script on a device where it has already executed, the console will display: Intune management extension is not set as a managed installer, no action.
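To confirm on a device whether IME is still listed as a managed installer, before or after the cleanup, the following added example lists the ManagedInstaller rules in the effective AppLocker policy, which is where managed installers are defined. It is not part of CatCleanIMEOnly.ps1 or any Microsoft code; the `$ImePattern` parameter and its default value are assumptions about how the IME rule names its binary.

```powershell
# Added example: report ManagedInstaller rules in the effective AppLocker policy.
# Save as a .ps1 file and run it in Windows PowerShell on the device being checked.
param(
    # Assumption: the IME rule's BinaryName contains the IME agent executable name.
    [string]$ImePattern = '*INTUNEWINDOWSAGENT*'
)

# Managed installers live in the AppLocker rule collection of type 'ManagedInstaller'.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$collection = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'ManagedInstaller' }

if (-not $collection) {
    Write-Output 'No ManagedInstaller rule collection in the effective policy.'
    return
}

Write-Output "ManagedInstaller collection found (EnforcementMode: $($collection.EnforcementMode))."

# Flatten each publisher rule so the trusted installers are easy to review.
$rules = foreach ($rule in $collection.FilePublisherRule) {
    if (-not $rule) { continue }
    $cond = $rule.Conditions.FilePublisherCondition
    [pscustomobject]@{
        Name         = $rule.Name
        Action       = $rule.Action
        Publisher    = $cond.PublisherName
        BinaryName   = $cond.BinaryName
        LooksLikeIme = [bool]($cond.BinaryName -like $ImePattern)
    }
}

if (-not $rules) {
    Write-Output 'The collection contains no publisher rules.'
    return
}

$rules | Format-List

if ($rules | Where-Object { $_.LooksLikeIme }) {
    Write-Output 'A rule matching the IME pattern is still present.'
} else {
    Write-Output 'No rule matching the IME pattern was found.'
}
```

Any other rules it lists are installers the device still trusts, so review them as well as the IME entry.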


Delete Managed Installer Policy on Intune

As we have already set Enable Intune Management Extension as Managed Installer to Disabled, you can either keep the policy in the console or delete it. Go to the Managed Installer tab, click the three dots on the right, and select Delete.


Conclusion

In this post, we learnt the steps to disable and delete a Managed Installer policy. Optionally, you can use a PowerShell script provided by Microsoft to clean up the Managed Installer configuration on the device. After that, if required, a new Managed Installer policy can be created that is scoped to a specific group of devices.
