How to Control Access to Microsoft Store LOB and Developer-Signed Apps Using Intune

In this article, we'll explore how to control the installation of trusted Line-of-Business (LOB) and developer-signed applications through the Microsoft Store using Microsoft Intune.

The setting in focus is “Allow All Trusted Apps”, part of the ApplicationManagement Policy CSP. This configuration allows administrators to define whether users can install apps from trusted sources outside the official Microsoft Store.

When enabled, this policy permits the installation of internal business applications (LOB apps) or developer-signed apps that are packaged like Microsoft Store apps. For the app to be installed successfully, the signing certificate must be trusted by the device. If the certificate is valid and recognized, the installation proceeds without restrictions.

Disabling or leaving this setting unconfigured will block the installation of these trusted external apps—even if they mimic standard Microsoft Store packages. This could prevent users from installing business-critical internal tools or test apps in enterprise environments.

To allow internal or developer apps, ensure this setting is explicitly enabled and that devices trust the corresponding code-signing certificates.

The Strategic Value of Internal Line-of-Business Applications

Internal company applications—also known as Private Apps or Line-of-Business (LOB) apps—are essential for improving operational efficiency and supporting tailored business needs. These apps deliver specific tools that help employees perform their tasks more effectively, often integrating directly with internal systems and workflows.

Customized to reflect the organization’s branding and operational structure, LOB apps allow companies to maintain control, consistency, and security in their digital environments—making them a strategic asset in modern enterprise IT.


Policy CSP Details – ApplicationManagement

The Policy Configuration Service Provider (CSP) in Windows 10 and 11 offers a flexible framework for managing configuration policies across devices. It enables IT administrators to enforce standardized settings that align with organizational requirements, ensuring consistency, compliance, and control across the endpoint ecosystem.


Description Framework Properties in Intune

Microsoft Intune’s Settings Catalog includes Description Framework Properties for each policy setting. These descriptions clarify:

  • What the setting controls

  • The type of input it expects

  • Its function and behavior

  • And the default configuration value

This structured metadata simplifies policy configuration and helps administrators apply settings accurately—even in complex environments.


How to Control Access to Microsoft Store LOB and Developer-Signed Apps Using Intune - Table 01

When configuring a setting in Intune’s Settings Catalog, the Allowed Values represent the only available options for selection. These values define how the setting will behave on the targeted device. The table below outlines the allowed values for the 'Allow All Trusted Apps' policy.

How to Control Access to Microsoft Store LOB and Developer-Signed Apps Using Intune - Table 02

To begin deploying a policy in Intune, sign in to the Microsoft Intune admin center. Then navigate to:

  1. In the left-hand menu, select Devices

  2. Click on Windows Devices under the “By platform” section

  3. Select Configuration

  4. Click + New Policy to begin configuring your policy

  5. Under Platform, select Windows 10 and later

  6. For Profile type, choose Settings catalog

  7. Click Create to proceed

Basics

The Basics step is essential for defining the core details of your policy. In this section, you’ll provide a meaningful Name and Description to help identify the policy later.

  • Policy Name: Manage Trusted LOB and Developer-Signed Apps

  • Description: This policy controls whether users can install trusted Line-of-Business (LOB) or developer-signed applications that are packaged like Microsoft Store apps but come from external sources.

  • Platform: Windows 10 and later (pre-selected)

Providing a clear name and concise description will make it easier to manage and maintain your configuration profiles over time.

Configuration Settings 

Now, let’s move on to Configuration Settings. This is a key step where you will define the specific behaviors and options this policy will enforce. Click Add Settings to bring up the Settings Picker.

Configuring the “Allow All Trusted Apps” Policy in Intune

Step 1: In the Settings Catalog, use the search bar to type Microsoft App Store

Step 2: From the search results, select Allow All Trusted Apps

Step 3: Click Next or close the Settings picker — the selected policy will now appear under Configuration Settings

Step 4: By default, the setting will show as Not configured. Click the dropdown and choose the option that matches your organization’s needs:

  • Explicit allow unlock (1): Allows trusted LOB or developer-signed apps to be installed

  • Explicit deny (0): Blocks these apps from being installed

In this example, we select Explicit deny (0) to prevent the installation of non-store trusted apps.

Step 5: Click Next to proceed to the Assignments section

Scope Tags

In Intune, Scope Tags help you manage who can see and edit this policy and keep things organized. They are optional, so you can click Next if you don’t need to assign them.

Assignments

The Assignments section is where you define which users or devices will receive the policy.

Step 1: Under Include Groups, click + Add Groups

Step 2: A list of available groups will appear. Select the group(s) to which this policy should apply

In this example, we select: GRP - MS365Education - Test Computers

Once selected, the group will be listed under Included Groups.

Step 3: Click Next to continue to the Review + Create step.


✅ Review + Create

You’ve reached the final step: Review + Create. This section provides a full summary of your configuration, allowing you to carefully verify all the details before deploying the policy.

Take a moment to review the following:

  • 📌 Policy Name – Ensure it’s clear and descriptive

  • 👥 Assigned Groups – Confirm the correct user or device groups are selected

  • 🏷️ Scope Tags – Verify that any required administrative scope tags are properly applied

  • ⚙️ Configuration Settings – Double-check the selected values and behavior of the policy

If anything needs to be adjusted, click Previous to go back and make changes.

Once everything looks correct, click Create to finalize and deploy the profile.

✅ After clicking Create, a confirmation notification will appear, indicating that the Allow All Trusted Apps policy was successfully created.

Device and User Check-in Status

You can check the policy status in the Intune portal. It usually takes about 8 hours for a newly created policy to apply. If it’s taking too long, use the manual sync option (Sync) in the Company Portal app on your device. After syncing, check the status again.

  • Go to Devices, then Configuration.

  • Click on the policy to view its details.

  • For instance, here the Allow All Trusted Apps policy status is succeeded(3).

Client-Side Verification

The Allow All Trusted Apps policy is applied by the MDM PolicyManager under the ApplicationManagement area. Once deployed, you can verify its application on a client device using the Event Viewer.


🛠️ How to Verify on the Client:

  1. Open Event Viewer on the target Windows device.

  2. Navigate to: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

  3. On the right panel, click Filter Current Log.

  4. Look for Event ID 813, which indicates a text-based policy has been applied.

  5. Review the event details to confirm that the AllowAllTrustedApps policy appears and reflects the correct configuration.


📋 Example Log Output (Descriptive Format):

In a typical Event ID 813 entry, you should see values like:

  • Policy: AllowAllTrustedApps

  • Area: ApplicationManagement

  • Enrollment ID: B1E9301C-8666-412A-BA2F-3BF8A55BFA62

  • Current User: Device

  • Int Value: 0x0 (indicates Explicit Deny)

  • Enrollment Type: 0x6 (MDM-managed device)

  • Scope: 0x0 (device-level application)
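
The Event Viewer check above can also be scripted. The following PowerShell is an added example, not part of the original article: it reads Event ID 813 from the log named in step 2 and decodes the AllowAllTrustedApps value against the setting the policy was meant to deploy. The function name ConvertFrom-PolicyEventMessage, the message layout matched by the regular expressions, and the sample message are assumptions.

```powershell
# Added example (not from the article). Field layout of the 813 message is an assumption.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function ConvertFrom-PolicyEventMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date),
        [int]$Expected = 0          # the article's example deploys Explicit deny (0)
    )
    $policy = $null; $area = $null; $value = $null
    if ($Message -match 'Policy:\s*\(?(\w+)') { $policy = $Matches[1] }
    if ($Message -match 'Area:\s*\(?(\w+)')   { $area   = $Matches[1] }
    # Accepts both "Int: (0x0)" and "Int Value: 0x0".
    if ($Message -match 'Int(?:\s+Value)?:\s*\(?(0x[0-9A-Fa-f]+)') {
        $value = [Convert]::ToInt32($Matches[1], 16)
    }
    # Only the two values the article lists are decoded.
    $meaning = 'Unrecognized or missing value'
    if ($value -eq 0)     { $meaning = 'Explicit deny' }
    elseif ($value -eq 1) { $meaning = 'Explicit allow unlock' }

    [pscustomobject]@{
        TimeCreated     = $TimeCreated
        Policy          = $policy
        Area            = $area
        IntValue        = $value
        Meaning         = $meaning
        MatchesExpected = ($value -eq $Expected)   # False signals drift or a conflicting profile
    }
}

# Collect every 813 event that mentions the policy; no match leaves $events empty.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 813 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AllowAllTrustedApps' }

if ($events) {
    # Report the most recent application of the policy.
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    ConvertFrom-PolicyEventMessage -Message $latest.Message -TimeCreated $latest.TimeCreated
} else {
    # Constructed sample message (placeholder enrollment ID) to exercise the parser off-device.
    $sample = 'MDM PolicyManager: Set policy int, Policy: (AllowAllTrustedApps), ' +
              'Area: (ApplicationManagement), EnrollmentID requesting merge: ' +
              '(00000000-0000-0000-0000-000000000000), Current User: (Device), ' +
              'Int: (0x0), Enrollment Type: (0x6), Scope: (0x0).'
    ConvertFrom-PolicyEventMessage -Message $sample
}
```

A MatchesExpected value of False on a device in the assigned group is the case to investigate first under the troubleshooting tips that follow.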


💡 Important Tip

⚠️ Note: The Event ID and Enrollment ID requesting merge may vary depending on the device, policy type, and enrollment session. These values are unique to each device and deployment context. Always cross-check the policy name and configuration values for accurate validation.


⚠️ Troubleshooting Tips:

  • Ensure the device has recently synced with Intune.

  • Verify that the device is correctly assigned to the targeted group.

  • Check for conflicting settings in other profiles that may override this configuration.

  • Use the Company Portal app or Intune Admin Center to manually trigger a sync.

  • For deeper analysis, consult the Microsoft Learn documentation or advanced logging tools.

📚 More Information

To deepen your understanding of configuring and managing the Allow All Trusted Apps policy in Microsoft Intune, refer to the following official Microsoft resources:

These resources provide detailed guidance for configuring, deploying, and verifying application management policies across managed devices using Microsoft Intune.

Thank you!

🖥️ Ricardo Barbosa

📘 MCT Microsoft Certified Trainer | ☁️ Cloud Architect

🌐 Technology Director - https://altelix.com

Presidoe Okuguni

Microsoft 365 & Email Security Consultant | SharePoint Optimization | Google to M365 Migration

3w

Incredible insights, thanks for sharing your knowledge Ricardo Barbosa!

Thiago Candido Martins

Cloud Analyst | Cloud Infrastructure | Cloud Security | Azure | AWS

1mo

Thanks for sharing, Ricardo

Ahmed Mostafa

Experienced System Administrator | Driving Business Growth through IT Infrastructure Optimization

1mo

Thanks for sharing, Ricardo Insightful post 👏🏼
