Intune Policy Size Limit Considerations

In this article, we will discuss the existing limits on Intune Policy as it relates to Win32 application assignments. With these limits in mind, we can better plan the deployment of Intune Applications and Updates.

Identify If You are Hitting Policy Size Limit

For most of our customers, the policy size limit will not be an issue. The policy for the Win32 applications in Intune includes the PowerShell Detection and Requirement scripts for the application. The more applications you have assigned to any given device, the larger that policy will be

The most immediate affect of exceeding the policy limit is the client will stop processing application policies from Intune.

To quickly identify if you are running into policy size limits you can check the two logs below.

  • %programdata%\Microsoft\IntuneManagementExtension\Logs\_IntuneManagementExtension.log
  • %programdata%\Microsoft\IntuneManagementExtension\Logs\_IntuneManagementExtension.lo_

 

Within these logs, you can look for a line that starts with the below snippet.

[Win32App] Failed to get the app policy from service, exception is System.ArgumentException: Error during serialization or deserialization using the JSON JavaScriptSerializer. The length of the string exceeds the value set on the maxJsonLength property…

It is likely a large Base64 encoded JSON payload will be shown as well, such as below.

JSON log snippet

More InformationNote: If you are hitting the policy limit the client will not be able to process application assignments. 

Reducing Policy Size

There are a few options to consider when you need to reduce the total policy size your clients receive from Intune. 

Applications vs. Updates

The largest part of any given Win32 application’s policy is the scripts associated with it. For the Win32 Applications, this will be the Detection Script. For the Updates that the Publisher creates there will be a Detection Script and a Requirement Script. Because the Updates have two scripts they will inherently consume more space in the policy payload. 

Code Signing

Within the Publisher the option to ‘Digitally sign the detection method script…’ is provided as shown below.

When a script is digitally signed it will add approximately 10kb to the total script size. This does not seem like a lot, but for Intune Policy this is a very significant amount of overhead. Keeping in mind that Intune Updates will have policy containing two scripts when these are signed the policy per-app increases by approximately 20kb. 

More InformationNote: In our testing, a device was able to have 80-90 Intune Updates assigned without hitting the policy limit while having code signing enabled. With code signing disabled a device could have our entire catalog over 300 applications assigned as Intune Updates without hitting the policy size limit.

Number of Assignments

With code signing, and the type of Win32 Application in mind the final consideration is the number of assignments. The larger the number of assignments to any given device the larger the policy will be for that device when it requests it from Intune

The business will need to determine their security requirements around code signing, and what applications they desire to update. The Publisher does have an Intune Scan Tool that can assist in identifying products that exist on your Intune managed devices, but it does have limitations based on what is available via Microsoft Graph such as only MSI based applications being inventoried. 

Alongside identifying what software your devices have, you can leverage tools like Microsoft Defender Advanced Threat Protection to identify known vulnerabilities and CVEs on your devices. This can provide a good pointer to applications which should be updated.