deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 14:53:44 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-03-02 14:24:45 -05:00
parent 59dd22d53b
commit 05e6ad1207
4 changed files with 53 additions and 132 deletions
Download Patch File Download Diff File Expand all files Collapse all files

104
education/windows/tutorial-managed-installer/checklists.md
View File

@ -1,49 +1,16 @@
---
title: Consideration before deploying apps with Managed Installer
description: Learn how to Consideration before deploying apps with Managed Installer
ms.date: 02/24/2023
title: Checklists for managed installer
description: Differnet checklists for managed installer
ms.date: 03/02/2023
ms.topic: checklist
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# <X> checklist <or> <X> checklist for <technology or product>
TODO: Add your H1.
# Checklists for managed installer
<!-- 2. Introductory paragraphs ---------------------------------------------------------
Required: Provide a brief introduction that describes the task that
this checklist supports.
Emphasize general industry terms (such as "serverless," which are better for SEO) more
than Microsoft-branded terms or acronyms (such as "Azure Functions" or "ACR").
Try to include terms people typically search for and avoid using *only* Microsoft terms.
If the checklist describes prerequisites, explain what task they are for, but avoid
linking to the task here.
The reader shouldn't leave the checklist until completed.
If the checklist supports a periodic task, give a brief idea of how often the task
should be done.
-->
Follow these checklists to ensure that your Windows 11 SE devices are set up with a managed installer and that app deployment completed correctly.
<!--## Device setup (TAP only)
These checks must be done once per device.
> [!div class="checklist"]
>
> - AppLocker policy deployed
> - Policy shows as applied in Event Viewer
> - Detection script was successful
>
> - WDAC supplemental policy deployed
> - Use `citool -lp` to dump policies
> - Event viewer shows policy being applied
-->
This article contains a list of checklists related to the tasks in the Managed installer tutorial.
These checklists help to ensure that your Windows 11 SE devices are set up with a managed installer and that app deployment completed correctly.
## Deploy an application via Intune
@ -74,62 +41,3 @@ These checks must be done once per device.
> - Only applied to an updater or installer
> - Merge option used
> - Policy created in Intune and assigned to the correct groups
[Add your introductory paragraphs]
TODO: Add your introductory paragraphs
This checklist provides a convenient way to access information you may need to support [X] when using [Microsoft product].
<!--
- Avoid any indication of the time it takes to complete the checklist, because there's
already the "x minutes to read" at the top and making a second suggestion can be
contradictory. (The standard line is probably misleading, but that's a matter for
site design.)
- If your article includes several sections of checklists, consider an overview list
that links to the sections in the article. Use this approach sparingly, because it
encourages the reader to look at items out of order.
-->
<!-- 3. Checklist sections --------------------------------------------------------------
Required: Organize your items into one or more lists.
Each item can be a task to complete or a requirement that must be met.
Use a single H2 with a list or table or create more than one H2 each with a list
or table.
If you use more than one list, divide the items into groups that make sense.
-->
## <Checklist>
TODO: Add one or more lists.
<!-- 4. Link to additional information.
Optional: Present a section with more information about the tasks or prerequisites in
the list.
-->
## More information
TODO: Add optional section with more details.
<!-- 5. Next steps ----------------------------------------------------------------------
Required: Your checklist should always have a Next steps H2 that points to the next task
after completing the checklist.
The next task might be an installation task that requires the checklist.
For a single link, you can use the Next steps button.
For multiple next steps, use a short list with links and maybe a brief explanation.
-->
## Next steps
Advance to the next article to learn how to create...
> [!div class="nextstepaction"]
> [Next steps button](contribute-get-started-mvc.md)

44
education/windows/tutorial-managed-installer/considerations.md
View File

@ -1,44 +1,56 @@
---
title: Consideration before deploying apps with Managed Installer
description: Learn how to Consideration before deploying apps with Managed Installer
title: Additional considerations before deploying apps with managed installer
description: Learn about additional aspects to consider before deploying apps with managed installer.
ms.date: 02/24/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Additional considerations before deploying apps with Managed Installer
This article describes additional aspects to consider before deploying apps with managed installer.
## Autopilot and Enrollment Status Page
Autopilot and the Enrollment Status Page are compatible with Windows 11 SE. However, due to the E-Mode policy, devices can be blocked from completing enrollment if:
1. You have the enrollment status page to block device use until required apps are installed.
2. You are deploying an app that is blocked by the existing E-Mode policy, not installable via a managed installer (without additional policies), and not allowed by any supplemental policies or AppLocker policies.
1. You are deploying an app that is blocked by the existing E-Mode policy, not installable via a managed installer (without additional policies), and not allowed by any supplemental policies or AppLocker policies.
An example of this is if you deployed an app via the Store for Education, but have not written a supplemental policy to allow that app's PackageFamilyName.
In summary, if you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.
![](./images/autopilot.png)
### ESP mitigations
To ensure that you don't run into installation or enrollment blocks, you can do the following in accordance with your internal policies:
1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they are not compatible out-of-box, they either have a supplemental policy or AppLocker policy written for them.
If you need help writing a policy, see <section>.
2. Do not deploy apps that you have not validated. See here for more information.
3. Set your Enrollment Status Page configuration to not block device use based on required apps.
See more on:
- Autopilot: [Overview of Windows Autopilot | Microsoft Learn][MEM-1]
- Enrollment [Status Page: Windows Autopilot Enrollment Status Page | Microsoft Learn][MEM-2]
To learn more about Windows Autopilot, see [Overview of Windows Autopilot][MEM-1].
To learn more about the Enrollment Status Page, [Windows Autopilot Enrollment Status Page][MEM-2].
## Existing apps deployed in Intune
If you have Windows 11 SE machines that already have apps deployed through Intune, these apps will not get retroactively tagged with the mark of the "managed installer". This is to avoid making any security assumptions for these apps. You may need to redeploy these apps through Intune to get properly tagged with Managed Installer and allowed to run.
See [Windows 10 app deployment by using Microsoft Intune | Microsoft Docs][MEM-3] for more details on how to deploy Windows 10 apps through Microsoft Intune.
## Potential impact to events collected by any Log Analytics integrations
Log Analytics is a tool in the Azure Portal which customers may be using to collect data from AppLocker policy events. With this private preview, AppLocker policy will automatically be deployed on Win11 SE devices enrolled into an Intune EDU tenant. This will result in an increase in events generated by AppLocker policy (see [here][WIN-1]). If your organization is using Log Analytics, our recommendation is to please review your Log Analytics setup to:
- Understand your Log Analytics setup and ensure there is an appropriate data collection cap in place to avoid unexpected billing costs
If you have Windows 11 SE devices that already have apps deployed through Intune, these apps will not get retroactively tagged with the *managed installer* mark. The reason is to avoid making any security assumptions for these apps. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
## Potential impact to events collected by Log Analytics integrations
Log Analytics is a tool in the Azure Portal used to collect data from AppLocker policy events. Windows 11 SE device enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy.
If your organization is using Log Analytics, it's recommended to review your Log Analytics setup to:
- Ensure there is an appropriate data collection cap in place to avoid unexpected billing costs
- Turn off the collection of AppLocker events in Log Analytics (Error, Warning, Information) with the exception of MSI and Script logs
---
For more information, see [here][WIN-1]
[MEM-1]: https://learn.microsoft.com/mem/autopilot/windows-autopilot
[MEM-2]: https://learn.microsoft.com/mem/autopilot/enrollment-status
[MEM-3]: https://docs.microsoft.com/mem/intune/apps/apps-windows-10-app-deploy
[MEM-1]: /mem/autopilot/windows-autopilot
[MEM-2]: /mem/autopilot/enrollment-status
[MEM-3]: /mem/intune/apps/apps-windows-10-app-deploy
[WIN-1]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker

33
education/windows/tutorial-managed-installer/create-supplemental-policies.md → education/windows/tutorial-managed-installer/create-policies.md
View File

@ -7,17 +7,17 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
#Create additional policies for applications
# Create additional policies for applications
:::image type="content" source="./images/create-additional-policies.svg" alt-text="Diagram showing the three tutorial steps, highlighting the policy creation step." border="false":::
Additional policies can be written to allow applications that are [semi-compatible](./Validate-applications#compatible-apps) or [incompatible](Validate-applications#incompatible-apps) with the managed installer.
Additional policies can be written to allow applications that are [semi-compatible](./validate-apps#compatible-apps) or [incompatible](validate-appa#incompatible-apps) with the managed installer.
The following table details the two policy types to allow apps to run:
| **Policy type** | **How it works** | **When should I use this policy?** | **Security risk** |
|---|---|---|---|
| WDAC Supplemental policy | Directly allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy (Visible from the Event Viewer in the [CodeIntegrity events](./Troubleshooting#codeintegrity--operational-event-log)) | Low |
| WDAC Supplemental policy | Directly allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy (Visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot#codeintegrity--operational-event-log)) | Low |
| AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates which are blocked by the E-Mode policy | High |
> **Note**
@ -92,8 +92,10 @@ Set-CiPolicyIdInfo - FilePath <"Path to .xml from step 3"> -SupplementsBasePolic
> If you have created multiple supplemental policies for different apps, it's recommended to merge all supplemental policies together before deploying. You can merge policies using the WDAC Wizard.
### Writing a supplemental policy for a UWP Store app
UWP Microsoft Store apps unfortunately do not work out-of-box due to the Windows 11 SE E-Mode policy. A supplemental policy can be created and deployed to allow a Store app to run. UWP Store apps are somewhat simpler to write supplemental policies for.
### Writing a supplemental policy for a UWP LOB app
UWP apps don't work out-of-box due to the Windows 11 SE E-Mode policy. A supplemental policy can be created and deployed to allow a Store app to run.
1. On a non-Windows SE device, download, install, and launch the [WDAC Policy Wizard](https://webapp-wdac-wizard.azurewebsites.net/).
1. After launching choose "Policy Creator", then choose to create a Supplemental policy.
1. Choose a policy name and policy file location.
@ -107,8 +109,7 @@ UWP Microsoft Store apps unfortunately do not work out-of-box due to the Windows
- Rule action: Allow
- Rule type: Packaged App
- Package Name: Package name of app
1. This is available on the app's standard [Microsoft Store page](https://apps.microsoft.com/store/apps) in the "Configuration Manager ID" dialog of the Endpoint Manager link.
1. E.g. LEGOEducation.EV3ClassroomLEGOEducation_by3p0hsm2jzfy is the package name for the [EV3 Classroom LEGO Education](https://educationstore.microsoft.com/en-us/store/details/ev3-classroom-lego-education/9P8SJVZM63SZ) app, which can be found [here](https://apps.microsoft.com/store/detail/spike%E2%84%A2-3-lego%C2%AE-education/9NG9WXQ85LZM).
1. This can be retrieved via PowerShell (add sample here)
- If the app is not installed on your current PC, check the "Use Custom Package Family" box.
1. Click the Create button to the right of the Package Name. You should see the package added into the box below.
1. Click the Create Rule button.
@ -154,7 +155,7 @@ Policies can be deployed via Intune using a custom OMA-URI.
### Troubleshoot WDAC policies
For information how to troubleshoot WDAC supplemental policies, see [WDAC supplemental policy validation](./troubleshooting#wdac-supplemental-policy-validation)
For information how to troubleshoot WDAC supplemental policies, see [WDAC supplemental policy validation](./troubleshoot#wdac-supplemental-policy-validation)
## AppLocker policies
@ -197,17 +198,17 @@ Once finished, you can deploy the script via Intune. For more information, see [
### Troubleshoot AppLocker policies
For information how to troubleshoot AppLocker policies, see [WDAC supplemental policy validation](./troubleshooting#applocker---msi-and-script)
For information how to troubleshoot AppLocker policies, see [WDAC supplemental policy validation](./troubleshoot#applocker---msi-and-script)
---
[WIN-1]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/types-of-devices
[WIN-2]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy
[WIN-3]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies
[WIN-4]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune
[WIN-5]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy
[WIN-6]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer
[WIN-7]: https://learn.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/types-of-devices
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy
[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies
[WIN-4]: /windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune
[WIN-5]: /windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy
[WIN-6]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer
[WIN-7]: /windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy
[EXT-1]: https://webapp-wdac-wizard.azurewebsites.net/

4
education/windows/tutorial-managed-installer/toc.yml
View File

@ -5,8 +5,8 @@ items:
href: deploy-apps.md
- name: 2. Validate apps
href: validate-apps.md
- name: 3. Create supplemental policies
href: create-supplemental-policies.md
- name: 3. Create additional policies
href: create-policies.md
- name: Considerations for your tenant
href: considerations.md
- name: Troubleshoot and get help