mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
updates based on raised issues
@ -13,7 +13,7 @@ This article describes important aspects to consider before deploying apps with
## Existing apps deployed in Intune
If you have Windows 11 SE devices that already have apps deployed through Intune, the apps won't get retroactively tagged with the *managed installer* mark. The reason is to avoid making any security assumptions for these apps. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
If you have Windows 11 SE devices that already have apps deployed through Intune, the apps won't get retroactively tagged with the *managed installer* mark. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
## Enrollment Status Page
@ -22,7 +22,7 @@ The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due
1. You have the ESP configured to block device use until required apps are installed, and
2. You deploy an app that is blocked by the Windows 11 SE base policy, not installable via a managed installer (without more policies), and not allowed by any supplemental policies or AppLocker policies
For example, if you deploy a UWP LOB app but have deployed a supplemental policy to allow the app, ESP will fail.
For example, if you deploy a UWP LOB app but haven't deployed a supplemental policy to allow the app, ESP will fail.
If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.
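Review bot: the change from "have deployed" to "haven't deployed" in the UWP LOB example corrects an inverted condition (the numbered list just above says ESP fails when the app is not allowed by any supplemental policy), so this is the right fix. Two smaller points in the same hunk: the second numbered item has no terminal punctuation while the first ends with ", and", and the closing sentence "If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation" reads awkwardly; suggest "If you configure the ESP to block device use until required apps are installed, make sure none of those apps are blocked from installing."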
@ -32,7 +32,7 @@ If you choose to block device use on the installation of apps, you must ensure t
To ensure that you don't run into installation or enrollment blocks, you can pick one of the following options, in accordance with your internal policies:
1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they aren't compatible out-of-box, they either have the correspondent supplemental policy or AppLocker policy to allow them
1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they aren't compatible out-of-box, have the corresponding supplemental policy to allow them
2. Don't deploy apps that you haven't validated
3. Set your Enrollment Status Page configuration to not block device use based on required apps
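Review bot: the revised item 1 removes "or AppLocker policy" as a way to allow an app that isn't compatible with the managed installer flow, but the rest of the article still lists AppLocker policies as an allow mechanism (the ESP failure condition in the previous hunk says "not allowed by any supplemental policies or AppLocker policies", and the next-steps section says "create and deploy WDAC or AppLocker policies"). Either the omission is intentional and those passages should be updated to match, or "or AppLocker policy" should stay here. The "correspondent" to "corresponding" fix and the dropped "they either" are correct.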
@ -40,12 +40,12 @@ To learn more about the ESP, see [Set up the Enrollment Status Page][MEM-1].
## Potential impact to events collected by Log Analytics integrations
Log Analytics is a cloud service that can be used to collect data from AppLocker policy events. Windows 11 SE device enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy.
Log Analytics is a cloud service that can be used to collect data from AppLocker policy events. Windows 11 SE devices enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy.
If your organization is using Log Analytics, it's recommended to review your Log Analytics setup to:
- Ensure there's an appropriate data collection cap in place to avoid unexpected billing costs
- Turn off the collection of AppLocker events in Log Analytics (Error, Warning, Information) except for MSI and Script logs
- Turn off the collection of non-error AppLocker events in Log Analytics, except for MSI and Script logs
For more information, see [Use Event Viewer with AppLocker][WIN-1]
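Review bot: replacing "AppLocker events in Log Analytics (Error, Warning, Information)" with "non-error AppLocker events" is a substantive change, not a wording fix: the old bullet told admins to stop collecting every AppLocker level, the new one keeps Error-level events. Keeping errors while dropping the Warning and Information volume is a reasonable trade-off against the cost concern raised in the first bullet, but nothing in the hunk or the commit message ("updates based on raised issues") says why; suggest one clause of rationale, and clarifying what "except for MSI and Script logs" applies to (all levels for those two logs, or only errors?). The "device" to "devices" fix in the first paragraph is fine, and the closing "For more information, see ..." line is missing its period.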
@ -60,12 +60,12 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
> [!NOTE]
> **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}** is the base policy, which is what restricts most third-party apps from running. If you see another policy ID, it's worth taking note of that.
Alternatively you can use `cidiag.exe /stop`, which parses and copies all the relevant events to a text file.
Alternatively you can use `cidiag.exe /stop`, which copies all potentially relevant logs and policy files to a folder. The command also parses the critical events from the **CodeIntegrity** and **AppLocker** logs to a text file.
## AppLocker policy validation
> [!NOTE]
> The validation process described below requires access to PowerShell, which is not available on Windows SE devices. The process can be used to validate the policy from non-SE devices.
> The validation process described below requires the deployment of a PowerShell script from Intune to the Windows SE devices. This script will be used to query the AppLocker policy and validate that the policy is configured correctly. The script will also be used to validate the AppLocker service status.
You can query the existing AppLocker policy via PowerShell running from a device.
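Review bot: the new NOTE reverses the old one on a point the reader needs settled: the old text said PowerShell isn't available on Windows SE devices and validation must run from non-SE devices, while the new text says to deploy a PowerShell script from Intune to the SE devices. If the new guidance is correct, the unchanged sentence that follows ("You can query the existing AppLocker policy via PowerShell running from a device") should say the query runs as an Intune-deployed script, so readers don't attempt an interactive session. The last two sentences of the note also repeat each other ("This script will be used to ... The script will also be used to ..."); suggest merging them: "The script queries the AppLocker policy, validates its configuration, and checks the AppLocker service status." Also "Windows SE" here vs "Windows 11 SE" elsewhere in the article. The expanded description of `cidiag.exe /stop` is an improvement.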
@ -27,7 +27,7 @@ Application validation consists of the following steps:
Application installation depends on two factors:
- When the managed installer policies are applied to the device
- When the managed installer policies are applied to the device. These policies are automatically applied to Windows SE devices when they are enrolled in Intune
- When the apps are deployed to a device
> [!IMPORTANT]
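Review bot: the added clause "These policies are automatically applied to Windows SE devices when they are enrolled in Intune" turns the first bullet into a fragment followed by a full sentence, with no punctuation between "device" and "These", while the second bullet ("When the apps are deployed to a device") stays a fragment. Suggest either folding it in, "When the managed installer policies are applied to the device (automatically, on Intune enrollment)", or adding a period after "device" and at the end of the sentence. Same "Windows SE" vs "Windows 11 SE" naming point as in the earlier hunk.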
@ -143,15 +143,11 @@ Before moving on to the next section, ensure that you've completed the following
Select one of the following options to learn the next steps:
- If the apps don't work as expected, you must create and deploy WDAC or AppLocker policies to allow the apps to run
> [!div class="nextstepaction"]
> [Next: Create policies>](create-policies.md)
- If the applications you are deploying don't have any issues, you can skip to important considerations when deploying apps and policies
> [!div class="op_single_selector"]
> - [Create policies](create-policies.md)
> - [Important deployment considerations](considerations.md)
> [!div class="nextstepaction"]
> [Next: Create policies>](create-policies.md) [Next: Important deployment considerations>](considerations.md)
> [!div class="nextstepaction"]
> [Next: Important deployment considerations>](considerations.md)
[M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education
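Review bot: one of the nextstepaction divs in this hunk puts two "Next:" links on a single line ("[Next: Create policies>](create-policies.md) [Next: Important deployment considerations>](considerations.md)"), which renders as two buttons that both say "Next" with nothing tying them to the two bullets above; the op_single_selector variant at least presents the two destinations as an explicit choice. Whichever form survives, suggest one nextstepaction per bullet, placed directly under the bullet it belongs to, as the block under the first bullet ("If the apps don't work as expected ...") does. Minor: the two bullets switch between "apps" and "applications", and "you are deploying" could be "you're deploying" to match the contraction style used elsewhere in the article ("don't", "haven't").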