This commit is contained in:
Paolo Matarazzo
2023-03-06 11:03:01 -05:00
parent af7238d9b8
commit 6c49c6db41
7 changed files with 109 additions and 32 deletions

View File

@ -11,7 +11,7 @@ appliesto:
:::image type="content" source="./images/deploy-app.png" alt-text="Diagram showing the three tutorial steps, highlighting the app deployment step." border="false":::
The process to deploy applications to Windows SE devices via Microsoft Intune is the same used for non-SE devices.\
The process to deploy applications to Windows SE devices via Microsoft Intune is the same used for non-SE devices. Applications must be defined in Intune, and then assigned to the correct groups.\
However, on Windows SE devices, apps may successfully install, but they need validation to be certain that they're functional.
The following table provides an overview of the applications types that can be deployed to Windows devices via Intune, and considerations about the installation on Windows SE:
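Review bot: the unchanged context line closing this hunk reads "the applications types that can be deployed"; since the paragraph is being edited anyway, fix it to "the application types that can be deployed". In the new sentence, "Applications must be defined in Intune, and then assigned to the correct groups." reads better without the comma before "and then".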
@ -19,24 +19,22 @@ The following table provides an overview of the applications types that can be d
|**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**|
|-|-|-|-|
|[Win32][WIN-1]|`.exe`<br>`.msi`|- Intune Management Extension (IME)<br> - Microsoft Store integration|⚠️ There are known limitations that might prevent a specific app from being installed.|
|[Universal Windows Platform (UWP)][UWP-1]|`.appx`<br>`.appxbundle`<br>`.msix`<br>|- For private apps: line-of-business apps<br>- For public apps: Microsoft Store integration|⚠️ LOB apps require a supplemental policy.<br><br>⛔ It's currently unsupported to use the Microsoft Store to deploy UWP apps on Windows SE.|
|[Universal Windows Platform (UWP)][WIN-2]|`.appx`<br>`.appxbundle`<br>`.msix`<br>|- For private apps: line-of-business apps<br>- For public apps: Microsoft Store integration|⚠️ LOB apps require a supplemental policy.<br><br>⛔ It's currently unsupported to use the Microsoft Store to deploy UWP apps on Windows SE.|
|[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies<br>- Microsoft Store integration|✅ Use settings catalog policies.<br><br>⛔ It's currently unsupported to use the Microsoft Store to deploy PWAs.|
|Web links| n/a |- Windows web links|✅ Web links are supported.|
> [!IMPORTANT]
> Although you'll be able to install apps on Windows 11 SE devices via Intune, some apps may not perform well on these devices due those apps' minimum spec requirements.
>
> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices, and ensure that they meet the requirements. Ensure that apps which were previously blocked from installing or running are no longer unintentionally being provisioned once the managed installer policies are introduced.
> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices, and ensure that they meet the requirements.
## Win32 apps
The addition of Win32 applications to Intune consists of repackaging the apps and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
> [!IMPORTANT]
> There are known limitations that might prevent a specific app from being installed. For more information, see the next section [validate applications](validate-apps.md).
> Ensure that apps which were previously blocked from installing or running are no longer unintentionally being provisioned once the managed installer policies are introduced.
> [!NOTE]
> While Win32 apps can be deployed through the Microsoft Store integration with Intune, it's currently an unsupported deployment method for Windows 11 SE.
There are known limitations that might prevent applications from being installed or executed. For more information, see the next section [validate applications](validate-apps.md).
## UWP apps
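Review bot: the Win32 row of the table still lists Microsoft Store integration as an available installation method with only the generic "known limitations" caveat, while the new NOTE below it states "While Win32 apps can be deployed through the Microsoft Store integration with Intune, it's currently an unsupported deployment method for Windows 11 SE"; give the Win32 row the same ⛔ marker the UWP and PWA rows carry, e.g. "⛔ It's currently unsupported to use the Microsoft Store to deploy Win32 apps on Windows SE." Moving "Ensure that apps which were previously blocked from installing or running are no longer unintentionally being provisioned once the managed installer policies are introduced." into the Win32 IMPORTANT block is the right place for it, but it is the one security caveat of this whole change (once IME is a managed installer, whatever is assigned through it is allowed to install and run), so state it plainly: audit existing Win32 assignments that target SE groups before the managed installer policy lands, because assignments the E-Mode allowlist silently blocked until now will start installing. Also, in the unchanged context "due those apps' minimum spec requirements" is missing "to".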
@ -83,5 +81,5 @@ Advance to the next article to learn how to validate the applications deployed t
[MEM-2]: /mem/intune/apps/lob-apps-windows
[MEM-3]: /mem/intune/configuration/settings-catalog
[MEM-4]: /mem/intune/apps/web-app
[UWP-1]: /windows/uwp/get-started/universal-application-platform-guide
[WIN-1]: /windows/win32
[WIN-2]: /windows/uwp/get-started/universal-application-platform-guide

View File

@ -0,0 +1,89 @@
---
title: Sign and deploy policies for applications
description: Learn how to sign and deploy the policies for applications.
ms.date: 03/03/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Deploy policies for applications
This tutorial shows you how to deploy policies for applications.
## Sign and deploy WDAC supplemental policies
### Sign WDAC policies
Follow the instructions below when you want to sign and deploy your WDAC supplemental policy.
- Create a supplemental policy with the instructions found above
- Sign the policy
- Deploy the signed policy file via Intune
### Deploy WDAC policies
Policies can be deployed via Intune using a custom OMA-URI.
> [!TIP]
> To prevent these policies from being applied to non-Windows SE devices, you can create and target a group with only Windows 11 SE devices in it, or use assignment filters.
[Deploy WDAC policies using Mobile Device Management][WIN-4]
### Troubleshoot WDAC policies
For information how to troubleshoot WDAC supplemental policies, see [WDAC supplemental policy validation](./troubleshoot.md#wdac-supplemental-policy-validation)
### Deploy AppLocker policies
Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune.
You can create a PowerShell script that stores the contents of the policy in a variable, then use the Set-AppLockerPolicy command to merge it in. Here's a sample function that does that:
```PowerShell
function MergeAppLockerPolicy([string]$policyXml)
{
$policyFile = '.\AppLockerPolicy.xml'
$policyXml | Out-File $policyFile
Write-Host "Merging and setting AppLocker policy"
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
Remove-Item $policyFile
}
```
> **Warning**
>
> Intune deploys a script with the AppLocker policy to set Intune Management Extension as a managed installer on all Windows 11 SE devices enrolled into an Intune EDU tenant. If an EDU customer wishes to deploy their own AppLocker policy to set another Managed Installer (in addition to Intune), please be sure to ensure the `-Merge` parameter is used with `Set-AppLockerPolicy`. This will ensure that it plays well with Intune's AppLocker policy. Without using the `-Merge` parameter when deploying to Windows 11 SE devices, it will result in issues with apps getting tagged properly and their ability to run on impacted devices. Learn more about AppLocker Merge policy: Merge AppLocker policies by using [Set-ApplockerPolicy (Windows) | Microsoft Learn][WIN-7]
Once finished, you can deploy the script via Intune. For more information, see [Add PowerShell scripts to Windows devices in Microsoft Intune][MEM-1].
### Troubleshoot AppLocker policies
For information how to troubleshoot AppLocker policies, see [WDAC supplemental policy validation](./troubleshoot.md#applocker---msi-and-script)
## Next steps
Before moving on to the next section, ensure that you've completed the following tasks.
For a WDAC supplemental policy:
> [!div class="checklist"]
> - Signed .cip .p7b file with Device Guard
> - Targets Base policy: `82443e1e-8a39-4b4a-96a8-f40ddc00b9f3`
> - Policy created in Intune and assigned to the correct groups
> - Policy applied in Event Viewer
For an AppLocker policy
> [!div class="checklist"]
> - Only applied to an updater or installer
> - Merge option used
> - Policy created in Intune and assigned to the correct groups
Advance to the next article to learn how to troubleshoot common errors when deploying apps with managed installer.
> [!div class="nextstepaction"]
> [Next: deploy policies >](deploy-policies.md)
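Review bot: the next-step link at the bottom points back at this same article, "[Next: deploy policies >](deploy-policies.md)", while the sentence above it promises the troubleshooting article; change the target to troubleshoot.md and the label to match. The body uses reference-style links [WIN-4], [WIN-7] and [MEM-1], but no link definitions appear in the new file as shown, so they will render as literal bracketed text; add the definitions block the other articles in this tutorial carry. The sample function calls `Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue`, so a malformed or rejected policy leaves the device without the intended rules while the Intune script still reports success; use `-ErrorAction Stop` (or test `$?` and `exit 1`) so the failure shows up in the script status, and write the temporary XML under `$env:TEMP` rather than `.\AppLockerPolicy.xml`, since the current directory of an Intune-delivered script is whatever IME's working directory happens to be. Smaller points: the frontmatter title and description still say "Sign and deploy policies for applications" while the H1 and the renamed TOC entry say "Deploy policies"; "Create a supplemental policy with the instructions found above" refers to nothing in this file (those instructions live in the previous article, create-policies.md); the AppLocker troubleshooting link is labelled "WDAC supplemental policy validation" but targets the AppLocker section; and "> **Warning**" should use the `> [!WARNING]` alert syntax the page already uses for `> [!TIP]`.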

File diff suppressed because one or more lines are too long


View File

@ -9,7 +9,7 @@ appliesto:
# Tutorial: deploy applications to Windows 11 SE with Intune
This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create additional policies to allow apps that aren't installable or don't behave as intended.
This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create policies to allow apps that aren't installable or don't behave as intended.
## Windows 11 SE and application deployment
@ -18,7 +18,7 @@ Windows 11 SE is designed to provide a simplified and secure experience for stud
WDAC applies an *allowlist* policy called *E-Mode*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E-Mode policy.\
With the use of WDAC *supplemental policies*, Microsoft allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy.
Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in Microsoft Intune, it will automatically receive polices that enable the *Intune Management Extension (IME)* as a *managed installer*.\
Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in Microsoft Intune, it will automatically receive policies that enable the *Intune Management Extension (IME)* as a *managed installer*.\
As a managed installer, any applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2]
> [!NOTE]
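Review bot: the "polices" to "policies" fix is correct, but this paragraph is where the security consequence of the feature is stated ("any applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement") and nothing here tells the admin what that means for assignments they already have; add one sentence that existing Intune app assignments targeting SE devices, which E-Mode blocked until now, will start installing once the managed installer policy is received and should be reviewed before enrolment (the deploy-apps article in this same commit carries that caveat in its Win32 section). Also hyphenate "third party applications" as "third-party applications".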

View File

@ -1,12 +0,0 @@
---
title: Sign and deploy policies for applications
description: Learn how to sign and deploy the policies for applications.
ms.date: 03/03/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Sign and deploy additional policies for applications
This tutorial shows you how to sign and deploy additional policies for applications.

View File

@ -9,8 +9,8 @@ items:
items:
- name: Create policies
href: create-policies.md
- name: Sign and deploy policies
href: sign-deploy-policies.md
- name: Deploy policies
href: deploy-policies.md
- name: Troubleshoot and get help
href: troubleshoot.md
- name: Considerations for your tenant

View File

@ -21,7 +21,7 @@ Application validation consists of the following steps:
1. Inspect the app and take note of any potential problems
> [!NOTE]
> Apps must be validated on a case-by-case basis. A successful installation doesn't mean that the app will run properly. A successful execution of the app, doesn't mean it will *always* run properly. More details about these behaviors are provided below.
> Apps must be validated on a case-by-case basis. A successful installation doesn't mean that the app will run properly. A successful execution of the app, doesn't mean it will *always* run properly.
## Wait for the application to install
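Review bot: the retained note keeps the stray comma in "A successful execution of the app, doesn't mean it will *always* run properly"; drop it while the line is being touched. This note is also the natural place to say why: under a managed installer a successful install only means the installer itself was trusted, not every binary the app later drops or downloads, which is exactly the launcher/updater case the "Here are things to pay attention to" list lower in the file calls out.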
@ -63,7 +63,7 @@ To check the installation status of an app from the Intune portal:
> A Win32 application may install correctly, but report to Intune as failed.\
> A Win32 app may also fail to install, but report as installed to Intune.
>
> In both cases, the issue is in the detection rules defined in Intune, which must be configured correctly to detect the installation of the app.
> In both cases, the issue may be in the detection rules defined in Intune, which must be configured correctly to detect the installation of the app.
### Check for installation on the device
@ -87,7 +87,7 @@ Here are things to pay attention to:
- Dialogs may pop up during the app use, indicating that something is blocked
- Multiple apps are installed, especially if one app appears to be a launcher/updater. For example, Adobe Photoshop includes the Adobe Creative Cloud launcher, which updates Photoshop and other apps
- Any messages indicating that the app is doing pre-installation work or downloading more content
- Event logs found in **CodeIntegrity > Operational**, and **AppLocker - MSI and Script**
- Logs in the Event Viewer
### Compatible apps
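Review bot: replacing "Event logs found in **CodeIntegrity > Operational**, and **AppLocker - MSI and Script**" with "Logs in the Event Viewer" loses the channel names at the point where the reader is told what to watch for; either keep the two channel names in the bullet or make it a link to the "Event Viewer" section below, which lists them.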
@ -112,7 +112,12 @@ You may see a dialog indicating **This app won't run on your PC**. Check the ind
### Event Viewer
More detail can be obtained when looking for events indicating blocked executables in the Event Viewer.\
The event logs are **CodeIntegrity > Operational**, and **AppLocker - MSI and Script**. For more information, see [AppLocker - MSI and Script](troubleshoot.md#applocker---msi-and-script).
The event logs are:
- **CodeIntegrity > Operational**
- **AppLocker - MSI and Script**
For more information, see [AppLocker - MSI and Script](troubleshoot.md#applocker---msi-and-script).
## Known limitations