From 7c4c32bfc1acee248a99aebb50c5c947e26ee4c6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 7 Apr 2023 12:32:47 -0400 Subject: [PATCH] hidden WDAC references --- .../tutorial-deploy-apps-winse/considerations.md | 4 ++-- .../tutorial-deploy-apps-winse/create-policies.md | 14 +++++++++++++- .../tutorial-deploy-apps-winse/deploy-apps.md | 14 ++++++++------ .../tutorial-deploy-apps-winse/deploy-policies.md | 13 +++++++++++-- .../tutorial-deploy-apps-winse/validate-apps.md | 4 +++- 5 files changed, 37 insertions(+), 12 deletions(-) diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md index 2f7d76cc1e..646d36ae79 100644 --- a/education/windows/tutorial-deploy-apps-winse/considerations.md +++ b/education/windows/tutorial-deploy-apps-winse/considerations.md @@ -21,8 +21,8 @@ The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due 1. You have the ESP configured to block device use until required apps are installed, and 2. You deploy an app that is blocked by the Windows 11 SE base policy, not installable via a managed installer (without more policies), and not allowed by any supplemental policies or AppLocker policies - -For example, if you deploy a UWP LOB app but haven't deployed a supplemental policy to allow the app, ESP will fail. + If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation. diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md index df18c5c8e3..0ae09cc739 100644 --- a/education/windows/tutorial-deploy-apps-winse/create-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md 
@@ -11,6 +11,9 @@ appliesto: :::image type="content" source="./images/create-policies.png" alt-text="Diagram showing the three tutorial steps, highlighting the policy creation step." border="false"::: +You can create AppLocker policies to allow apps that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer to run. + + + +Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.\ + To allow apps to run by setting their installers as managed installers, follow the guidance here: - [Edit an AppLocker policy][WIN-5] - [Allow apps deployed with a WDAC managed installer][WIN-6] ## Next steps - + Before moving on to the next section, ensure that you've completed the following tasks. For a WDAC supplemental policy: @@ -169,6 +178,9 @@ For an AppLocker policy: > - Created the policy with the **Merge** option Advance to the next article to learn how to deploy the WDAC supplemental policies or AppLocker policies to Windows 11 SE devices. +--> + +Advance to the next article to learn how to deploy the AppLocker policies to Windows 11 SE devices. > [!div class="nextstepaction"] > [Next: deploy policies >](deploy-policies.md) diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md index bf1d1d0679..fa4f3dcc0a 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md 
@@ -19,8 +19,8 @@ The following table provides an overview of the applications types that can be d |**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**| |-|-|-|-| |[Win32][WIN-1]|`.exe`
`.msi`|- Intune Management Extension (IME)
- Microsoft Store integration|⚠️ There are known limitations that might prevent an app to install or run.| -|[Universal Windows Platform (UWP)][WIN-2]|`.appx`
`.appxbundle`
`.msix`
|- For private apps: line-of-business (LOB) apps
- For public apps: Microsoft Store integration|⚠️ LOB apps require a supplemental policy.

⛔ It's currently unsupported to use the Microsoft Store to deploy UWP apps.| -|[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies
- Microsoft Store integration|✅ Use settings catalog policies.

⛔ It's currently unsupported to use the Microsoft Store to deploy PWAs.| +|[Universal Windows Platform (UWP)][WIN-2]|`.appx`
`.appxbundle`
`.msix`
|- For private apps: line-of-business (LOB) apps
- For public apps: Microsoft Store integration|⛔ It's currently unsupported to deploy UWP apps.| +|[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies
- Microsoft Store integration|✅ PWAs are supported.| |Web links| n/a |- Windows web links|✅ Web links are supported. | > [!IMPORTANT] @@ -38,7 +38,9 @@ There are known limitations that might prevent applications to install or execut ## UWP apps -### Line of business apps +It's currently unsupported to deploy UWP apps. + + ## PWA apps -PWAs can be deployed using the [Force-installed web Apps][EDGE-1] option via [settings catalog policies][MEM-3]. +PWAs can be deployed using the [Force-installed web Apps][EDGE-1] option via [settings catalog policies][MEM-3], or using the Microsoft Store integration with Intune. -PWAs available in the Microsoft Store aren't currently supported for Windows 11 SE. + ## Web links diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md index 72dd4cc011..1276f26a4a 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-policies.md 
@@ -1,15 +1,20 @@ --- title: Deploy policies to enable applications -description: Learn how to sign WDAC policies and how to deploy WDAC and AppLocker policies to enable apps execution on Windows SE devices. +description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices. ms.date: 03/07/2023 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later --- + + # Deploy policies to enable applications -Once the policies are created, you must deploy them to the Windows SE devices. +Once the policies are created, you must deploy them to the Windows SE devices.\ +AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices. + + + ## Deploy AppLocker policies Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune. @@ -60,6 +67,7 @@ For information how to validate and troubleshoot AppLocker policies, see [AppLoc ## Next steps + Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices. diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index a45c64e2c7..a818e91565 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -1,7 +1,7 @@ --- title: Validate the applications deployed to Windows SE devices description: Learn how to validate the applications deployed to Windows SE devices via Intune. -ms.date: 03/09/2023 +ms.date: 04/07/2023 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later 
@@ -125,8 +125,10 @@ Not all apps are compatible with managed installers, even after installation. To learn about known limitations with apps deployed via a managed installer, see [Known limitations with managed installer][WIN-1]. + ## Section review
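Review bot: in the considerations.md hunk, item 2 of the list still names "supplemental policies" as one of the allow mechanisms, while the same hunk removes the only sentence that explained that term to the reader ("For example, if you deploy a UWP LOB app but haven't deployed a supplemental policy to allow the app, ESP will fail."). Since the point of the patch is to hide WDAC references, either drop the "supplemental policies" clause from item 2 as well or keep the example so the two stay consistent. The removal also leaves an added empty "+" line directly before "If you choose to block device use on the installation of apps", so check that the list and the closing paragraph are still separated by exactly one blank line.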
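Review bot: in the first create-policies.md hunk, the new paragraph ends with a trailing backslash hard line break ("...will be allowed to run.\") immediately before the "To allow apps to run by setting their installers as managed installers" sentence; a plain paragraph break reads better there. The sentence it closes is a security warning (anything downloaded or installed by a managed installer is trusted to run, so a browser set as a managed installer lets everything it downloads execute), and it deserves a callout in the "> [!IMPORTANT]" style already used in deploy-apps.md rather than running on into the how-to sentence. The three content-less "+" lines between the two new paragraphs also look like leftover placeholders; collapse them to one blank line unless one of them carries the comment marker that the "-->" in the later hunk closes.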
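Review bot: in the second create-policies.md hunk, the added "+-->" closes a comment whose opening is not visible in this hunk; if that opening sits in the earlier hunk, everything in between is hidden, including the AppLocker part of the checklist ("For an AppLocker policy:" / "Created the policy with the **Merge** option"), so the "Next steps" section would show no checklist at all even though AppLocker is the only policy type the tutorial still describes. Move the closing marker above the AppLocker items so those stay visible, and confirm the opening marker exists, otherwise the bare "-->" renders as literal text next to the new "Advance to the next article to learn how to deploy the AppLocker policies" line.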
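Review bot: in the deploy-apps.md table hunk, the UWP row is internally inconsistent after the change: the "Available installation methods via Intune" cell still lists "For private apps: line-of-business (LOB) apps" and "For public apps: Microsoft Store integration", while the "Considerations for Windows 11 SE" cell now says "It's currently unsupported to deploy UWP apps." Either replace the installation-methods cell with "n/a", as the "Web links" row already does, or qualify the considerations text so the two columns agree. The PWA row ("✅ PWAs are supported." with Microsoft Store integration kept as a method) matches the later PWA hunk and needs no change.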
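Review bot: the second deploy-apps.md hunk goes beyond hiding WDAC references: it replaces the "### Line of business apps" subsection with a blanket "It's currently unsupported to deploy UWP apps." and reverses the PWA statement, removing "PWAs available in the Microsoft Store aren't currently supported for Windows 11 SE." and adding "or using the Microsoft Store integration with Intune". Neither the subject line "hidden WDAC references" nor the considerations.md changes mention a support change for Store-delivered PWAs, so state it in the commit message (or split it into its own change) and, if it is intentional, bump ms.date in deploy-apps.md as the validate-apps.md hunk does.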
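Review bot: in the first deploy-policies.md hunk, the description and the introduction are rewritten but "ms.date: 03/07/2023" is left untouched in the same hunk, while validate-apps.md is bumped to 04/07/2023; update it for consistency. The new intro again uses a trailing backslash hard break ("...Windows SE devices.\") to glue "AppLocker policies can be deployed via Intune." onto the previous sentence, and "apps execution" in both the description and the new sentence should read "app execution". The content-less "+" lines around the heading and after the intro look like comment placeholders; make sure each opening marker has its closing marker, because an unclosed comment here would hide the "## Deploy AppLocker policies" section that follows.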