diff --git a/education/windows/tutorial-deploy-apps-winse/images/create-policies.png b/education/windows/tutorial-deploy-apps-winse/images/create-policies.png index bf84d8fd09..08d3e14003 100644 Binary files a/education/windows/tutorial-deploy-apps-winse/images/create-policies.png and b/education/windows/tutorial-deploy-apps-winse/images/create-policies.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/deploy-app.png b/education/windows/tutorial-deploy-apps-winse/images/deploy-app.png index 68b35accdd..cae14e9016 100644 Binary files a/education/windows/tutorial-deploy-apps-winse/images/deploy-app.png and b/education/windows/tutorial-deploy-apps-winse/images/deploy-app.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/process.png b/education/windows/tutorial-deploy-apps-winse/images/process.png index a8cc8cdf24..176fc6d3c8 100644 Binary files a/education/windows/tutorial-deploy-apps-winse/images/process.png and b/education/windows/tutorial-deploy-apps-winse/images/process.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/images/validate-app.png b/education/windows/tutorial-deploy-apps-winse/images/validate-app.png index d9bec6e635..d5ca7edccf 100644 Binary files a/education/windows/tutorial-deploy-apps-winse/images/validate-app.png and b/education/windows/tutorial-deploy-apps-winse/images/validate-app.png differ diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md index 0cc85aaade..99326fd01d 100644 --- a/education/windows/tutorial-deploy-apps-winse/index.md +++ b/education/windows/tutorial-deploy-apps-winse/index.md @@ -15,11 +15,13 @@ This guide describes how to deploy applications to Windows 11 SE devices that ar Windows 11 SE is designed to provide a simplified and secure experience for students. Windows 11 SE prevents the installation and execution of third party applications with a technology called *Windows Defender Application Control (WDAC)*. -WDAC applies an *allowlist* (Code Integrity) policy called *E Mode*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.\ +WDAC applies an *allowlist* policy called *Windows 11 SE base policy*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy. + With the use of WDAC *supplemental policies*, Intune allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy. -Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in an Intune education tenant, it will automatically receive an AppLocker policy that sets the *Intune Management Extension (IME)* as a *managed installer*.\ -As a managed installer, any applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2] +Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in an Intune education tenant, it will automatically receive an AppLocker policy that sets the *Intune Management Extension (IME)* as a *managed installer*. + +As a managed installer, applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2] > [!NOTE] > End-users of Windows 11 SE devices still cannot install and use arbitrary applications without being blocked. Only IT admins can control what apps are allowed. diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index 9c547f2e14..edfed85b9e 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -33,7 +33,7 @@ Application installation depends on two factors: > [!IMPORTANT] > The Intune management extension agent checks every hour (or on service or device restart) for any new Win32 app assignments. -If the E Mode policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices. +If the Windows 11 SE base policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices. ## Check for installation @@ -150,8 +150,8 @@ Select one of the following options to learn the next steps: > - [Important deployment considerations](considerations.md) > [!div class="nextstepaction"] -> [Create policies](create-policies.md) [Important deployment considerations](considerations.md) -> [Important deployment considerations](considerations.md) +> [Next: Create policies>](create-policies.md) [Next: Important deployment considerations>](considerations.md) + [M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education