From c3dfbef5e35a4742f68eb3aa6dbddf3971478f2b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 6 Mar 2023 16:16:07 -0500 Subject: [PATCH] updates --- .../create-policies.md | 65 +++++++------------ .../tutorial-deploy-apps-winse/deploy-apps.md | 7 +- .../tutorial-deploy-apps-winse/index.md | 4 +- .../validate-apps.md | 16 +++-- 4 files changed, 37 insertions(+), 55 deletions(-) diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md index ef2f9ceec1..f97dfce8f8 100644 --- a/education/windows/tutorial-deploy-apps-winse/create-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md @@ -1,13 +1,13 @@ --- -title: Create additional policies for applications -description: Learn how to create additional policies for applications. +title: Create policies to enable applications +description: Learn how to create policies to enable the installation and execution of apps on Windows SE. ms.date: 03/06/2023 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later --- -# Create additional policies for applications +# Create policies to enable applications :::image type="content" source="./images/create-policies.png" alt-text="Diagram showing the three tutorial steps, highlighting the policy creation step." border="false"::: 
@@ -17,7 +17,7 @@ The following table details the two policy types to allow apps to run: | **Policy type** | **How it works** | **When should I use this policy?** | **Security risk** | |---|---|---|---| -| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy. The blocked executable are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md)) | Low | +| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy. The blocked executables are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md) | Low | | AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates which are blocked by the E-Mode policy | High | > [!NOTE] @@ -27,7 +27,7 @@ The following table details the two policy types to allow apps to run: You can create WDAC supplemental policies and then deploy them through Intune. -To allow apps to install and run, you must write supplemental policies targeting the correct base policy. The base policy that you must target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`. +To allow apps to install and run, you must write *supplemental policies* targeting the correct base policy. The base policy that you must target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`. ### Create a supplemental policy for Win32 apps 
@@ -58,13 +58,13 @@ There are different ways to write a supplemental policy. The suggested method is 4. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *Base*. ```PowerShell - Set-CiPolicyIdInfo -FilePath -BasePolicyToSupplementPath + Set-CiPolicyIdInfo -FilePath "" -BasePolicyToSupplementPath "" ``` 5. From an elevated PowerShell session, run the following command to activate the policy: ```cmd - citool.exe -up <"Path to the .cip file"> + citool.exe -up '' ``` 6. Clear the two event logs: @@ -74,7 +74,7 @@ There are different ways to write a supplemental policy. The suggested method is 8. Once you have a policy that works for your app, reset the supplemental policy's Base policy to the official Windows 11 SE BasePolicyId. From an elevated PowerShell session, run the following command: ```PowerShell -Set-CiPolicyIdInfo - FilePath <"Path to .xml from step 3"> -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}" +Set-CiPolicyIdInfo -FilePath "" -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}" ``` > [!NOTE] 
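Review bot: the placeholders in the step 4, 5 and 8 commands were changed to empty quoted strings (`Set-CiPolicyIdInfo -FilePath "" -BasePolicyToSupplementPath ""`, `citool.exe -up ''`), so a reader who pastes them gets a syntactically valid command that fails on an empty path instead of an obvious fill-me-in marker. Suggest descriptive bracketed placeholders, e.g. `Set-CiPolicyIdInfo -FilePath "<path to .xml from step 3>" -BasePolicyToSupplementPath "<path to E-Mode audit policy .xml>"` and `citool.exe -up "<path to .cip file>"`. The step 5 fence is also still tagged `cmd` although the text says to run it from an elevated PowerShell session; tag it `PowerShell` like the others. The `- FilePath` to `-FilePath` spacing fix in step 8 is correct and was a real bug.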
@@ -90,25 +90,24 @@ For additional information: - Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2] - [WDAC Policy Wizard][EXT-1] -### Write a supplemental policy for UWP LOB apps +### Create a supplemental policy for UWP LOB apps UWP apps don't work out-of-box due to the Windows 11 SE E-Mode policy. You can create and deploy a supplemental policy using these steps: 1. On a **non-Windows SE device**, download, install, and launch the [WDAC Policy Wizard][EXT-1] -1. After launching choose **Policy Creator** > **create a Supplemental policy** -1. Choose a policy name and policy file location -1. To set a Base policy that the supplemental policy will apply to, the WDAC Wizard includes a template policy called **WinSEPolicy.xml based** on Windows 11 SE E-Mode: - - Open the WDAC Wizard and select Policy Editor - - In the Policy Path to Edit field, browse for %ProgramFiles%\WindowsApps\Microsoft.WDAC and select the file called WinSEPolicy.xml. Click the Next button. -1. On Policy Rules, click the Next button. -1. On Signing Rules, click Add Custom Rule. -1. In the custom rules wizard, choose: - - Rule scope: Usermode Rule only - - Rule action: Allow - - Rule type: Packaged App - - Package Name: Package name of app -1. This can be retrieved via PowerShell (add sample here) - - If the app is not installed on your current PC, check the "Use Custom Package Family" box. +1. Open the **WDAC Wizard** and select **Policy Creator > Supplemental policy** + - Choose a **Policy Name** and **Policy File Location** + - In the **Base Policy** path to, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next** + - In **Policy Rules**, select **Next** + - In **Signing Rules**, select **Add Custom Rule** and choose: + - **Rule scope**: **Usermode Rule** + - **Rule action**: **Allow** + - **Rule type**: **Packaged App** + - **Package Name**: specify the package name of app. 
This can be retrieved via PowerShell using the following command: + ```PowerShell + Get-AppxPackage -Name <"App Name"> | Select PackageFullName + ``` + If the app is not installed on your current PC, check the "Use Custom Package Family" box. 1. Click the Create button to the right of the Package Name. You should see the package added into the box below. 1. Click the Create Rule button. 1. Back in the WDAC Policy Wizard, click the Next button. @@ -146,31 +145,13 @@ If you want to allow apps to run by setting their installers as managed installe - [Edit an AppLocker policy][WIN-5] - [Allow apps deployed with a WDAC managed installer][WIN-6] -- [Microsoft WDAC Wizard][EXT-1] ## Next steps -Before moving on to the next section, ensure that you've completed the following tasks. - -For a WDAC supplemental policy: - -> [!div class="checklist"] -> - Signed .cip .p7b file with Device Guard -> - Targets Base policy: `82443e1e-8a39-4b4a-96a8-f40ddc00b9f3` -> - Policy created in Intune and assigned to the correct groups -> - Policy applied in Event Viewer - -For an AppLocker policy - -> [!div class="checklist"] -> - Only applied to an updater or installer -> - Merge option used -> - Policy created in Intune and assigned to the correct groups - Advance to the next article to learn how to deploy the WDAC supplemental policies or AppLocker policies to Windows 11 SE devices. > [!div class="nextstepaction"] -> [Next: troubleshoot >](troubleshoot.md) +> [Next: deploy policies >](deploy-policies.md) [WIN-1]: /windows/security/threat-protection/windows-defender-application-control/types-of-devices [WIN-2]: /windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md index 9c19eaf24f..3fda71c0d0 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md 
+++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md @@ -19,9 +19,9 @@ The following table provides an overview of the applications types that can be d |**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**| |-|-|-|-| |[Win32][WIN-1]|`.exe`
`.msi`|- Intune Management Extension (IME)
- Microsoft Store integration|⚠️ There are known limitations that might prevent a specific app from being installed.| -|[Universal Windows Platform (UWP)][WIN-2]|`.appx`
`.appxbundle`
`.msix`
|- For private apps: line-of-business apps
- For public apps: Microsoft Store integration|⚠️ LOB apps require a supplemental policy.

⛔ It's currently unsupported to use the Microsoft Store to deploy UWP apps on Windows SE.| +|[Universal Windows Platform (UWP)][WIN-2]|`.appx`
`.appxbundle`
`.msix`
|- For private apps: line-of-business (LOB) apps
- For public apps: Microsoft Store integration|⚠️ LOB apps require a supplemental policy.

⛔ It's currently unsupported to use the Microsoft Store to deploy UWP apps.| |[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies
- Microsoft Store integration|✅ Use settings catalog policies.

⛔ It's currently unsupported to use the Microsoft Store to deploy PWAs.| -|Web links| n/a |- Windows web links|✅ Web links are supported.| +|Web links| n/a |- Windows web links|✅ Web links are supported. | > [!IMPORTANT] > Although you'll be able to install apps on Windows 11 SE devices via Intune, some apps may not perform well on these devices due those apps' minimum spec requirements. @@ -31,9 +31,6 @@ The following table provides an overview of the applications types that can be d The addition of Win32 applications to Intune consists of repackaging the apps and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. -> [!IMPORTANT] -> Ensure that apps which were previously blocked from installing or running are no longer unintentionally being provisioned once the managed installer policies are introduced. - There are known limitations that might prevent applications from being installed or executed. For more information, see the next section [validate applications](validate-apps.md). ## UWP apps diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md index aaa9ce5784..b114599d27 100644 --- a/education/windows/tutorial-deploy-apps-winse/index.md +++ b/education/windows/tutorial-deploy-apps-winse/index.md 
@@ -16,7 +16,7 @@ This guide describes how to deploy applications to Windows 11 SE devices that ar Windows 11 SE is designed to provide a simplified and secure experience for students. Windows 11 SE prevents the installation and execution of third party applications with a technology called *Windows Defender Application Control (WDAC)*. WDAC applies an *allowlist* policy called *E-Mode*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E-Mode policy.\ -With the use of WDAC *supplemental policies*, Microsoft allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy. +With the use of WDAC *supplemental policies*, Intune allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy. Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in Microsoft Intune, it will automatically receive policies that enable the *Intune Management Extension (IME)* as a *managed installer*.\ As a managed installer, any applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2] 
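Review bot: changing "Microsoft allows" to "Intune allows" in the second sentence makes the paragraph read as if Intune runs the app-by-app allowlist, but the rest of that sentence describes requesting that an app be allowed and waiting for the supplemental policy to be deployed, which is the [allowlist process][EDU-1] run by Microsoft, not something Intune does; the Intune managed-installer path is what the following paragraph introduces as the new alternative. Suggest keeping "Microsoft" here (or naming who approves the request) so the contrast with the IME managed-installer flow stays clear. Minor: "third party applications" should be hyphenated as "third-party applications" in both this sentence and the one before it.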
@@ -59,7 +59,7 @@ If you don't have an Intune for Education license for your devices yet, refer to ## Next steps -Advance to the next article to learn which application can be deployed to Windows 11 SE devices, and how to deploy them via Intune. +Advance to the next article to learn which applications can be deployed to Windows 11 SE devices, and how to deploy them via Intune. > [!div class="nextstepaction"] > [Next: deploy apps >](deploy-apps.md) diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index 8db744954f..7381d8982a 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -115,9 +115,9 @@ More detail can be obtained when looking for events indicating blocked executabl The event logs are: - **CodeIntegrity > Operational** -- **AppLocker - MSI and Script** - -For more information, see [AppLocker - MSI and Script](troubleshoot.md#applocker---msi-and-script). +- **AppLocker > MSI and Script** + +For more information, see the [Troubleshoot](troubleshoot.md) section. ## Known limitations 
@@ -140,10 +140,14 @@ Before moving on to the next section, ensure that you've completed the following ## Next steps -Advance to the next article to learn how to create and deploy WDAC or AppLocker policies, in case the apps you deployed don't work as expected. +Select one of the following options to learn the next steps: -> [!div class="nextstepaction"] -> [Next: create policies >](create-policies.md) +- If the apps don't work as expected, you must create and deploy WDAC or AppLocker policies to allow the apps to run +- If the applications you are deploying don't have any issues, you can skip to considerations for your tenant + +> [!div class="op_single_selector"] +> - [Create policies](create-policies.md) +> - [Considerations for your tenant](considerations.md) [M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education
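Review bot: in the create-policies.md UWP procedure (hunk at @@ -90), the new sample `Get-AppxPackage -Name <"App Name"> | Select PackageFullName` returns the wrong property for the rule being built. The custom rule field is **Package Name** with a **Use Custom Package Family** fallback, i.e. the package family name; `PackageFullName` additionally embeds version, architecture and resource ID and is not what the wizard expects. Suggest `Get-AppxPackage -Name "<App Name>" | Select-Object PackageFamilyName`, with the quotes inside the angle brackets as the other placeholders in this file do. Smaller points in the same hunk: the first two list items both launch the wizard ("download, install, and launch the WDAC Policy Wizard" followed by "Open the **WDAC Wizard** and select **Policy Creator**"), the phrase "In the **Base Policy** path to, browse for" is missing a word, the path ends in a stray `\**`, and the unchanged items that follow still say "Click the Create button" while the rewritten items use "Select".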
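Review bot: both "Next" targets introduced here, `deploy-policies.md` in create-policies.md (hunk at @@ -146) and `considerations.md` in the validate-apps.md selector (hunk at @@ -140), point at files that are not in this patch; the diffstat lists only create-policies.md, deploy-apps.md, index.md and validate-apps.md. If they land in a separate commit, say so in the description; otherwise these are broken links. The same @@ -146 hunk also deletes the end-of-article checklist, losing the reminders that the supplemental policy must be signed and must target base policy `82443e1e-8a39-4b4a-96a8-f40ddc00b9f3`, and that an AppLocker policy is applied only to an updater or installer. If the checklist is meant to move to deploy-policies.md, fine; if not, keep at least the AppLocker item, since the table at the top of this article rates that policy type as high risk precisely because it should be scoped to installers.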
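Review bot: in the deploy-apps.md table (hunk at @@ -19), the UWP row still lists "For public apps: Microsoft Store integration" under available installation methods while the same row's considerations column now states that using the Microsoft Store to deploy UWP apps is unsupported. One of the two cells should change, e.g. drop the Store bullet from the methods column or mark it as not applicable, so the table does not offer a method it then forbids. The unchanged PWA row has the identical contradiction and could be fixed in the same pass.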
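Review bot: the hunk at @@ -31 in deploy-apps.md deletes the IMPORTANT note telling admins to ensure that apps previously blocked from installing or running are not unintentionally provisioned once the managed installer policies are introduced. That is the central security caveat of the managed-installer design described in index.md: anything the IME pushes is allowed to run, so a stale Win32 assignment that E-Mode used to block harmlessly will now install. Unless the warning is moving to considerations.md or deploy-policies.md, keep it here, next to the Win32 deployment instructions where the assignment is made.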