From d69eb8c0715727eb7726d3c0f41d5e5cb2fba7b7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Tue, 7 Mar 2023 08:08:53 -0500 Subject: [PATCH] updates --- .../considerations.md | 4 +- .../create-policies.md | 114 +++++++++--------- .../tutorial-deploy-apps-winse/deploy-apps.md | 4 +- .../tutorial-deploy-apps-winse/index.md | 6 +- .../tutorial-deploy-apps-winse/toc.yml | 2 +- .../validate-apps.md | 2 +- 6 files changed, 67 insertions(+), 65 deletions(-) diff --git a/education/windows/tutorial-deploy-apps-winse/considerations.md b/education/windows/tutorial-deploy-apps-winse/considerations.md index bd3a12b22f..133a3c94ce 100644 --- a/education/windows/tutorial-deploy-apps-winse/considerations.md +++ b/education/windows/tutorial-deploy-apps-winse/considerations.md 
@@ -13,10 +13,10 @@ This article describes additional aspects to consider before deploying apps with ## Autopilot and Enrollment Status Page -Autopilot and the Enrollment Status Page are compatible with Windows 11 SE. However, due to the E-Mode policy, devices can be blocked from completing enrollment if: +Autopilot and the Enrollment Status Page are compatible with Windows 11 SE. However, due to the E Mode policy, devices can be blocked from completing enrollment if: 1. You have the enrollment status page to block device use until required apps are installed. -1. You are deploying an app that is blocked by the existing E-Mode policy, not installable via a managed installer (without additional policies), and not allowed by any supplemental policies or AppLocker policies. +1. You are deploying an app that is blocked by the existing E Mode policy, not installable via a managed installer (without additional policies), and not allowed by any supplemental policies or AppLocker policies. An example of this is if you deployed an app via the Store for Education, but have not written a supplemental policy to allow that app's PackageFamilyName. In summary, if you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation. diff --git a/education/windows/tutorial-deploy-apps-winse/create-policies.md b/education/windows/tutorial-deploy-apps-winse/create-policies.md index d6fbad76ec..b50bf83760 100644 --- a/education/windows/tutorial-deploy-apps-winse/create-policies.md +++ b/education/windows/tutorial-deploy-apps-winse/create-policies.md @@ -1,7 +1,7 @@ --- title: Create policies to enable applications description: Learn how to create policies to enable the installation and execution of apps on Windows SE. -ms.date: 03/06/2023 +ms.date: 03/07/2023 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later 
@@ -17,8 +17,8 @@ The following table details the two policy types to allow apps to run: | **Policy type** | **How it works** | **When should I use this policy?** | **Security risk** | |---|---|---|---| -| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that are blocked by the E-Mode policy. The blocked executables are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md) | Low | -| AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates which are blocked by the E-Mode policy | High | +| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that the E Mode policy blocks. The blocked executables are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md) | Low | +| AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates, that the E Mode policy blocks. | High | > [!NOTE] > The specifics of the policy you will need to create vary from app to app. Public documentation can help you determine which rules would be useful for your app. 
@@ -29,17 +29,21 @@ You can create WDAC supplemental policies and then deploy them through Intune. To allow apps to install and run, you must write *supplemental policies* targeting the correct base policy. The base policy that you must target has a PolicyID of `{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}`. +In the following video, Jeffrey Sutherland provides an overview and explains how to create supplemental policies for apps blocked by the E Mode policy. + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO] + ### Create a supplemental policy for Win32 apps -There are different ways to write a supplemental policy. The suggested method is to use [audit events][WIN-3], as they allow to observe the actions that would be blocked by Windows 11 SE. From the audit events, you can create a policy to allow those actions. +There are different ways to write a supplemental policy. The suggested method is to use [audit events][WIN-3], as they list the actions that Windows 11 SE would block. From the audit events, you can create a policy to allow those actions. 1. On a **non-Windows SE device**, download, install, and launch the [WDAC Policy Wizard][EXT-1] -1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml* which is based on the **Windows 11 SE E-mode** policy: - - Open the **WDAC Wizard** and select **Policy Editor** - - In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next** +1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml*, which is based on the E Mode policy: + - Open the **WDAC Wizard** and select **Policy Editor** + - In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. 
Select **Next** :::image type="content" source="images/wdac-winsepolicy.png" alt-text="WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy"::: - - Toggle the option for **Audit Mode** and complete the Wizard. Note the location of the .cip and .xml files shown on the final page of the wizard - - From an elevated PowerShell session, run the following command to activate the policy: + - Toggle the option for **Audit Mode** and complete the wizard. Note the location of the *.cip* and *.xml* files shown on the final page of the wizard + - From an elevated PowerShell session, run the following command to activate the policy: ```cmd citool.exe -up <"Path to the .cip file"> ``` 
@@ -51,72 +55,53 @@ There are different ways to write a supplemental policy. The suggested method is - Open the **WDAC Wizard** and select **Policy Editor** - Select **Convert Event Log to a WDAC Policy** then select **Parse Event Log** to parse from the system Event Viewer. Select **Next** - Review each row in the table and choose the type of rule to create. You may want to sort the table by FileName to group duplicate rows together. You need to create a single rule if the values are duplicates - - Complete the wizard to generate the policy. This will be a *Base* policy. Note the location of the .xml shown, as you will use this in the next step. + - Complete the wizard to generate the policy. The policy will be a *Base* policy. Note the location of the *.xml* shown, as you'll use it in the next step. - Check the event log **AppLocker** > **MSI and Script** for any events - - If any events are shown, you can use the **WDAC Wizard** to edit the policy and add additional rules + - If any events are shown, you can use the **WDAC Wizard** to edit the policy and add more rules - Alternatively, you can save all events to *.evtx* file and create a policy from audit events, but browse for the saved *.evtx* file rather than parsing events from the system Event Viewer -4. Convert the policy created in the previous step to a supplemental policy, specifying the E mode audit policy you created in the first step as its *base*. - +4. Convert the policy created in the previous step to a supplemental policy, specifying the E Mode audit policy you created in the first step as its *base*. ```PowerShell - Set-CiPolicyIdInfo -FilePath "" -BasePolicyToSupplementPath "" + Set-CiPolicyIdInfo -FilePath "" -BasePolicyToSupplementPath "" ``` - 5. From an elevated PowerShell session, run the following command to activate the policy: - ```cmd citool.exe -up '' ``` - 6. Clear the two event logs: - **CodeIntegrity** > **Operational** - **AppLocker** > **MSI and Script** 7. 
Repeat the app testing from step 3. Repeat these steps as needed until no further events are generated. 8. Once you have a policy that works for your app, reset the supplemental policy's Base policy to the official Windows 11 SE BasePolicyId. From an elevated PowerShell session, run the following command: - ```PowerShell Set-CiPolicyIdInfo -FilePath "" -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}" ``` - > [!NOTE] > If you have created multiple supplemental policies for different apps, it's recommended to merge all supplemental policies together before deploying. You can merge policies using the WDAC Wizard. - 9. The creation of the supplemental policy is complete. You must sign and deploy the policy to your devices to take effect. -In the following video, Jeffrey Sutherland explains how to create a supplemental policy for an app that is blocked by the Windows 11 SE E-Mode policy. - -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO] - -For additional information: - -- Policy creation: [Policy creation for common WDAC usage scenarios (Windows) - Windows security | Microsoft Docs][WIN-1] -- Supplemental Policy creation: [Creating a new Supplemental Policy with the Wizard][WIN-2] -- [WDAC Policy Wizard][EXT-1] - ### Create a supplemental policy for UWP LOB apps -UWP apps don't work out-of-box due to the Windows 11 SE E-Mode policy. You can create and deploy a supplemental policy using these steps: +UWP apps don't work out-of-box due to the Windows 11 SE E Mode policy. You can create and deploy a supplemental policy using these steps: 1. On a **non-Windows SE device**, download, install, and launch the [WDAC Policy Wizard][EXT-1] 1. Open the **WDAC Wizard** and select **Policy Creator > Supplemental policy** - - Choose a **Policy Name** and **Policy File Location** - - In the **Base Policy** path to, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. 
Select **Next** - - In **Policy Rules**, select **Next** - - In **Signing Rules**, select **Add Custom Rule** and choose: - - **Rule scope**: **Usermode Rule** - - **Rule action**: **Allow** - - **Rule type**: **Packaged App** - - **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app is not installed, check the *Use Custom Package Family* box and specify the package family name of the app - :::image type="content" source="images/wdac-uwp-policy.png" alt-text="WDAC wizard - selection of an installed UWP app package."::: - - Select the app name - - Select **Create Rule** - - Select **Next** -1. The policy should be created and output a *.xml* and *.cip* files to the policy file location specified earlier -1. The policy is not yet targeting the right *base policy*. Run the following PowerShell command to set the base policy to the Windows 11 SE E-Mode policy: - - ```PowerShell - Set-CiPolicyIdInfo -FilePath "" -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}" - ``` - + - Choose a **Policy Name** and **Policy File Location** + - In the **Base Policy** path to, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next** + - In **Policy Rules**, select **Next** + - In **Signing Rules**, select **Add Custom Rule** and choose: + - **Rule scope**: **Usermode Rule** + - **Rule action**: **Allow** + - **Rule type**: **Packaged App** + - **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app isn't installed, check the *Use Custom Package Family* box and specify the package family name of the app + :::image type="content" source="images/wdac-uwp-policy.png" alt-text="WDAC wizard - selection of an installed UWP app package."::: + - Select the app name + - Select **Create Rule** + - Select **Next** +1. 
The policy should be created and output an *.xml* and *.cip* files to the policy file location specified earlier +1. The policy isn't yet targeting the right *base policy*. Run the following PowerShell command to set the base policy to the Windows 11 SE E Mode policy: + ```PowerShell + Set-CiPolicyIdInfo -FilePath "" -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}" + ``` 1. The creation of the supplemental policy is complete. You must sign and deploy the policy to your devices to take effect. ### Guidelines for authoring WDAC supplemental policy rules 
@@ -129,26 +114,43 @@ Here are some general guidelines to follow when writing WDAC supplemental polici > [!NOTE] > The *WDAC Wizard* defaults to use all of the properties, if present. In some cases, you may want to combine a subset of the properties to allow multiple files. For example: Publisher + ProductName + Version. -- When a *Publisher* rule is not an option (e.g. when the file is unsigned), use *Hash* as the most restrictive option +- When a *Publisher* rule isn't an option (for example, when the file is unsigned), use *Hash* as the most restrictive option - You might have to opt for a *FileAttribute* rule, but it can be easily spoofed +For additional information: + +- [WDAC Policy Wizard][EXT-1] +- [Policy creation for common WDAC usage scenarios][WIN-1] +- [Create a new supplemental policy with the wizard][WIN-2] + ## AppLocker policies > [!WARNING] > It's recommended to use AppLocker policies for processes that perform **updates** or **install as managed installers** only. The preferred method to allow incompatible applications or other executables to run, is to write **WDAC supplemental policies** instead of modifying AppLocker policies. -Additional AppLocker policies work by setting other apps to be managed installers. +Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.\ +Using a WDAC supplemental policy instead, allows you to have more control over what is allowed to run without the risk of those permissions propagating unintentionally. -However, since anything downloaded or installed by a managed installer is trusted to run, this creates a significant risk for security. For example, if the executable for a third-party browser (e.g. 
Chrome or Firefox) is set as a managed installer, anything downloaded from that third-party browser will be allowed to run.\ -Using a WDAC supplemental policy instead allows you to have more control over what is allowed to run without the risk of those permissions propagating unintentionally. - -If you want to allow apps to run by setting their installers as managed installers, follow the guidance here: +To allow apps to run by setting their installers as managed installers, follow the guidance here: - [Edit an AppLocker policy][WIN-5] - [Allow apps deployed with a WDAC managed installer][WIN-6] ## Next steps +Before moving on to the next section, ensure that you've completed the following tasks. + +For a WDAC supplemental policy: + +> [!div class="checklist"] +> - Create a policy, targeting the base policy: **82443e1e-8a39-4b4a-96a8-f40ddc00b9f3** + +For an AppLocker policy: + +> [!div class="checklist"] +> - Only applied to an updater or installer +> - Created the policy with the **Merge** option + Advance to the next article to learn how to deploy the WDAC supplemental policies or AppLocker policies to Windows 11 SE devices. > [!div class="nextstepaction"] diff --git a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md index 3fda71c0d0..e40a98dfd0 100644 --- a/education/windows/tutorial-deploy-apps-winse/deploy-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/deploy-apps.md @@ -18,7 +18,7 @@ The following table provides an overview of the applications types that can be d |**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**| |-|-|-|-| -|[Win32][WIN-1]|`.exe`
`.msi`|- Intune Management Extension (IME)
- Microsoft Store integration|⚠️ There are known limitations that might prevent a specific app from being installed.| +|[Win32][WIN-1]|`.exe`
`.msi`|- Intune Management Extension (IME)
- Microsoft Store integration|⚠️ There are known limitations that might prevent an app to install or run.| |[Universal Windows Platform (UWP)][WIN-2]|`.appx`
`.appxbundle`
`.msix`
|- For private apps: line-of-business (LOB) apps
- For public apps: Microsoft Store integration|⚠️ LOB apps require a supplemental policy.

⛔ It's currently unsupported to use the Microsoft Store to deploy UWP apps.| |[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies
- Microsoft Store integration|✅ Use settings catalog policies.

⛔ It's currently unsupported to use the Microsoft Store to deploy PWAs.| |Web links| n/a |- Windows web links|✅ Web links are supported. | @@ -31,7 +31,7 @@ The following table provides an overview of the applications types that can be d The addition of Win32 applications to Intune consists of repackaging the apps and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1]. -There are known limitations that might prevent applications from being installed or executed. For more information, see the next section [validate applications](validate-apps.md). +There are known limitations that might prevent applications to install or execute. For more information, see the next section [validate applications](validate-apps.md). ## UWP apps diff --git a/education/windows/tutorial-deploy-apps-winse/index.md b/education/windows/tutorial-deploy-apps-winse/index.md index b114599d27..0cc85aaade 100644 --- a/education/windows/tutorial-deploy-apps-winse/index.md +++ b/education/windows/tutorial-deploy-apps-winse/index.md @@ -1,7 +1,7 @@ --- title: Deploy applications to Windows 11 SE with Intune description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps. -ms.date: 03/06/2023 +ms.date: 03/07/2023 ms.topic: tutorial appliesto: - ✅ Windows 11 SE, version 22H2 and later 
@@ -15,10 +15,10 @@ This guide describes how to deploy applications to Windows 11 SE devices that ar Windows 11 SE is designed to provide a simplified and secure experience for students. Windows 11 SE prevents the installation and execution of third party applications with a technology called *Windows Defender Application Control (WDAC)*. -WDAC applies an *allowlist* policy called *E-Mode*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E-Mode policy.\ +WDAC applies an *allowlist* (Code Integrity) policy called *E Mode*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.\ With the use of WDAC *supplemental policies*, Intune allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy. -Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in Microsoft Intune, it will automatically receive policies that enable the *Intune Management Extension (IME)* as a *managed installer*.\ +Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in an Intune education tenant, it will automatically receive an AppLocker policy that sets the *Intune Management Extension (IME)* as a *managed installer*.\ As a managed installer, any applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. 
For more information about managed installer, see [How does a managed installer work?][WIN-2] > [!NOTE] diff --git a/education/windows/tutorial-deploy-apps-winse/toc.yml b/education/windows/tutorial-deploy-apps-winse/toc.yml index 7d089471d2..a4a671013c 100644 --- a/education/windows/tutorial-deploy-apps-winse/toc.yml +++ b/education/windows/tutorial-deploy-apps-winse/toc.yml @@ -5,7 +5,7 @@ items: href: deploy-apps.md - name: 2. Validate apps href: validate-apps.md - - name: 3. Create and deploy additional policies + - name: 3. Create and deploy policies to allow apps items: - name: Create policies href: create-policies.md diff --git a/education/windows/tutorial-deploy-apps-winse/validate-apps.md b/education/windows/tutorial-deploy-apps-winse/validate-apps.md index 7381d8982a..f25d8d3b2c 100644 --- a/education/windows/tutorial-deploy-apps-winse/validate-apps.md +++ b/education/windows/tutorial-deploy-apps-winse/validate-apps.md @@ -33,7 +33,7 @@ Application installation depends on two factors: > [!IMPORTANT] > The Intune management extension agent checks every hour (or on service or device restart) for any new Win32 app assignments. -If the E-mode policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices. +If the E Mode policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices. ## Check for installation
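Review bot: in the considerations.md hunk, the first list item "You have the enrollment status page to block device use until required apps are installed" is missing a verb and reads as if a word was dropped; suggest "You have configured the enrollment status page to block device use until required apps are installed." The E-Mode to E Mode rename is applied consistently in this hunk.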
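Review bot: in the create-policies.md table hunk (@@ -17), the new AppLocker cell "Only for executables that do installations or updates, that the E Mode policy blocks." has a stray comma and a trailing period the other cells lack; suggest "Only for executables that perform installations or updates and that the E Mode policy blocks". Since this table is where a reader picks between the two policy types, consider a short reason in the Security risk column for the High rating (the managed-installer trust propagation explained in the AppLocker section further down) rather than the bare word.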
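Review bot: in the create-policies.md hunk at @@ -29, the activation step says "From an elevated PowerShell session" but its fence is tagged `cmd`; tag it `powershell` or change the instruction so the two agree. The video's new caption ("provides an overview and explains how to create supplemental policies for apps blocked by the E Mode policy") is fine, but the removed caption's detail that the example is a single app blocked by the policy helped set expectations; consider keeping it.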
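Review bot: in the create-policies.md hunk at @@ -51, the `Set-CiPolicyIdInfo -FilePath "" -BasePolicyToSupplementPath ""` lines (step 4 and step 8) and the `citool.exe -up ''` line (step 5) carry empty quoted placeholders, unlike `citool.exe -up <"Path to the .cip file">` earlier in the file; if angle-bracket placeholders were swallowed by the renderer, replace them with visible ones such as `"<path to supplemental policy .xml>"` and `"<path to base policy .xml>"` so readers know which file goes in which parameter. This hunk also removes the blank lines between each numbered step and its fenced block; some Markdown renderers then break the fence out of the list item, so keep one blank line before each fence. In the UWP section, "In the **Base Policy** path to, browse for" is left unchanged in both old and new lines and still reads as a leftover; suggest "In **Base Policy Path**, browse for". The "For additional information" links removed here reappear in the @@ -129 hunk, so no reference is lost.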
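Review bot: in the create-policies.md hunk at @@ -129, the checklist item "Create a policy, targeting the base policy: **82443e1e-8a39-4b4a-96a8-f40ddc00b9f3**" writes the ID lowercase and without braces, while the same file and the `Set-CiPolicyIdInfo -SupplementsBasePolicyId "{82443E1E-8A39-4B4A-96A8-F40DDC00B9F3}"` command use the braced uppercase form; use one form so a reader comparing values does not doubt they match. The two checklists also mix tenses ("Create a policy" vs "Only applied", "Created the policy"); align them. For "Created the policy with the **Merge** option", one clause on why would help: index.md in this same patch says enrolled devices already receive an AppLocker policy that sets the IME as a managed installer, and if Merge is what keeps that rule in place, say so. The added browser example in the managed-installer warning is a good concrete illustration of the risk.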
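Review bot: in the deploy-apps.md hunks, the rewordings "might prevent an app to install or run" and "might prevent applications to install or execute" are ungrammatical; the original "from being installed or executed" was correct, or use "from installing or running" if the goal was a shorter phrase.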
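Review bot: in the index.md hunk, changing "enrolled in Microsoft Intune" to "enrolled in an Intune education tenant" narrows the condition under which the IME managed-installer AppLocker policy is delivered; if that is the accurate condition, it is worth stating it once more visibly (for example in the NOTE that follows this paragraph), since deploy-apps.md and validate-apps.md in this patch talk about Windows SE devices generally. The "(Code Integrity)" parenthetical and the more precise "an AppLocker policy that sets the IME as a managed installer" are welcome clarifications.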