mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
removed wdac references
@ -153,7 +153,7 @@ Using a WDAC supplemental policy instead, allows you to have more control over w
|
||||
To allow apps to run by setting their installers as managed installers, follow the guidance here:
|
||||
-->
|
||||
|
||||
Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.\
|
||||
Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.
|
||||
|
||||
To allow apps to run by setting their installers as managed installers, follow the guidance here:
|
||||
|
||||
|
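Review bot: the sentence carried in this hunk's header, "Using a WDAC supplemental policy instead, allows you to have more control over w", still names WDAC just above line 153, and the only edit visible here is the removal of the trailing `\` after "allowed to run." If that sentence sits outside the commented-out block that closes at `-->`, it will still render and should be reworded or removed to match the commit message. It is also worth confirming that the live paragraph's warning (anything downloaded or installed by a managed installer is trusted to run) stays directly above "To allow apps to run by setting their installers as managed installers, follow the guidance here:", so readers see the risk before the procedure.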
@ -11,12 +11,22 @@ appliesto:
|
||||
|
||||
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
|
||||
|
||||
| **Problem** | **Potential solution** |
|
||||
|---|---|
|
||||
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps apps aren't supported</li></ul></li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
|
||||
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
|
||||
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|
|
||||
|
||||
<!--
|
||||
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
|
||||
|
||||
| **Problem** | **Potential solution** |
|
||||
|---|---|
|
||||
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps require writing an additional supplemental policy</li><li>Microsoft Sore apps aren't supported</li></ul></li><li>Check that the managed installer policies are deployed correctly</li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
|
||||
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
|
||||
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|
|
||||
|
||||
|
||||
## WDAC Supplemental policy validation
|
||||
|
||||
Use the Event Viewer to see if a supplemental policy is deployed correctly. These rules apply to both the policy that allows managed installers and any supplemental policies that you deploy.
|
||||
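Review bot: in the new "App hasn't installed" row, "UWP LOB apps apps aren't supported" looks like two list items from the commented-out table merged by accident ("UWP LOB apps require writing an additional supplemental policy" and the Store apps item), which leaves a doubled "apps" and changes what the page says about UWP LOB apps; please confirm the intended support statement and restore the Store item if it still applies. The new rows also still tell the reader "you'll need to write a supplemental policy to support the app" and keep the "My supplemental policy hasn't deployed" row, while the "WDAC Supplemental policy validation" section is now inside the `<!--` block, so the page points to supplemental policies without any visible way to validate them. The last row's second `<li>` is left unclosed. Consider deleting the old table instead of commenting it out, since version control already preserves it.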
@ -62,12 +72,14 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
|
||||
|
||||
Alternatively you can use `cidiag.exe /stop`, which copies all potentially relevant logs and policy files to a folder. The command also parses the critical events from the **CodeIntegrity** and **AppLocker** logs to a text file.
|
||||
|
||||
-->
|
||||
|
||||
## AppLocker policy validation
|
||||
|
||||
> [!NOTE]
|
||||
> The validation process described below requires the deployment of a PowerShell script from Intune to the Windows SE devices. This script will be used to query the AppLocker policy and validate that the policy is configured correctly. The script will also be used to validate the AppLocker service status.
|
||||
|
||||
You can query the existing AppLocker policy via PowerShell running from a device.
|
||||
You can query the existing AppLocker policy via PowerShell.
|
||||
|
||||
```PowerShell
|
||||
get-applockerpolicy -xml -effective
|
||||
|
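Review bot: the new note says validation "requires the deployment of a PowerShell script from Intune" and that "The script will be used to validate the AppLocker service status", but nothing in this hunk provides or links that script; the text that follows only shows `get-applockerpolicy -xml -effective`, which covers the policy query and not the service check. Either include or link the script, or narrow the note to what the section actually documents. The note also says "Windows SE devices" where the rest of the page uses "Windows 11 SE". With `-->` now placed after the `cidiag.exe /stop` paragraph, that log-collection step is hidden while the troubleshooting table still sends readers to the **AppLocker** and **CodeIntegrity** logs, so consider keeping a visible pointer to how those logs are gathered. As a style point, write the cmdlet in its canonical casing, `Get-AppLockerPolicy -Effective -Xml`.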