mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-26 07:43:36 +00:00
completed overview doc
@ -1,69 +1,72 @@
|
|||||||
---
|
---
|
||||||
title: Consideration before deploying apps with Managed Installer
|
title: Deploy applications to Windows 11 SE with Intune
|
||||||
description: Learn how to Consideration before deploying apps with Managed Installer
|
description: Learn how to deploy application to Windows 11 SE devices with Intune as a managed installer.
|
||||||
ms.date: 02/24/2023
|
ms.date: 02/28/2023
|
||||||
ms.topic: tutorial
|
ms.topic: tutorial
|
||||||
appliesto:
|
appliesto:
|
||||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
|
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
|
||||||
---
|
---
|
||||||
|
|
||||||
# Deploy apps to Windows 11 SE with Managed Installer
|
# Deploy applications to Windows 11 SE with managed installer
|
||||||
|
|
||||||
Currently, Windows 11 SE prevents the installation of 3<sup>rd</sup> party applications, unless the application is in an [approved list][EDU-1] or the IT admin consults with Microsoft.
|
Windows 11 SE prevents the installation of third party applications, unless the application is in an [approved list][EDU-1] or the IT admin consults with Microsoft.\
|
||||||
|
Starting with Windows 11 SE, version 22H2, you can deploy any applications to Windows 11 SE devices via Intune, without having to contact Microsoft. This is possible because Microsoft has enabled the *Intune Management Extension (IME)* as a *WDAC managed installer*.
|
||||||
|
|
||||||
Microsoft is changing the 3<sup>rd</sup> party application installation process by enabling the **Intune Management Extension (IME)** as a *managed installer*. What that means, is that you will be able to install 3<sup>rd</sup> party applications on Windows 11 SE devices via Intune, without having to contact Microsoft.
|
In this tutorial, you'll learn how to set up Windows 11 SE devices with the IME as a managed installer, and how to validate the applications deployed via Intune.
|
||||||
|
|
||||||
The documentation in this GitHub repository covers how to set up Windows 11 SE devices with the IME as a managed installer, and deploy apps via Intune to those devices.
|
## Introduction
|
||||||
|
|
||||||
|
Windows 11 SE prevents the installation and execution of third party applications with a security feature called *Windows Defender Application Control (WDAC)*.\
|
||||||
|
On Windows 11 SE, WDAC applies an *allowlist policy* called *E-Mode*. The E-Mode policy ensures that unwanted apps don't run or get installed.
|
||||||
|
|
||||||
|
When Windows 11 SE was initially released, Microsoft allowed specific application by using [WDAC supplemental policies][WIN-1], with an [allowlist process][EDU-1] done on an app-by-app basis.
|
||||||
|
|
||||||
|
Starting in Windows 11 SE, version 22H2, Microsoft enabled the IME as a managed installer. Applications deployed through Microsoft Intune will be automatically allowed on Windows 11 SE, removing the allowlist process requirement.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> End-users of Windows 11 SE devices still cannot install and use arbitrary applications without being blocked. Only IT admins can control what apps are allowed.
|
||||||
|
|
||||||
|
Some applications may experience difficulties running due to their type or due to the complexity of how they're installed and executed. In these cases, the IT admin may need to write more policies to enable the applications.\
|
||||||
|
IT admins can write and deploy their own WDAC supplemental policies through Microsoft Intune, to allow third party application to run.
|
||||||
|
|
||||||
## Goals
|
## Goals
|
||||||
|
|
||||||
In this tutorial you will learn:
|
In this tutorial you'll learn:
|
||||||
|
|
||||||
> [!div class="checklist"]
|
> [!div class="checklist"]
|
||||||
> - what applications can be installed on a Windows 11 SE device when managed installer policies are enabled
|
> - Which applications can be installed on a Windows 11 SE device when managed installer policies are enabled
|
||||||
> - How to install an application to a Windows 11 SE device
|
> - How to install an application to a Windows 11 SE device
|
||||||
> - How to validate that an application is installed and runs successfully
|
> - How to validate that an application is installed and runs successfully
|
||||||
> - How to write additional policies to enable incompatible applications
|
> - How to write additional policies to enable incompatible applications
|
||||||
> - How to troubleshoot problems related to application installation
|
> - How to troubleshoot problems related to application installation
|
||||||
|
|
||||||
## Introduction
|
|
||||||
|
|
||||||
Windows 11 SE prevents the installation and execution of 3<sup>rd</sup> party applications with a technology called **Windows Defender Application Control (WDAC)**.\
|
|
||||||
WDAC applies an allow-list policy called *E-Mode*, which ensures that unwanted apps do not run or get installed. With the use of [WDAC supplemental policies][WIN-1] Microsoft allows specific 3<sup>rd</sup> party applications to run at the request of IT admins. The [whitelist process][EDU-1] is done on a one-by-one basis, and the turnaround time to request an application to be allowed and have the supplemental policy deployed can be lengthy.
|
|
||||||
|
|
||||||
Microsoft is changing the 3<sup>rd</sup> party app installation process by enabling the **Intune Management Extension (IME)** as a *managed installer*. As a managed installer, any applications deployed through Microsoft Intune via IME, will be automatically allowed on Windows 11 SE, removing the whitelist process requirement.
|
|
||||||
|
|
||||||
> **Note**
|
|
||||||
>
|
|
||||||
> End-users of Windows 11 SE devices still cannot install and use arbitrary applications without being blocked; only IT admins can control what apps are allowed.
|
|
||||||
|
|
||||||
Some applications may experience difficulties running due to their app type or due to the complexity of how the app is installed and executed. In these cases, the IT admin may need to write additional policies to enable the application. This documentation covers how to set up Windows 11 SE devices with the IME as a managed installer, and deploy apps via Intune to those devices.
|
|
||||||
|
|
||||||
IT admins can write and deploy their own WDAC supplemental policies through Microsoft Intune, to allow 3<sup>rd</sup> party application to run. There won't be any need to work with Microsoft directly.
|
|
||||||
|
|
||||||
## Installation process
|
## Installation process
|
||||||
|
|
||||||
There are four main steps to install an application on Windows 11 SE using the managed installer. Each step will be covered in detail in this tutorial.
|
There are three main steps to install an application on Windows 11 SE using the managed installer. Each step will be covered in detail in the next sections of this tutorial:
|
||||||
|
|
||||||

|
:::image type="content" source="./images/process.svg" alt-text="Diagram showing the three tutorial steps." border="false":::
|
||||||
|
|
||||||
1. **Deploy an application via Microsoft Intune** - Applications are deployed via Microsoft Intune. There are some restrictions on the types of apps that are compatible with managed installers, but this step is the same as it would be for non-Windows 11 SE devices.
|
1. **Deploy an application via Microsoft Intune** - Applications are deployed via Microsoft Intune. There are some restrictions on the types of apps that are compatible with managed installers, but the process is the same used for non-Windows 11 SE devices
|
||||||
1. **Validate the application** - Applications are validated to ensure that they are installed and running successfully. This step is the same as it would be for non-Windows 11 SE devices. Since some applications may be incompatible due to how they are installed, how they execute, or how they update, the known limitations are discussed in a later section of this tutorial.
|
1. **Validate the application** - Applications are validated to ensure that they're installed and running successfully. The process is the same for non-Windows 11 SE devices. Some applications may be incompatible due to how they're installed, how they execute, or how they update. You'll learn about known limitations in a later section of the tutorial
|
||||||
1. **Create additional policies (optional)** - To allow apps that are not installable or do not behave as intended, additional policies can be created and deployed so that these applications can be used.
|
1. **Create additional policies (optional)** - To allow apps that aren't installable or don't behave as intended, more policies can be created and deployed so that these applications can be used
|
||||||
|
|
||||||
All four of these steps are done by the IT administrator. Once the steps are complete, users of Windows 11 SE devices should be able to run the applications that you've deployed via Intune.
|
All these steps are done by the IT administrator. Once the steps are complete, users of Windows 11 SE devices should be able to run the applications that you've deployed via Intune.
|
||||||
|
|
||||||
## Prerequisites
|
## Prerequisites
|
||||||
|
|
||||||
In order to receive policies on your Windows 11 SE device to allow 3rd party app installation controlled by your IT admin, you must have the following:
|
To receive policies on your Windows 11 SE devices, allowing app installation controlled by your IT admin, you must have:
|
||||||
- Windows 11 SE devices with a minimum version of 10.0.22621.819 (22H2, November Update) and later.
|
|
||||||
- Your Windows 11 devices must be connected to a tenant with an Intune for Education license. If you do not have an Intune for Education license for your devices yet, refer to [Microsoft Intune for Education][EXT-1] for access to a free trial version. This license is needed for Managed Installer to successfully deploy apps and supplemental policies via Intune.
|
- Windows 11 SE, version 22H2 and later
|
||||||
|
- Intune for Education licenses. The license requirement is for the managed installer to deploy apps and supplemental policies via Intune
|
||||||
|
|
||||||
|
If you don't have an Intune for Education license for your devices yet, refer to [Microsoft Intune for Education][EXT-1] for access to a free trial version.
|
||||||
|
|
||||||
## Next steps
|
## Next steps
|
||||||
|
|
||||||
Advance to the next article to learn how to create...
|
Advance to the next article to learn which application can be deployed to Windows 11 SE devices, and how to deploy them via Intune.
|
||||||
|
|
||||||
> [!div class="nextstepaction"]
|
> [!div class="nextstepaction"]
|
||||||
> [Next: deploy apps](deploy-apps.md)
|
> [Next: deploy apps >](deploy-apps.md)
|
||||||
|
|
||||||
[EDU-1]: https://learn.microsoft.com/education/windows/windows-11-se-overview#add-your-own-applications
|
[EDU-1]: https://learn.microsoft.com/education/windows/windows-11-se-overview#add-your-own-applications
|
||||||
[EDU-2]: https://learn.microsoft.com/education/windows/windows-11-se-overview#available-applications
|
[EDU-2]: https://learn.microsoft.com/education/windows/windows-11-se-overview#available-applications
|
||||||
|
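Review bot: In the Prerequisites list, the new bullet `- Windows 11 SE, version 22H2 and later` drops the minimum build that the removed line gave (10.0.22621.819, 22H2 November Update). If the managed installer policies still require that build, keep the build number in the bullet so an admin can tell that a 22H2 device below it is not covered. Two smaller points: the opening paragraph and the new `## Introduction` section both state that Windows 11 SE blocks third party applications and that version 22H2 enables the IME as a managed installer, so one of the two could be trimmed; and several added lines use the singular where the plural is meant ("deploy application to" in `description`, "allowed specific application", "third party application to run", "which application can be deployed").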
@ -28,7 +28,6 @@ The following table details the applications types that can be deployed via Intu
|
|||||||
> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices and ensure that they will have their minimum requirements met, and ensure that apps which were previously blocked from installing or running are no longer unintentionally being provisioned once the managed installer policies are introduced.
|
> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices and ensure that they will have their minimum requirements met, and ensure that apps which were previously blocked from installing or running are no longer unintentionally being provisioned once the managed installer policies are introduced.
|
||||||
>
|
>
|
||||||
|
|
||||||
|
|
||||||
## Win32 apps
|
## Win32 apps
|
||||||
|
|
||||||
Win32 apps are installed from Intune via an .intunewin package created by the IntuneWinAppUtil command line tool.\
|
Win32 apps are installed from Intune via an .intunewin package created by the IntuneWinAppUtil command line tool.\
|
||||||
|
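Review bot: The blockquote above `## Win32 apps` still ends with an empty `>` line after the note text. Since this hunk is already tidying the blank lines at that spot, consider dropping the dangling `>` as well so the note closes cleanly before the heading.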
@ -1,3 +1,3 @@
|
|||||||
<?xml version="1.0" encoding="UTF-8"?>
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||||
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="672px" height="102px" viewBox="-0.5 -0.5 672 102"><defs><linearGradient x1="0%" y1="100%" x2="0%" y2="0%" id="mx-gradient-ffffff-1-b6a0dc-1-s-0"><stop offset="0%" style="stop-color: rgb(182, 160, 220); stop-opacity: 1;"/><stop offset="100%" style="stop-color: rgb(255, 255, 255); stop-opacity: 1;"/></linearGradient></defs><g><path d="M 10 25 L 3.71 9.28 Q 0 0 10 0 L 200 0 Q 210 0 213.71 9.28 L 226.29 40.72 Q 230 50 226.29 59.28 L 213.71 90.72 Q 210 100 200 100 L 10 100 Q 0 100 3.71 90.72 L 16.29 59.28 Q 20 50 16.29 40.72 Z" fill-opacity="0.8" fill="url(#mx-gradient-ffffff-1-b6a0dc-1-s-0)" stroke="#b6a0dc" stroke-opacity="0.8" stroke-width="1.5" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 184px; height: 1px; padding-top: 50px; margin-left: 23px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: "Segoe UI"; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;">Deploy an application via Microsoft Intune</div></div></div></foreignObject><text x="115" y="55" fill="rgb(0, 0, 0)" font-family="Segoe UI" font-size="18px" text-anchor="middle">Deploy an application...</text></switch></g><path d="M 230 25 L 223.71 9.28 Q 220 0 230 0 L 420 0 Q 430 0 433.71 9.28 L 446.29 40.72 Q 450 50 446.29 59.28 L 433.71 90.72 Q 430 100 420 100 L 230 100 Q 220 100 223.71 90.72 L 236.29 59.28 Q 240 50 236.29 40.72 Z" fill-opacity="0.8" 
fill="url(#mx-gradient-ffffff-1-b6a0dc-1-s-0)" stroke="#b6a0dc" stroke-opacity="0.8" stroke-width="1.5" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 184px; height: 1px; padding-top: 50px; margin-left: 243px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: "Segoe UI"; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;">Validate the application</div></div></div></foreignObject><text x="335" y="55" fill="rgb(0, 0, 0)" font-family="Segoe UI" font-size="18px" text-anchor="middle">Validate the applicat...</text></switch></g><path d="M 450 25 L 443.71 9.28 Q 440 0 450 0 L 640 0 Q 650 0 653.71 9.28 L 666.29 40.72 Q 670 50 666.29 59.28 L 653.71 90.72 Q 650 100 640 100 L 450 100 Q 440 100 443.71 90.72 L 456.29 59.28 Q 460 50 456.29 40.72 Z" fill-opacity="0.8" fill="url(#mx-gradient-ffffff-1-b6a0dc-1-s-0)" stroke="#b6a0dc" stroke-opacity="0.8" stroke-width="1.5" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 184px; height: 1px; padding-top: 50px; margin-left: 463px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: 
inline-block; font-size: 18px; font-family: "Segoe UI"; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;">Create additional policies (optional)</div></div></div></foreignObject><text x="555" y="55" fill="rgb(0, 0, 0)" font-family="Segoe UI" font-size="18px" text-anchor="middle">Create additional pol...</text></switch></g></g></svg>
|
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="902px" height="102px" viewBox="-0.5 -0.5 902 102"><defs><linearGradient x1="0%" y1="100%" x2="0%" y2="0%" id="mx-gradient-ffffff-1-b6a0dc-1-s-0"><stop offset="0%" style="stop-color: rgb(182, 160, 220); stop-opacity: 1;"/><stop offset="100%" style="stop-color: rgb(255, 255, 255); stop-opacity: 1;"/></linearGradient></defs><g><path d="M 10 25 L 3.71 9.28 Q 0 0 10 0 L 278.96 0 Q 288.96 0 292.67 9.28 L 305.24 40.72 Q 308.96 50 305.24 59.28 L 292.67 90.72 Q 288.96 100 278.96 100 L 10 100 Q 0 100 3.71 90.72 L 16.29 59.28 Q 20 50 16.29 40.72 Z" fill-opacity="0.8" fill="url(#mx-gradient-ffffff-1-b6a0dc-1-s-0)" stroke="#b6a0dc" stroke-opacity="0.8" stroke-width="1.5" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 263px; height: 1px; padding-top: 50px; margin-left: 23px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: "Segoe UI"; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;">Deploy an application via Intune</div></div></div></foreignObject><text x="154" y="55" fill="rgb(0, 0, 0)" font-family="Segoe UI" font-size="18px" text-anchor="middle">Deploy an application via Int...</text></switch></g><path d="M 305.52 25 L 299.24 9.28 Q 295.52 0 305.52 0 L 574.48 0 Q 584.48 0 588.19 9.28 L 600.76 40.72 Q 604.48 50 600.76 59.28 L 588.19 90.72 Q 584.48 100 574.48 100 L 305.52 100 Q 295.52 100 299.24 90.72 L 311.81 59.28 Q 315.52 50 311.81 40.72 Z" 
fill-opacity="0.8" fill="url(#mx-gradient-ffffff-1-b6a0dc-1-s-0)" stroke="#b6a0dc" stroke-opacity="0.8" stroke-width="1.5" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 263px; height: 1px; padding-top: 50px; margin-left: 319px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: "Segoe UI"; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;">Validate the application</div></div></div></foreignObject><text x="450" y="55" fill="rgb(0, 0, 0)" font-family="Segoe UI" font-size="18px" text-anchor="middle">Validate the application</text></switch></g><path d="M 601.04 25 L 594.76 9.28 Q 591.04 0 601.04 0 L 870 0 Q 880 0 883.71 9.28 L 896.29 40.72 Q 900 50 896.29 59.28 L 883.71 90.72 Q 880 100 870 100 L 601.04 100 Q 591.04 100 594.76 90.72 L 607.33 59.28 Q 611.04 50 607.33 40.72 Z" fill-opacity="0.8" fill="url(#mx-gradient-ffffff-1-b6a0dc-1-s-0)" stroke="#b6a0dc" stroke-opacity="0.8" stroke-width="1.5" stroke-miterlimit="10" pointer-events="none"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 263px; height: 1px; padding-top: 50px; margin-left: 614px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; 
text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: "Segoe UI"; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: none; white-space: normal; overflow-wrap: normal;">Create additional policies (optional)</div></div></div></foreignObject><text x="746" y="55" fill="rgb(0, 0, 0)" font-family="Segoe UI" font-size="18px" text-anchor="middle">Create additional policies (o...</text></switch></g></g></svg>
|
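Review bot: The `<text>` fallback labels in the new SVG are still truncated ("Deploy an application via Int...", "Create additional policies (o..."), so a renderer that ignores `foreignObject` shows cut-off step names even though the shapes were widened. Consider putting the full label in each `<text>` element. The first label also now reads "Deploy an application via Intune", while step 1 in the tutorial list still reads "Deploy an application via Microsoft Intune"; pick one wording for both.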
Before Width: | Height: | Size: 4.4 KiB After Width: | Height: | Size: 4.5 KiB |