deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-06-19 07:57:10 -04:00
parent cabe2dd4b0
commit faab3760bf
4 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
education/windows/tutorial-deploy-apps-winse/considerations.md
View File

@ -1,7 +1,7 @@
---
title: Important considerations before deploying apps with managed installer
description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 05/23/2023
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -26,7 +26,7 @@ For example, if you deploy a UWP LOB app but haven't deployed a supplemental pol
If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.
:::image type="content" source="./images/esp-error.png" alt-text="Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false":::
:::image type="content" source="./images/esp-error.png" alt-text="Screenshot of the Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false":::
### ESP errors mitigation

6
education/windows/tutorial-deploy-apps-winse/create-policies.md
View File

@ -1,7 +1,7 @@
---
title: Create policies to enable applications
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 05/23/2023
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -64,7 +64,7 @@ From a non-Windows SE device with the WDAC Policy Wizard installed, follow these
1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml*, which is based on the Windows 11 SE base policy:
- Open the **WDAC Wizard** and select **Policy Editor**
- In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy":::
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="Screenshot of the WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy":::
- Toggle the option for **Audit Mode** and complete the wizard. Note the location of the *.cip* and *.xml* files shown on the final page of the wizard
- From an elevated PowerShell session, run the following command to activate the policy:
@ -124,7 +124,7 @@ From a non-Windows SE device with the WDAC Policy Wizard installed, you can crea
- **Rule action**: **Allow**
- **Rule type**: **Packaged App**
- **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app isn't installed, check the **Use Custom Package Family** box and specify the package family name of the app
:::image type="content" source="images/wdac-uwp-policy.png" alt-text="WDAC wizard - selection of an installed UWP app package.":::
:::image type="content" source="images/wdac-uwp-policy.png" alt-text="Screenshot of the WDAC wizard - selection of an installed UWP app package.":::
- Select the app name
- Select **Create Rule**
- Select **Next**

12
education/windows/tutorial-deploy-apps-winse/troubleshoot.md
View File

@ -1,7 +1,7 @@
---
title: Troubleshoot app deployment issues in Windows SE
description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 05/23/2023
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -38,7 +38,7 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
- The policy that allows managed installers is **`C0DB889B-59C5-453C-B297-399C851934E4`**. Checking that this policy is applied correctly, indicates that a device is setup to allow managed installers (and therefore, can allow installation of Win32 apps via the Intune Management Extension).\
You can check that the **Managed Installer policy** rule was set in the policy, by checking the **Options** field in the **details** pane. For more information, see: [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="CodeIntegrity operational log" lightbox="images/troubleshoot-managed-installer-policy.png":::
:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="Screenshot of the CodeIntegrity operational log" lightbox="images/troubleshoot-managed-installer-policy.png":::
You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command):
@ -49,11 +49,11 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
- For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true**
- For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true**
:::image type="content" source="images/troubleshoot-citool.png" alt-text="Output of citool.exe with the Win-EDU supplemental policy.":::
:::image type="content" source="images/troubleshoot-citool.png" alt-text="Screenshot of the output of citool.exe with the Win-EDU supplemental policy.":::
1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::
:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Screenshot of the error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::
When checking an error event, you can observe that the information in the *General* tab may show something like the following:
@ -81,9 +81,9 @@ To query AppLocker policies and validate that they're configured correctly, foll
1. Open the **Local Security Policy** mmc console (`secpol.msc`)
1. Select **Security Settings > Application Control Policies**
1. Right-click **AppLocker** and select **Export Policy…**
:::image type="content" source="images/applocker-export-policy.png" alt-text="Export the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false":::
:::image type="content" source="images/applocker-export-policy.png" alt-text="Screenshot of the export of the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false":::
1. For the policy that sets the Intune Management Extension as a Managed installer, *MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE* should be nested under a RuleCollection section of Type *ManagedInstaller*
:::image type="content" source="images/applocker-policy-validation.png" alt-text="Xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
:::image type="content" source="images/applocker-policy-validation.png" alt-text="Screenshot of the xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
1. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller*
### AppLocker service

8
education/windows/tutorial-deploy-apps-winse/validate-apps.md
View File

@ -1,7 +1,7 @@
---
title: Validate the applications deployed to Windows SE devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 06/07/2023
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -66,11 +66,11 @@ To check the installation status of an app from the Intune portal:
1. Select the application you want to check
1. From the **Overview** page, you can verify the overall installation status
:::image type="content" source="./images/intune-app-install-overview.png" alt-text="Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png":::
:::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png":::
1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure
:::image type="content" source="./images/intune-app-install-status.png" alt-text="Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png":::
:::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png":::
> [!NOTE]
> A Win32 application may install correctly, but report to Intune as failed.\
@ -120,7 +120,7 @@ These apps are eventually blocked before any of their functionalities can be acc
You may see a dialog indicating **This app won't run on your PC**. Check the indicated executable and verify that it matches the executable of the installed application.
:::image type="content" source="images/winse-app-block.png" alt-text="Windows SE - error window while opening an app.":::
:::image type="content" source="images/winse-app-block.png" alt-text="Screenshot of Windows SE - error window while opening an app.":::
### Event Viewer