Paolo Matarazzo 2023-06-19 07:57:10 -04:00
parent cabe2dd4b0
commit faab3760bf
4 changed files with 15 additions and 15 deletions

@ -1,7 +1,7 @@
--- ---
title: Important considerations before deploying apps with managed installer title: Important considerations before deploying apps with managed installer
description: Learn about important aspects to consider before deploying apps with managed installer. description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 05/23/2023 ms.date: 06/19/2023
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -26,7 +26,7 @@ For example, if you deploy a UWP LOB app but haven't deployed a supplemental pol
If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation. If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.
:::image type="content" source="./images/esp-error.png" alt-text="Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false"::: :::image type="content" source="./images/esp-error.png" alt-text="Screenshot of the Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false":::
### ESP errors mitigation ### ESP errors mitigation

@ -1,7 +1,7 @@
--- ---
title: Create policies to enable applications title: Create policies to enable applications
description: Learn how to create policies to enable the installation and execution of apps on Windows SE. description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 05/23/2023 ms.date: 06/19/2023
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -64,7 +64,7 @@ From a non-Windows SE device with the WDAC Policy Wizard installed, follow these
1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml*, which is based on the Windows 11 SE base policy: 1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml*, which is based on the Windows 11 SE base policy:
- Open the **WDAC Wizard** and select **Policy Editor** - Open the **WDAC Wizard** and select **Policy Editor**
- In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next** - In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy"::: :::image type="content" source="images/wdac-winsepolicy.png" alt-text="Screenshot of the WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy":::
- Toggle the option for **Audit Mode** and complete the wizard. Note the location of the *.cip* and *.xml* files shown on the final page of the wizard - Toggle the option for **Audit Mode** and complete the wizard. Note the location of the *.cip* and *.xml* files shown on the final page of the wizard
- From an elevated PowerShell session, run the following command to activate the policy: - From an elevated PowerShell session, run the following command to activate the policy:
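Review bot: The new alt text for images/wdac-winsepolicy.png ends without a period, while the alt text updated for images/wdac-uwp-policy.png later in this file ends with one; pick one style and apply it to both. On the context line above it, the path *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** relies on an escaped asterisk inside italics to show the wildcard, which is easy to misrender; formatting the path as inline code would make it unambiguous for someone locating WinSEPolicy.xml.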
@ -124,7 +124,7 @@ From a non-Windows SE device with the WDAC Policy Wizard installed, you can crea
- **Rule action**: **Allow** - **Rule action**: **Allow**
- **Rule type**: **Packaged App** - **Rule type**: **Packaged App**
- **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app isn't installed, check the **Use Custom Package Family** box and specify the package family name of the app - **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app isn't installed, check the **Use Custom Package Family** box and specify the package family name of the app
:::image type="content" source="images/wdac-uwp-policy.png" alt-text="WDAC wizard - selection of an installed UWP app package."::: :::image type="content" source="images/wdac-uwp-policy.png" alt-text="Screenshot of the WDAC wizard - selection of an installed UWP app package.":::
- Select the app name - Select the app name
- Select **Create Rule** - Select **Create Rule**
- Select **Next** - Select **Next**
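Review bot: The **Package Name** item on the context line just above the changed image reads "specify the package name of app", which is missing an article; since this list is being touched anyway, suggest "specify the package name of the app". The alt text change itself reads fine.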

@ -1,7 +1,7 @@
--- ---
title: Troubleshoot app deployment issues in Windows SE title: Troubleshoot app deployment issues in Windows SE
description: Troubleshoot common issues when deploying apps to Windows SE devices. description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 05/23/2023 ms.date: 06/19/2023
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -38,7 +38,7 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
- The policy that allows managed installers is **`C0DB889B-59C5-453C-B297-399C851934E4`**. Checking that this policy is applied correctly, indicates that a device is setup to allow managed installers (and therefore, can allow installation of Win32 apps via the Intune Management Extension).\ - The policy that allows managed installers is **`C0DB889B-59C5-453C-B297-399C851934E4`**. Checking that this policy is applied correctly, indicates that a device is setup to allow managed installers (and therefore, can allow installation of Win32 apps via the Intune Management Extension).\
You can check that the **Managed Installer policy** rule was set in the policy, by checking the **Options** field in the **details** pane. For more information, see: [Understanding Application Control event IDs][WIN-1] You can check that the **Managed Installer policy** rule was set in the policy, by checking the **Options** field in the **details** pane. For more information, see: [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="CodeIntegrity operational log" lightbox="images/troubleshoot-managed-installer-policy.png"::: :::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="Screenshot of the CodeIntegrity operational log" lightbox="images/troubleshoot-managed-installer-policy.png":::
You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command): You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command):
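Review bot: The updated alt text for images/troubleshoot-managed-installer-policy.png, "Screenshot of the CodeIntegrity operational log", does not say what the reader is meant to verify, although the sentence before it directs them to the **Options** field in the **details** pane for the **Managed Installer policy** rule. Suggest an alt text that names that event detail, and add a closing period to match the other alt texts in this commit. The context line above also has "a device is setup to allow" (should be "set up") and a stray comma after "applied correctly".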
@ -49,11 +49,11 @@ Use the Event Viewer to see if a supplemental policy is deployed correctly. Thes
- For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true** - For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true**
- For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true** - For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true**
:::image type="content" source="images/troubleshoot-citool.png" alt-text="Output of citool.exe with the Win-EDU supplemental policy."::: :::image type="content" source="images/troubleshoot-citool.png" alt-text="Screenshot of the output of citool.exe with the Win-EDU supplemental policy.":::
1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1] 1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png"::: :::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Screenshot of the error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::
When checking an error event, you can observe that the information in the *General* tab may show something like the following: When checking an error event, you can observe that the information in the *General* tab may show something like the following:
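Review bot: The two context bullets above the citool image check different properties: the managed installer policy bullet only asks for **Is Currently Enforced** to be **true**, while the bullet for additional policies asks for both **Is Currently Enforced** and **Is Authorized**. If **Is Authorized** also matters for policy `C0DB889B-59C5-453C-B297-399C851934E4`, say so in the first bullet, otherwise a reader validating the device may skip it. The step "Check for **error events** with code **3077**: and reference" also has a stray colon before "and".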
@ -81,9 +81,9 @@ To query AppLocker policies and validate that they're configured correctly, foll
1. Open the **Local Security Policy** mmc console (`secpol.msc`) 1. Open the **Local Security Policy** mmc console (`secpol.msc`)
1. Select **Security Settings > Application Control Policies** 1. Select **Security Settings > Application Control Policies**
1. Right-click **AppLocker** and select **Export Policy…** 1. Right-click **AppLocker** and select **Export Policy…**
:::image type="content" source="images/applocker-export-policy.png" alt-text="Export the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false"::: :::image type="content" source="images/applocker-export-policy.png" alt-text="Screenshot of the export of the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false":::
1. For the policy that sets the Intune Management Extension as a Managed installer, *MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE* should be nested under a RuleCollection section of Type *ManagedInstaller* 1. For the policy that sets the Intune Management Extension as a Managed installer, *MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE* should be nested under a RuleCollection section of Type *ManagedInstaller*
:::image type="content" source="images/applocker-policy-validation.png" alt-text="Xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png"::: :::image type="content" source="images/applocker-policy-validation.png" alt-text="Screenshot of the xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
1. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller* 1. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller*
### AppLocker service ### AppLocker service
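Review bot: The new alt text for images/applocker-policy-validation.png says the file was "generated by the get-applockerpolicy PowerShell cmdlet", but the steps in this hunk export the policy through `secpol.msc` with **Export Policy…**; the alt text should describe the export the reader actually performed, or the steps should mention the cmdlet as an alternative. If the cmdlet reference stays, write it as Get-AppLockerPolicy and capitalize "XML".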

@ -1,7 +1,7 @@
--- ---
title: Validate the applications deployed to Windows SE devices title: Validate the applications deployed to Windows SE devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune. description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 06/07/2023 ms.date: 06/19/2023
ms.topic: tutorial ms.topic: tutorial
appliesto: appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a> - ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
@ -66,11 +66,11 @@ To check the installation status of an app from the Intune portal:
1. Select the application you want to check 1. Select the application you want to check
1. From the **Overview** page, you can verify the overall installation status 1. From the **Overview** page, you can verify the overall installation status
:::image type="content" source="./images/intune-app-install-overview.png" alt-text="Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png"::: :::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png":::
1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure 1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure
:::image type="content" source="./images/intune-app-install-status.png" alt-text="Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png"::: :::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png":::
> [!NOTE] > [!NOTE]
> A Win32 application may install correctly, but report to Intune as failed.\ > A Win32 application may install correctly, but report to Intune as failed.\
@ -120,7 +120,7 @@ These apps are eventually blocked before any of their functionalities can be acc
You may see a dialog indicating **This app won't run on your PC**. Check the indicated executable and verify that it matches the executable of the installed application. You may see a dialog indicating **This app won't run on your PC**. Check the indicated executable and verify that it matches the executable of the installed application.
:::image type="content" source="images/winse-app-block.png" alt-text="Windows SE - error window while opening an app."::: :::image type="content" source="images/winse-app-block.png" alt-text="Screenshot of Windows SE - error window while opening an app.":::
### Event Viewer ### Event Viewer
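Review bot: The alt text for images/winse-app-block.png, "Screenshot of Windows SE - error window while opening an app.", omits the dialog text that the preceding sentence quotes, **This app won't run on your PC**. Including that wording in the alt text would let screen-reader users match the image to the instruction about checking the indicated executable, and "Screenshot of the Windows SE error window" would read more consistently with the other alt texts in this commit.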