Windows 10 S mode is a locked-down operating system that only runs Store apps. By default, Windows S mode devices don't allow installation and execution of Win32 apps. These devices include a single Win 10S base policy, which prevents the S mode device from running any Win32 apps. However, by creating and using an S mode supplemental policy in Intune, you can install and run Win32 apps on Windows 10 S mode managed devices. By using the Microsoft Defender Application Control (WDAC) PowerShell tools, you can create one or more supplemental policies for Windows S mode. You must sign the supplemental policies with the Device Guard Signing Service (DGSS) or with SignTool.exe, and then upload and distribute the policies via Intune. As an alternative, you can sign the supplemental policies with a code-signing certificate from your organization; however, the preferred method is to use DGSS. If you use your organization's code-signing certificate, the root certificate that the code-signing certificate chains up to must be present on the device.
By assigning the S mode supplemental policy in Intune, you enable the device to make an exception to its existing S mode policy, which allows the corresponding signed app catalog that you uploaded. The policy sets an allowlist of apps (the app catalog) that can be used on the S mode device.
Note
Win32 apps on S mode devices are only supported on Windows 10 November 2019 Update (build 18363) or later versions.
The steps to allow Win32 apps to run on a Windows 10 device in S mode are the following:
Enable S mode devices through Intune as part of Windows 10 S enrollment process.
Create a supplemental policy to allow Win32 apps:
You can use Windows Defender Application Control (WDAC) tools to create a supplemental policy. The base policy ID within the policy must match the S mode base policy ID (which is hard-coded on the client). Also, make sure that the policy version is higher than the previous version; otherwise the device won't accept the update.
Intune applies the signed app catalog to install the Win32 app on the S mode device using the Intune Management Extension.
Note
S mode supplemental policy for apps must be delivered via Intune Management Extension.
S mode policies are enforced at the device level. Multiple targeted policies will be merged on the device. The merged policy will be enforced on the device.
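The following PowerShell script is an added example, not code from the original article or from Microsoft. It walks through the supplemental-policy step above with the ConfigCI cmdlets: scan an app folder, bind the policy to the S mode base policy ID, bump the version above the currently deployed one, add the signer, verify the result before conversion, and produce the binary that gets signed and uploaded to Intune. The base policy GUID is a placeholder (the article only says it is hard-coded on the client), and the folder paths, policy name, certificate subject, and previous version are constructed values for illustration.

```powershell
# Added example: build, validate and sign a Windows 10 S mode supplemental policy.
# Assumptions (placeholders, not values from the article):
#   $SModeBasePolicyId - the base policy ID hard-coded on the S mode client (replace before running)
#   $AppFolder         - folder holding the Win32 app binaries to allow
#   $SignerCertCer     - public certificate (.cer) of the DGSS or organizational signing key
#   $PreviousVersion   - version of the supplemental policy already on the devices (10.0.0.0 if none)
Import-Module ConfigCI

$SModeBasePolicyId = '<S_MODE_BASE_POLICY_ID>'            # placeholder GUID
$AppFolder         = 'C:\Apps\ContosoLob'                 # constructed path
$PolicyXml         = 'C:\Policies\SModeSupplemental.xml'  # constructed path
$PolicyBin         = 'C:\Policies\SModeSupplemental.bin'  # constructed path
$SignerCertCer     = 'C:\Policies\SigningCert.cer'        # constructed path
$PreviousVersion   = [version]'10.0.0.0'

# 1. Scan the app folder and write a supplemental policy in multiple-policy format.
#    Publisher-level rules with a hash fallback keep the catalog small and keep working
#    across app updates that are signed by the same publisher.
New-CIPolicy -FilePath $PolicyXml -ScanPath $AppFolder -UserPEs `
    -MultiplePolicyFormat -Level Publisher -Fallback Hash

# 2. Give the policy its own ID/name and make it supplement the S mode base policy.
Set-CIPolicyIdInfo -FilePath $PolicyXml -PolicyName 'Contoso S mode LOB apps' `
    -SupplementsBasePolicyId $SModeBasePolicyId

# 3. The version must be strictly higher than the one already deployed.
$NewVersion = [version]::new($PreviousVersion.Major, $PreviousVersion.Minor,
                             $PreviousVersion.Build, $PreviousVersion.Revision + 1)
Set-CIPolicyVersion -FilePath $PolicyXml -Version $NewVersion.ToString()

# 4. A signed policy needs the signer as an update signer, and must not carry
#    rule option 6 ("Enabled:Unsigned System Integrity Policy").
Add-SignerRule -FilePath $PolicyXml -CertificatePath $SignerCertCer -User -Update
Set-RuleOption -FilePath $PolicyXml -Option 6 -Delete

# 5. Check the XML against the requirements in the article before converting it.
function Test-SModeSupplementalPolicy {
    param(
        [string]$Path,
        [string]$ExpectedBasePolicyId,
        [version]$MustExceedVersion
    )
    [xml]$doc = Get-Content -Path $Path -Raw
    $pol = $doc.SiPolicy
    $problems = @()

    if (-not $pol.BasePolicyID -or ([guid]$pol.BasePolicyID -ne [guid]$ExpectedBasePolicyId)) {
        $problems += "BasePolicyID '$($pol.BasePolicyID)' does not match the S mode base policy ID"
    }
    if ([guid]$pol.PolicyID -eq [guid]$pol.BasePolicyID) {
        $problems += 'PolicyID equals BasePolicyID; this is not a supplemental policy'
    }
    if ([version]$pol.VersionEx -le $MustExceedVersion) {
        $problems += "VersionEx $($pol.VersionEx) is not higher than deployed version $MustExceedVersion"
    }
    $unsigned = $pol.Rules.Rule | Where-Object { $_.Option -eq 'Enabled:Unsigned System Integrity Policy' }
    if ($unsigned) {
        $problems += 'Rule option 6 is still present; remove it before signing'
    }
    return $problems   # empty array means the policy passed every check
}

$issues = Test-SModeSupplementalPolicy -Path $PolicyXml `
    -ExpectedBasePolicyId $SModeBasePolicyId -MustExceedVersion $PreviousVersion
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Error $_ }
    throw 'Supplemental policy failed validation; not converting.'
}

# 6. Convert to binary. Sign the .bin with DGSS (preferred), or with SignTool and your
#    organization's code-signing certificate, then upload the signed result to Intune.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
# SignTool alternative (certificate subject name is constructed):
# signtool.exe sign -v /n 'Contoso WDAC Signing' -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $PolicyBin
```

Step 5 is the part worth keeping around: a policy whose BasePolicyID doesn't match the client's hard-coded S mode base, or whose version doesn't exceed the deployed one, is silently ignored by the device rather than failing loudly at upload time, so catching it before the Intune assignment saves a troubleshooting cycle. The same version-bump requirement applies when you later replace the policy, including with the empty policy used for removal.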
To create a Windows 10 S mode supplemental policy, use the following steps:
Select Next: Assignments.
The Assignments page allows you to assign the policy to users and devices. It's important to note that you can assign a policy to a device whether or not the device is managed by Intune.
Select Next: Review + create to review the values you entered for the profile.
When you're done, select Create to create the S mode supplemental policy in Intune.
Once the policy is created, you'll see it added to the list of S mode supplemental policies in Intune. Once the policy is assigned, it gets deployed to the devices. Note that you must deploy the app to the same security group as the supplemental policy. You can then start targeting and assigning apps to those devices, which allows your end users to install and execute the apps on the S mode devices.
Removal of S mode policy
Currently, to remove the S mode supplemental policy from the device, you must assign and deploy an empty policy to overwrite the existing S mode supplemental policy.
Policy Reporting
The S mode supplemental policy, which is enforced at the device level, only has device-level reporting. Device-level reporting is available for success and error conditions.
Reporting values that are shown in the Microsoft Intune admin center for S mode reporting policies:
Success: The S mode supplemental policy is in effect.
Unknown: The status of the S mode supplemental policy isn't known.
TokenError: The S mode supplemental policy is structurally okay but there's an error with authorizing the token.
NotAuthorizedByToken: The token doesn't authorize this S mode supplemental policy.
PolicyNotFound: The S mode supplemental policy isn't found.