Important considerations before deploying apps with Managed Installer

This article describes important aspects to consider before deploying apps with managed installer.

Existing apps deployed in Intune

If you have Windows 11 SE devices that already have apps deployed through Intune, the apps won't get retroactively tagged with the managed installer mark. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.

Enrollment Status Page

The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the Windows 11 SE base policy, devices can be blocked from completing enrollment if:

  1. You have the ESP configured to block device use until required apps are installed, and
  2. You deploy an app that is blocked by the Windows 11 SE base policy, not installable via a managed installer (without more policies), and not allowed by any supplemental policies or AppLocker policies

If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.

Screenshot of the Enrollment Status Page showing an error in OOBE on Windows 11 SE.

ESP errors mitigation

To ensure that you don't run into installation or enrollment blocks, you can pick one of the following options, in accordance with your internal policies:

  1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they aren't compatible out-of-box, have the corresponding supplemental policy to allow them
  2. Don't deploy apps that you haven't validated
  3. Set your Enrollment Status Page configuration to not block device use based on required apps

To learn more about the ESP, see Set up the Enrollment Status Page.

Potential impact to events collected by Log Analytics integrations

Log Analytics is a cloud service that can be used to collect data from AppLocker policy events. Windows 11 SE devices enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy.

If your organization is using Log Analytics, it's recommended to review your Log Analytics setup to:

  • Ensure there's an appropriate data collection cap in place to avoid unexpected billing costs
  • Turn off the collection of non-error AppLocker events in Log Analytics, except for MSI and Script logs

For more information, see Use Event Viewer with AppLocker