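Windows 10 in S mode is designed for security and performance, and exclusively runs apps from the Microsoft Store. To install an app that is not available in the Microsoft Store, you need to switch out of S mode. Switching out of S mode is one-way. Once you switch, you cannot go back to Windows 10 in S mode. Switching out of S mode is free.
On a PC running Windows 10 in S mode, open Settings > Update & Security > Activation.
In the Switch to Windows 10 Home or Switch to Windows 10 Pro section, select Go to the Microsoft Store. (If an 'Upgrade your edition of Windows' section is also displayed, take care not to click the 'Go to the Microsoft Store' link that appears there.)
On the Switch out of S mode (or similar) page that appears in the Microsoft Store, select the Download button. Once a confirmation message is displayed on the page, you can install apps from outside the Microsoft Store.
Learn how to upgrade from Windows 10 Home to Windows 10 Pro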
I Like It !
Sunday, May 31, 2020
Wednesday, May 20, 2020
Enable Win32 apps on S mode devices
Windows 10 S mode is a locked-down operating system that only runs Store apps. By default, Windows S mode devices do not allow installation and execution of Win32 apps. These devices include a single Win 10S base policy, which locks the S mode device from running any Win32 apps on it. However, by creating and using an S mode supplemental policy in Intune, you can install and run Win32 apps on Windows 10 S mode managed devices. By using the Windows Defender Application Control (WDAC) PowerShell tools, you can create one or more supplemental policies for Windows S mode. You must sign the supplemental policies with the Device Guard Signing Service (DGSS) or with SignTool.exe and then upload and distribute the policies via Intune. As an alternative, you can sign the supplemental policies with a codesigning certificate from your organization; however, the preferred method is to use DGSS. If you use the codesigning certificate from your organization, the root certificate that the codesigning certificate chains up to must be present on the device.
By assigning the S mode supplemental policy in Intune, you enable the device to make an exception to the device's existing S mode policy, which allows the uploaded corresponding signed app catalog. The policy sets an allow list of apps (the app catalog) that can be used on the S mode device.
Note
Win32 apps on S mode devices are only supported on Windows 10 November 2019 Update (build 18363) or later versions.
The steps to allow Win32 apps to run on a Windows 10 device in S mode are the following:
Enable S mode devices through Intune as part of Windows 10 S enrollment process.
Create a supplemental policy to allow Win32 apps:
You can use Microsoft Defender Application Control (WDAC) tools to create a supplemental policy. The base policy Id within the policy must match the S mode base policy Id (which is hard coded on the client). Also, make sure that the policy version is higher than the previous version.
You use DGSS to sign your supplemental policy. For more information, see Sign code integrity policy with Device Guard signing.
You upload the signed supplemental policy to Intune by creating a Windows 10 S mode supplemental policy (see below).
You allow Win32 app catalogs through Intune:
You create catalog files (1 for every app) and sign them using DGSS or other certificate infrastructure.
You package the signed catalog into the .intunewin file using the Microsoft Win32 Content Prep Tool. There are no naming restrictions when creating a catalog file using the Microsoft Win32 Content Prep Tool. When generating the .intunewin file from the specified source folder and setup file, you can provide a separate folder containing only catalog files by using the -a cmdline option. For more information, see Win32 app management - Prepare the Win32 app content for upload.
Intune applies the signed app catalog to install the Win32 app on the S mode device using the Intune Management Extension.
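One way to check the two constraints stated above (matching base policy Id, higher policy version) before signing and uploading a policy. This is an added example, not code from the Microsoft documentation; the function name, the sample XML and both GUIDs are constructed placeholders, and it assumes the policy XML carries PolicyType, BasePolicyID and VersionEx as in the WDAC multiple-policy format.

```powershell
function Test-SModeSupplementalPolicy {
    param(
        [Parameter(Mandatory)][xml]$PolicyXml,
        [Parameter(Mandatory)][guid]$ExpectedBasePolicyId,  # S mode base policy Id (supply the real one)
        [Parameter(Mandatory)][version]$PreviousVersion     # version of the policy deployed before
    )
    $policy   = $PolicyXml.SiPolicy
    $problems = @()

    if ($policy.PolicyType -ne 'Supplemental Policy') {
        $problems += "PolicyType is '$($policy.PolicyType)', expected 'Supplemental Policy'"
    }

    # BasePolicyID is written as {GUID}; Guid parsing accepts the braces
    $baseId = [guid]::Empty
    if (-not [guid]::TryParse([string]$policy.BasePolicyID, [ref]$baseId)) {
        $problems += 'BasePolicyID is missing or not a GUID'
    } elseif ($baseId -ne $ExpectedBasePolicyId) {
        $problems += "BasePolicyID $baseId does not match expected $ExpectedBasePolicyId"
    }

    # The new policy version must be strictly higher than the previous one
    $ver = $null
    if (-not [version]::TryParse([string]$policy.VersionEx, [ref]$ver)) {
        $problems += 'VersionEx is missing or malformed'
    } elseif ($ver -le $PreviousVersion) {
        $problems += "VersionEx $ver is not higher than previous version $PreviousVersion"
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample policy; both GUIDs are placeholders, not real policy Ids
$sample = [xml]@'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Supplemental Policy">
  <VersionEx>10.0.0.1</VersionEx>
  <PolicyID>{11111111-1111-1111-1111-111111111111}</PolicyID>
  <BasePolicyID>{00000000-0000-0000-0000-000000000001}</BasePolicyID>
</SiPolicy>
'@
$expected = '00000000-0000-0000-0000-000000000001'

# Check against an older deployed version, then against one that is not older
Test-SModeSupplementalPolicy -PolicyXml $sample -ExpectedBasePolicyId $expected -PreviousVersion '10.0.0.0'
Test-SModeSupplementalPolicy -PolicyXml $sample -ExpectedBasePolicyId $expected -PreviousVersion '10.0.0.1'
```

Run it against the policy XML before converting it to binary format and signing, since the signed binary is what gets uploaded to Intune.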
Note
Line-of-business (LOB) .appx and .appx bundles on Windows 10 S mode will be supported via Microsoft Store for Business (MSFB) signing.
S mode supplemental policy for apps must be delivered via Intune Management Extension.
S mode policies are enforced at the device level. Multiple targeted policies will be merged on the device. The merged policy will be enforced on the device.
To create a Windows 10 S mode supplemental policy, use the following steps:
Sign in to the Microsoft Endpoint Manager admin center.
Select Apps > S mode supplemental policies > Create policy.
Before adding the Policy file, you must create and sign it. For more information, see:
Create a WDAC policy using PowerShell tools and convert it to a binary format
Sign using Device Guard Signing Service (recommended)
On the Basics page, add the following values:
Table 1
Value: Description
Policy file: The file that contains the WDAC policy.
Name: The name of this policy.
Description: [Optional] The description of this policy.
Click Next: Scope tags.
On the Scope tags page you can optionally configure scope tags to determine who can see the app policy in Intune. For more information about scope tags, see Use role-based access control and scope tags for distributed IT.
Click Next: Assignments.
The Assignments page allows you to assign the policy to users and devices. It is important to note that you can assign a policy to a device whether or not the device is managed by Intune.
Click Next: Review + create to review the values you entered for the profile.
When you are done, click Create to create the S mode supplemental policy in Intune.
Once the policy is created, you will see it added to the list of S mode supplemental policies in Intune. Once the policy is assigned, the policy gets deployed to the devices. Note that you must deploy the app to the same security group as the supplemental policy. You can start targeting and assigning apps to those devices. This will allow your end users to install and execute the apps on the S mode devices.
Removal of S mode policy
Currently, to remove the S mode supplemental policy from the device, you must assign and deploy an empty policy to overwrite the existing S mode supplemental policy.
Policy Reporting
The S mode supplemental policy, which is enforced at device level, only has device level reporting. Device level reporting is available for success and error conditions.
Reporting values that are shown in the Intune console for S mode reporting policies:
Success: The S mode supplemental policy is in effect.
Unknown: The status of the S mode supplemental policy is not known.
TokenError: The S mode supplemental policy is structurally okay but there is an error with authorizing the token.
NotAuthorizedByToken: The token does not authorize this S mode supplemental policy.
PolicyNotFound: The S mode supplemental policy is not found.
Enable Win32 apps on S mode devices - Microsoft Intune | Microsoft Docs
https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-s-mode?WT.mc_id=email