By Aasawari Navathe - Sr Product Manager | Microsoft Intune
With Intune’s June (2306) release, we’ve made it easier for Intune for Education admins to add and deploy apps on their Windows 11 SE devices with the Managed installer policy. This policy automatically allows apps on Windows 11 SE devices deployed using the Intune Management Extension, which eliminates the need to request a supplemental policy update by Microsoft.
Windows 11 SE devices used in education environments by students are highly controlled to prevent users from installing apps not specified in the allowed apps list through the Windows Defender Application Control (WDAC) policy. Adding apps was managed by a WDAC supplemental policy maintained by Microsoft. To add apps to the allow list, admins needed to request a supplemental policy update by Microsoft. Now, with the 2306 release, admins can add apps via the Managed installer in the Microsoft Intune admin center, saving them time and making it easier to maintain the allowed apps on the list.
For Windows 11 SE customers who are using Intune for Education, no action is needed. The Managed installer policy will automatically apply to newly enrolled and existing Windows 11 SE devices. You can view the reporting status of the policy on these devices in the Intune admin center under Endpoint security > Application control (preview) > Managed installer.
Intune for Education tenants can see the status of the Managed installer policy as Active (Windows 11 SE only). Clicking into the policy, you can view Overview, Properties, and a detailed Device status pane.
A screenshot of the Managed installer - Intune Management Extension page in the Intune admin center showing the detailed Overview pane.
After a tenant is upgraded to 2306, and the device receives the Managed installer policy (no admin action needed for this), subsequent apps installed by Intune will be able to run on Windows 11 SE devices.
Important: Apps already deployed on Windows 11 SE devices prior to the Managed installer policy being applied will need to be redeployed from Intune to be allowed to run.
For more information, see the following documents: