This week's post is about Allowing Direct Installation of Windows 8 Apps via Compliance Settings. It can be read either as a stand-alone post or as a follow-up to my last post about Deploying Certificate Profiles with ConfigMgr 2012, as there are two real requirements to deploy Windows 8 Apps:
- The Certification Authority (CA), that is used to sign the App, is trusted by the Windows 8 device.
- Allow Direct Installation of Windows 8 Apps is configured on the Windows 8 device.
Of course these settings are configurable via Group Policies (as described in this post), but to use Group Policies the device needs to be a member of the domain. So when either the device isn't domain joined, or the company likes one way to configure a setting for all devices, see part 1 of this post for deploying a root certificate and read the rest of this post for Allowing Direct Installation of Windows 8 Apps.
Create the Configuration Item
Now let's start with creating a Configuration Item that will check, and remediate, the existence and data of the value AllowAllTrustedApps in the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx.
- In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items.
- On the Home tab, in the Create group, click Create Configuration Item and the Create Configuration Item Wizard will pop up.
- On the General page, fill in with Name <aCIName> and click Next.
- On the Supported Platforms page, select Windows 8 and Windows 8.1 Preview and click Next.
On the Settings page, click New, fill in the following information and click Next.
- On the General tab, fill in the following information and click OK.
- Fill in as Name <aSName>.
- Select as Setting Type Script.
- Select as Data Type String.
- Click with Discovery script Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
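    # Registry key that holds the sideloading policy
    $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
    If (!(Test-Path -Path $Path)) {
        # Key is missing, so the policy is not configured
        $Compliance = "NonCompliant"
    }
    Else {
        If ((Get-ItemProperty -Path $Path).AllowAllTrustedApps -ne 1) {
            $Compliance = "NonCompliant"
        }
        Else {
            $Compliance = "Compliant"
        }
    }
    # The compliance rule compares this string with "Compliant"
    Return $Compliance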
- Click with Remediation script (optional) Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
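    $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
    # Create the key when it does not exist yet
    If (!(Test-Path -Path $Path)) {
        New-Item -Path $Path -Force
    }
    # Set AllowAllTrustedApps to 1 as a DWORD, overwriting any existing value
    New-ItemProperty -Path $Path -Name AllowAllTrustedApps -Value 1 -PropertyType DWord -Force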
On the Compliance Rules tab, click New, fill in the following information and click OK.
- Fill in as Name <aRName>.
- Select as Rule Type Value.
- Select with The settings must comply with the following rule: Equals.
- Fill in with the following values Compliant.
- Note: This value is important for it to function, as it is "hardcoded" in the script.
- Select Run the specified remediation script when this setting is noncompliant.
- Select with Noncompliance severity for reports: Information.
- On the Compliance Rules page click Next.
- On the Summary page click Next.
- On the Completion page click Close.
Create the Configuration Baseline
The second thing to do is to create a Configuration Baseline to allow the new Configuration Item to be evaluated for compliance.
In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
- On the Home tab, in the Create group, click Create Configuration Baseline and the Create Configuration Baseline popup will show.
- On the Create Configuration Baseline popup, fill in with Name <aCBName> and click Add > Configuration Item and the Add Configuration Items popup will show.
- On the Add Configuration Items popup select the new Configuration Item <aCIName>, click Add, click OK and back on the Create Configuration Baseline popup click OK.
Deploy the Configuration Baseline
The last thing to do is to deliver the Configuration Baseline to the client devices by deploying it.
In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
- Select the new Configuration Baseline <aCBName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Configuration Baselines popup will show.
- On the Deploy Configuration Baselines popup, select Remediate noncompliant rules when supported, Browse to <aCollection> and click OK.
Results
As always, now it is time to take a look at the results! There is a lot to show, like log files, the checked and/or created registry key and even the compliance information. I think the nicest one, in this situation, is the DcmWmiProvider.log, as it will show the information about running the different scripts. The log will show the result of running the discovery script, followed by the remediation script and their results.
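To check what a discovery script reports for each registry state before deploying the baseline, the following added example (not part of the original post) runs a stricter variant of the discovery logic against a scratch key. The function name Get-SideloadCompliance, the scratch key HKCU:\Software\SideloadCheckDemo and the rule that only a DWORD 1 counts as compliant are assumptions of this example.

```powershell
# Added example: stricter discovery logic, exercised on constructed test data.
function Get-SideloadCompliance {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx')
    try {
        # Throws when the key does not exist
        $key = Get-Item -LiteralPath $Path -ErrorAction Stop
        # GetValueKind throws when the value does not exist
        $isDword = $key.GetValueKind('AllowAllTrustedApps') -eq 'DWord'
        if ($isDword -and $key.GetValue('AllowAllTrustedApps') -eq 1) {
            return 'Compliant'
        }
    }
    catch {
        # Swallow the error so the only output is the string the
        # compliance rule compares against
    }
    return 'NonCompliant'
}

# Hypothetical scratch key under HKCU; it is removed again at the end.
$scratch = 'HKCU:\Software\SideloadCheckDemo'
$name    = 'AllowAllTrustedApps'

# Constructed registry states, applied one after another
$cases = [ordered]@{
    'key missing'   = { Remove-Item $scratch -Recurse -Force -ErrorAction SilentlyContinue }
    'value missing' = { New-Item $scratch -Force | Out-Null }
    'string "1"'    = { New-ItemProperty $scratch -Name $name -Value '1' -PropertyType String -Force | Out-Null }
    'DWORD 0'       = { New-ItemProperty $scratch -Name $name -Value 0 -PropertyType DWord -Force | Out-Null }
    'DWORD 1'       = { New-ItemProperty $scratch -Name $name -Value 1 -PropertyType DWord -Force | Out-Null }
}

foreach ($case in $cases.Keys) {
    & $cases[$case]
    '{0,-14} -> {1}' -f $case, (Get-SideloadCompliance -Path $scratch)
}

Remove-Item $scratch -Recurse -Force
```

Called without -Path, the function checks the real policy key and returns the same Compliant or NonCompliant string the compliance rule expects.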