Allow Direct Installation of Windows 8 Apps via Compliance Settings in ConfigMgr 2012

This week's post is about allowing direct installation of Windows 8 Apps via Compliance Settings. It can be read as a stand-alone post or as a follow-up to my last post about Deploying Certificate Profiles with ConfigMgr 2012, as there are two real requirements to deploy Windows 8 Apps:

  • The Certification Authority (CA), that is used to sign the App, is trusted by the Windows 8 device.
  • Allow Direct Installation of Windows 8 Apps is configured on the Windows 8 device.

Of course these settings are configurable via Group Policies (as described in this post), but to use Group Policies the device needs to be a member of the domain. So when either the device isn't domain joined, or the company prefers a single way to configure a setting for all devices, see part 1 of this post for deploying a root certificate and read the rest of this post for allowing direct installation of Windows 8 Apps.

Create the Configuration Item

Now let's start with creating a Configuration Item that will check, and remediate, the existence and data of the value AllowAllTrustedApps in the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items.
  • On the Home tab, in the Create group, click Create Configuration Item and the Create Configuration Item Wizard will pop up.
  • On the General page, fill in with Name <aCIName> and click Next.
  • On the Supported Platforms page, select Windows 8 and Windows 8.1 Preview and click Next.
  • On the Settings page, click New, fill in the following information and click Next.
    • On the General tab, fill in the following information and click OK.
      • Fill in as Name <aSName>.
      • Select as Setting Type Script.
      • Select as Data Type String.
      • Click with Discovery script Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
        # Report Compliant only when AllowAllTrustedApps exists and is set to 1.
        $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
        If (!(Test-Path -Path $Path)) {
            $Compliance = "NonCompliant"
        }
        Else {
            If ((Get-ItemProperty -Path $Path).AllowAllTrustedApps -ne 1) {
                $Compliance = "NonCompliant"
            }
            Else {
                $Compliance = "Compliant"
            }
        }
        Return $Compliance

      • Click with Remediation script (optional) Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
        # Create the policy key when it does not exist yet.
        $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
        If (!(Test-Path -Path $Path)) {
            New-Item -Path $Path -Force
        }
        # Set AllowAllTrustedApps to 1 as a DWORD, overwriting any existing data.
        New-ItemProperty -Path $Path -Name AllowAllTrustedApps -Value 1 -PropertyType DWord -Force

    • On the Compliance Rules tab, click New, fill in the following information and click OK.
      • Fill in as Name <aRName>.
      • Select as Rule Type Value.
      • Select with The settings must comply with the following rule: Equals.
      • Fill in with the following values Compliant.
        • Note: This value is important for it to function, as it is “hardcoded” in the script.
      • Select Run the specified remediation script when this setting is noncompliant.
      • Select with Noncompliance severity for reports: Information.
  • On the Compliance Rules page click Next.
  • On the Summary page click Next.
  • On the Completion page click Close.

Create the Configuration Baseline

The second thing to do is to create a Configuration Baseline to allow the new Configuration Item to be evaluated for compliance.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
  • On the Home tab, in the Create group, click Create Configuration Baseline and the Create Configuration Baseline popup will show.
  • On the Create Configuration Baseline popup, fill in with Name <aCBName> and click Add > Configuration Item and the Add Configuration Items popup will show.
  • On the Add Configuration Items popup select the new Configuration Item <aCIName>, click Add, click OK and back on the Create Configuration Baseline popup click OK.

Deploy the Configuration Baseline

The last thing to do is to deliver the Configuration Baseline to the client devices by deploying it.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
  • Select the new Configuration Baseline <aCBName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Configuration Baselines popup will show.
  • On the Deploy Configuration Baselines popup, select Remediate noncompliant rules when supported, Browse to <aCollection> and click OK.

Results

As always, now it is time to take a look at the results! There is a lot to show, like log files, the checked and/or created registry key and even the compliance information. I think the nicest one, in this situation, is the DcmWmiProvider.log, as it will show the information about running the different scripts. The log will show the result of running the discovery script, followed by the remediation script and their results.
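
To check the result directly on a client, the following added example (not part of the original post) verifies both requirements listed at the start: the policy value and the presence of the signing root CA in the computer's Trusted Root store. The function names are hypothetical, `$RootThumbprint` is a placeholder for your own CA, and DWord 1 is assumed as the expected form of the value.

```powershell
# Added example: local check of the two requirements for installing Windows 8 apps.
# $RootThumbprint is a placeholder; pass the thumbprint of your own signing root CA.
param([string]$RootThumbprint = '<ROOT-CA-THUMBPRINT>')

$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$Name = 'AllowAllTrustedApps'

function Test-SideloadingPolicy {
    # Reports the state in detail: missing key, missing value, or the value's
    # type and data. Assumption: DWord 1 is the expected form.
    $state = 'KeyMissing'; $ok = $false
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) {
        if ($key.GetValueNames() -contains $Name) {
            $kind  = $key.GetValueKind($Name)
            $data  = $key.GetValue($Name)
            $state = "$kind=$data"
            $ok = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($data -eq 1)
        } else { $state = 'ValueMissing' }
    }
    [pscustomobject]@{ Check = 'AllowAllTrustedApps'; State = $state; Compliant = $ok }
}

function Test-RootCertificate {
    # The signing CA must be in the computer's Trusted Root store and within its validity period.
    $state = 'NotInRootStore'; $ok = $false
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootThumbprint } | Select-Object -First 1
    if ($cert) {
        $ok = (Get-Date) -ge $cert.NotBefore -and (Get-Date) -le $cert.NotAfter
        $state = if ($ok) { "ValidUntil=$($cert.NotAfter.ToString('yyyy-MM-dd'))" } else { 'OutsideValidity' }
    }
    [pscustomobject]@{ Check = 'TrustedRootCA'; State = $state; Compliant = $ok }
}

$results = @(Test-SideloadingPolicy; Test-RootCertificate)
$results | Format-Table -AutoSize
# A single Compliant/NonCompliant string, matching the rule value used in this post.
if ($results.Compliant -contains $false) { 'NonCompliant' } else { 'Compliant' }
```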
