Allow Direct Installation of Windows 8 Apps via Compliance Settings in ConfigMgr 2012

This week's post is about allowing direct installation of Windows 8 apps via Compliance Settings. It can be read either as a stand-alone post or as a follow-up to my last post about Deploying Certificate Profiles with ConfigMgr 2012, as there are two real requirements to deploy Windows 8 apps:

  • The Certification Authority (CA), that is used to sign the App, is trusted by the Windows 8 device.
  • Allow Direct Installation of Windows 8 Apps is configured on the Windows 8 device.

Of course these settings are configurable via Group Policies (as described in this post), but, to use Group Policies, the device needs to be a member of the domain. So when either the device isn't domain joined, or the company wants one way to configure a setting for all devices, see part 1 of this post for deploying a root certificate and read the rest of this post for allowing direct installation of Windows 8 apps.

Create the Configuration Item

Now let's start with creating a Configuration Item that will check, and remediate, the existence and data of the value AllowAllTrustedApps in the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items.
  • On the Home tab, in the Create group, click Create Configuration Item and the Create Configuration Item Wizard will pop up.
  • On the General page, fill in with Name <aCIName> and click Next.
  • On the Supported Platforms page, select Windows 8 and Windows 8.1 Preview and click Next.
  • On the Settings page, click New, fill in the following information and click Next.
    • On the General tab, fill in the following information and click OK.
      • Fill in as Name <aSName>.
      • Select as Setting Type Script.
      • Select as Data Type String.
      • Click with Discovery script Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
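        $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
        # Key missing: the policy has never been configured
        If (!(Test-Path -Path $Path)) {
            $Compliance = "NonCompliant"
        }
        Else {
            # Value missing or not 1: direct installation is not allowed
            If ((Get-ItemProperty -Path $Path).AllowAllTrustedApps -ne 1) {
                $Compliance = "NonCompliant"
            }
            Else {
                $Compliance = "Compliant"
            }
        }
        # The compliance rule compares this string with "Compliant"
        Return $Compliance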

      • Click with Remediation script (optional) Edit Script… and in the Edit Discovery Script popup add the following script and click OK.
        $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
        # Create the key when it does not exist yet
        If (!(Test-Path -Path $Path)) {
            New-Item -Path $Path -Force
        }
        # Create or overwrite the value, explicitly as a DWORD
        New-ItemProperty -Path $Path -Name AllowAllTrustedApps -Value 1 -PropertyType DWord -Force

    • On the Compliance Rules tab, click New, fill in the following information and click OK.
      • Fill in as Name <aRName>.
      • Select as Rule Type Value.
      • Select with The settings must comply with the following rule: Equals.
      • Fill in with the following values Compliant.
        • Note: This value is important for it to function, as it is "hardcoded" in the script.
      • Select Run the specified remediation script when this setting is noncompliant.
      • Select with Noncompliance severity for reports: Information.
  • On the Compliance Rules page click Next .
  • On the Summary page click Next .
  • On the Completion page click Close .
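
The discovery script above only looks at the registry value. As an added example (not part of the original post), the following check covers both requirements listed at the top of this post and returns the same Compliant/NonCompliant strings the compliance rule expects. The thumbprint is a placeholder and the function names are made up for this example.

```powershell
# Added example: verifies both sideloading prerequisites on the local device.
# ASSUMPTION: placeholder thumbprint of the root CA that signs your apps.
$RootThumbprint = '<THUMBPRINT-OF-YOUR-APP-SIGNING-ROOT-CA>'
$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$Name = 'AllowAllTrustedApps'

# Hypothetical helper: is the policy value present, a DWORD, and set to 1?
function Test-SideloadingPolicy {
    param([string]$KeyPath, [string]$ValueName)
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    # Require REG_DWORD: a string "1" also satisfies a loose "-ne 1" comparison
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { return $false }
    return ($key.GetValue($ValueName) -eq 1)
}

# Hypothetical helper: is the signing root in the machine's Trusted Root store
# and not yet expired?
function Test-TrustedRoot {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) { return $false }
    return ($cert.NotAfter -gt (Get-Date))
}

if ((Test-SideloadingPolicy -KeyPath $Path -ValueName $Name) -and
    (Test-TrustedRoot -Thumbprint $RootThumbprint)) {
    'Compliant'
}
else {
    'NonCompliant'
}
```

The remediation script in this post only sets the registry value, so a device that fails this check because of a missing root certificate stays noncompliant until the certificate is deployed.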

Create the Configuration Baseline

The second thing to do is to create a Configuration Baseline to allow the new Configuration Item to be evaluated for compliance.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
  • On the Home tab, in the Create group, click Create Configuration Baseline and the Create Configuration Baseline popup will show.
  • On the Create Configuration Baseline popup, fill in with Name <aCBName> and click Add > Configuration Item and the Add Configuration Items popup will show.
  • On the Add Configuration Items popup select the new Configuration Item <aCIName>, click Add, click OK and back on the Create Configuration Baseline popup click OK.

Deploy the Configuration Baseline

The last thing to do is to deliver the Configuration Baseline to the client devices by deploying it.

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
  • Select the new Configuration Baseline <aCBName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Configuration Baselines popup will show.
  • On the Deploy Configuration Baselines popup, select Remediate noncompliant rules when supported, Browse to <aCollection> and click OK.

Results

As always, now it is time to take a look at the results! There is a lot to show, like log files, the checked and/or created registry key and even the compliance information. I think the nicest one, in this situation, is the DcmWmiProvider.log, as it will show the information about running the different scripts. The log will show the result of running the discovery script, followed by the remediation script and their results.
