This week's post is about Allowing Direct Installation of Windows 8 Apps via Compliance Settings. It can be read either as a stand-alone post or as a follow-up to my last post about Deploying Certificate Profiles with ConfigMgr 2012. There are two real requirements to deploy Windows 8 Apps:
- The Certification Authority (CA), that is used to sign the App, is trusted by the Windows 8 device.
- Allow Direct Installation of Windows 8 Apps is configured on the Windows 8 device.
Of course these settings are configurable via Group Policies (as described in this post), but to use Group Policies the device needs to be a member of the domain. So when either the device isn’t domain joined, or the company wants a single way to configure a setting for all devices, see part 1 of this post for deploying a root certificate and read the rest of this post for Allowing Direct Installation of Windows 8 Apps.
Create the Configuration Item
Now let's start by creating a Configuration Item that checks, and remediates where needed, the existence and data of the registry value AllowAllTrustedApps in the key HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx.
- In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items.
- On the Home tab, in the Create group, click Create Configuration Item and the Create Configuration Item Wizard will pop up.
- On the General page, fill in with Name <aCIName> and click Next.
- On the Supported Platforms page, select Windows 8 and Windows 8.1 Preview and click Next.
- On the Settings page, click New, fill in the following information and click Next.
  - On the General tab, fill in the following information and click OK.
    - Fill in as Name <aSName>.
    - Select as Setting Type Script.
    - Select as Data Type String.
    - Click with Discovery script Edit Script… and in the Edit Discovery Script popup add the following script and click OK.

      ```powershell
      # Discovery: return "Compliant" only when AllowAllTrustedApps is set to 1.
      $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
      If (!(Test-Path -Path $Path)) {
          # The policy key does not exist yet.
          $Compliance = "NonCompliant"
      }
      Else {
          If ((Get-ItemProperty -Path $Path).AllowAllTrustedApps -ne 1) {
              # The value is missing or holds something other than 1.
              $Compliance = "NonCompliant"
          }
          Else {
              $Compliance = "Compliant"
          }
      }
      Return $Compliance
      ```

    - Click with Remediation script (optional) Edit Script… and in the Edit Discovery Script popup add the following script and click OK.

      ```powershell
      # Remediation: create the policy key if needed and set AllowAllTrustedApps to 1.
      $Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
      If (!(Test-Path -Path $Path)) {
          New-Item -Path $Path -Force | Out-Null
      }
      # Write the value explicitly as a DWORD; -Force overwrites an existing value.
      New-ItemProperty -Path $Path -Name AllowAllTrustedApps -Value 1 -PropertyType DWord -Force | Out-Null
      ```
  - On the Compliance Rules tab, click New, fill in the following information and click OK.
    - Fill in as Name <aRName>.
    - Select as Rule Type Value.
    - Select with The settings must comply with the following rule: Equals.
    - Fill in with the following values Compliant.
      - Note: This value is important for it to function, as it is “hardcoded” in the script.
    - Select Run the specified remediation script when this setting is noncompliant.
    - Select with Noncompliance severity for reports: Information.
  - On the General tab, fill in the following information and click OK.
- On the Compliance Rules page click Next.
- On the Summary page click Next.
- On the Completion page click Close.
Create the Configuration Baseline
The second thing to do is to create a Configuration Baseline to allow the new Configuration Item to be evaluated for compliance.
- In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
- On the Home tab, in the Create group, click Create Configuration Baseline and the Create Configuration Baseline popup will show.
- On the Create Configuration Baseline popup, fill in with Name <aCBName> and click Add > Configuration Item and the Add Configuration Items popup will show.
- On the Add Configuration Items popup select the new Configuration Item <aCIName>, click Add, click OK and back on the Create Configuration Baseline popup click OK.
Deploy the Configuration Baseline
The last thing to do is to deliver the Configuration Baseline to the client devices by deploying it.
- In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Baselines.
- Select the new Configuration Baseline <aCBName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Configuration Baselines popup will show.
- On the Deploy Configuration Baselines popup, select Remediate noncompliant rules when supported, Browse to <aCollection> and click OK.
Results
As always, now it is time to take a look at the results! There is a lot to show, like log files, the checked and/or created registry key and even the compliance information. I think the nicest one, in this situation, is the DcmWmiProvider.log, as it will show the information about running the different scripts. The log will show the result of running the discovery script, followed by the remediation script and their results.
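To confirm the result on a client alongside the log, the registry value itself can be read directly. The following PowerShell is an added example, not part of the original post: the function name Get-SideloadingPolicyState and its output properties are hypothetical, and it assumes the policy value is stored as a DWORD, as the Group Policy setting writes it.

```powershell
# Added example: inspect the sideloading policy value the Configuration Item manages.
# Function and property names are hypothetical; key and value name come from the post.
function Get-SideloadingPolicyState {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx',
        [string]$Name = 'AllowAllTrustedApps'
    )

    $state = [ordered]@{
        Path        = $Path
        KeyExists   = $false
        ValueExists = $false
        ValueKind   = $null
        ValueData   = $null
        Compliance  = 'NonCompliant'
    }

    if (Test-Path -Path $Path) {
        $state.KeyExists = $true
        $key = Get-Item -Path $Path
        # GetValueNames() lists the values actually present, so a missing value
        # is distinguished from a value that merely holds 0.
        if ($key.GetValueNames() -contains $Name) {
            $state.ValueExists = $true
            $state.ValueKind   = $key.GetValueKind($Name)
            $state.ValueData   = $key.GetValue($Name)
            # Assumption: the policy is a DWORD holding 1. A string "1" would pass
            # the loose "-ne 1" comparison used in the discovery script.
            if ($state.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and
                $state.ValueData -eq 1) {
                $state.Compliance = 'Compliant'
            }
        }
    }

    [pscustomobject]$state
}

# Full detail for an administrator checking a client by hand.
Get-SideloadingPolicyState | Format-List

# Used as a discovery script, emit only the single string the compliance rule compares:
# (Get-SideloadingPolicyState).Compliance
```

A NonCompliant result with ValueExists set to True points at a value of the wrong type or data rather than a missing key, which the single Compliant/NonCompliant string in the compliance report cannot distinguish.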