winget-cli
ADMX configuration does not work through Microsoft Endpoint
Description of the new feature / enhancement
ADMX ingestion [1] of the provided ADMX file fails due to constraints of Endpoint ADMX ingestion [2]. Registry keys within Software\Policies\Microsoft\Windows\AppInstaller are not writeable. Therefore, the ADMX ingestion does not work.
As we're going AADJ only and the MS Store does not really work with business accounts and is still enabled by default, we need to implement a cumbersome workaround.
[1] https://docs.microsoft.com/en-us/archive/blogs/ukplatforms/google-chrome-gpo-via-intune
[2] https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration
Proposed technical implementation details
Direct Endpoint integration would be the best option, I guess. Adding a new exception for a writeable registry key location to ADMX ingestion would be the second-best option, but it still requires the involvement of Microsoft outside the winget team.
Watching a second registry key location would be another (quite unclean) option.
Event log errors
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 01/02/2022 14:01:33
Event ID: 404
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (2FD40D97-DEA2-463C-918D-EE910BADD8E3), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Microsoft/Policy/DesktopAppInstaller), Result: (Access is denied.).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3da494e4-0fe2-415c-b895-fb5265c5c83b}" />
<EventID>404</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-02-01T22:01:33.2204238Z" />
<EventRecordID>4510</EventRecordID>
<Correlation />
<Execution ProcessID="15872" ThreadID="11512" />
<Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
<Computer>CLFPF21B7DS</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Message1">2FD40D97-DEA2-463C-918D-EE910BADD8E3</Data>
<Data Name="Message2">MDMDeviceWithAAD</Data>
<Data Name="Message3">Policy</Data>
<Data Name="InternalCmdType">1</Data>
<Data Name="Message5">./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Microsoft/Policy/DesktopAppInstaller</Data>
<Data Name="HexInt1">0x80070005</Data>
</EventData>
</Event>
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 01/02/2022 14:01:33
Event ID: 865
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: CLFPF21B7DS
Description:
MDM PolicyManager: ADMX Ingestion: EnrollmentId (2FD40D97-DEA2-463C-918D-EE910BADD8E3), app name (Microsoft), setting type (Policy), unique Id (DesktopAppInstaller). Result:(0x80070005) Access is denied..
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3da494e4-0fe2-415c-b895-fb5265c5c83b}" />
<EventID>865</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-02-01T22:01:33.2203516Z" />
<EventRecordID>4509</EventRecordID>
<Correlation />
<Execution ProcessID="15872" ThreadID="11512" />
<Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
<Computer>CLFPF21B7DS</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Message1">2FD40D97-DEA2-463C-918D-EE910BADD8E3</Data>
<Data Name="Message2">Microsoft</Data>
<Data Name="Message3">Policy</Data>
<Data Name="Message4">DesktopAppInstaller</Data>
<Data Name="HexInt1">0x80070005</Data>
<Data Name="HexInt3">0x80070005</Data>
</EventData>
</Event>
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 01/02/2022 14:01:33
Event ID: 850
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: CLFPF21B7DS
Description:
MDM PolicyManager ADMX Ingestion: Blocked registry key: (Software\Policies\Microsoft\Windows\AppInstaller) in (policy) tag.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3da494e4-0fe2-415c-b895-fb5265c5c83b}" />
<EventID>850</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-02-01T22:01:33.2198261Z" />
<EventRecordID>4508</EventRecordID>
<Correlation />
<Execution ProcessID="15872" ThreadID="11512" />
<Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
<Computer>CLFPF21B7DS</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Message1">Software\Policies\Microsoft\Windows\AppInstaller</Data>
<Data Name="Message2">policy</Data>
</EventData>
</Event>
The only current way seems to be OMA-URI: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller
Good news. Winget ADMX-backed policies made it into the Intune settings catalog. Can confirm that using OMA-URI or manual upload of the winget ADMX might fail. This issue is also covered here: https://andrewstaylor.com/2022/10/26/managing-winget-using-intune-and-admx-import/
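As an added example (not from the issue, the commenters, or the winget-cli project): a PowerShell check for the managed device that pulls the three event IDs quoted in the issue (850, 865, 404) out of the DeviceManagement diagnostics log and then inspects the blocked policy key, so you can tell whether the ADMX ingestion route failed and whether the OMA-URI / settings catalog route actually wrote winget policy values. The one-week lookback and the helper name Get-EventDataValue are assumptions.

```powershell
# Added example, not code from the issue or the winget-cli project.
# Run in an elevated PowerShell session on the managed device.
$LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$Since     = (Get-Date).AddDays(-7)   # assumption: one-week lookback

# Pull one named <Data> value out of an event's XML (the EventData block quoted in the issue).
function Get-EventDataValue {
    param(
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Event IDs from the issue: 850 = blocked registry key, 865 = ADMX ingestion result,
# 404 = MDM ConfigurationManager command failure. HexInt1 carries the HRESULT
# (0x80070005 = access denied, as in the quoted events).
$filter = @{ LogName = $LogName; Id = 850, 865, 404; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    $detail = switch ($e.Id) {
        850 { 'Blocked key: ' + (Get-EventDataValue $e 'Message1') }
        865 { 'Ingestion of ' + (Get-EventDataValue $e 'Message4') + ' -> ' + (Get-EventDataValue $e 'HexInt1') }
        404 { 'CSP ' + (Get-EventDataValue $e 'Message5') + ' -> ' + (Get-EventDataValue $e 'HexInt1') }
    }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Detail = $detail }
}

if ($report) {
    "ADMX ingestion problems since $Since :"
    $report | Sort-Object Time | Format-Table -AutoSize
} else {
    "No ADMX ingestion errors (850/865/404) found since $Since."
}

# Second check: did any winget policy actually land? The ADMX ingestion route never writes
# this key (it is blocked, see event 850); the Policy CSP / settings catalog route should.
if (Test-Path $PolicyKey) {
    "Winget policy values present under $PolicyKey :"
    (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
} else {
    "No winget policy key at $PolicyKey : no policy has been applied to this device."
}
```

A device that shows event 850 naming the AppInstaller key and no values under the policy key is exactly the state the issue describes; after switching to the Policy CSP route, the second check should list the configured values.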