microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

ADMX configuration does not work through Microsoft Endpoint #1892

Open Exordian opened 2 years ago

Exordian commented 2 years ago

Description of the new feature / enhancement

ADMX ingestion [1] of the provided ADMX file fails due to constraints of Endpoint ADMX ingestion [2].

Registry keys within Software\Policies\Microsoft\Windows\AppInstaller are not writable. Therefore, the ADMX ingestion does not work.

As we're going AADJ only and the MS Store does not really work with business accounts and is still enabled by default, we need to implement a cumbersome workaround.

[1] https://docs.microsoft.com/en-us/archive/blogs/ukplatforms/google-chrome-gpo-via-intune
[2] https://docs.microsoft.com/en-us/windows/client-management/mdm/win32-and-centennial-app-policy-configuration

Proposed technical implementation details

Direct Endpoint integration would be the best option, I guess. Adding a new exception for a writable registry key location to ADMX ingestion would be the second-best option, but it still requires the involvement of Microsoft outside the winget team.

Watching a second registry key location would be another (quite unclean) option.

Eventlog

Eventlog Errors

```
Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date:          01/02/2022 14:01:33
Event ID:      404
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (2FD40D97-DEA2-463C-918D-EE910BADD8E3), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Microsoft/Policy/DesktopAppInstaller), Result: (Access is denied.).
Event Xml: 404 0 2 0 0 0x8000000000000000 4510 Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin CLFPF21B7DS 2FD40D97-DEA2-463C-918D-EE910BADD8E3 MDMDeviceWithAAD Policy 1 ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Microsoft/Policy/DesktopAppInstaller 0x80070005

Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date:          01/02/2022 14:01:33
Event ID:      865
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      CLFPF21B7DS
Description:
MDM PolicyManager: ADMX Ingestion: EnrollmentId (2FD40D97-DEA2-463C-918D-EE910BADD8E3), app name (Microsoft), setting type (Policy), unique Id (DesktopAppInstaller). Result:(0x80070005) Access is denied..
Event Xml: 865 0 2 0 0 0x8000000000000000 4509 Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin CLFPF21B7DS 2FD40D97-DEA2-463C-918D-EE910BADD8E3 Microsoft Policy DesktopAppInstaller 0x80070005 0x80070005

Log Name:      Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source:        Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date:          01/02/2022 14:01:33
Event ID:      850
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:      CLFPF21B7DS
Description:
MDM PolicyManager ADMX Ingestion: Blocked registry key: (Software\Policies\Microsoft\Windows\AppInstaller) in (policy) tag.
Event Xml: 850 0 2 0 0 0x8000000000000000 4508 Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin CLFPF21B7DS Software\Policies\Microsoft\Windows\AppInstaller policy
```
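The failure in the post above leaves two observable traces on the client: error events in the MDM diagnostics log (IDs 404, 865 and 850, the last one naming the blocked key) and an absent or empty policy key under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller. The following PowerShell is an added diagnostic written for this page; it is not part of the winget-cli project and not code from the issue author. It pulls those events, extracts the blocked key, CSP URI and result code from the rendered message text with regular expressions (the message wording is assumed to match the events quoted above), and then reads whatever the policy key currently contains so you can tell whether ADMX ingestion ever wrote anything. Run it in an elevated session on an enrolled device.

```powershell
# Added example, not part of winget-cli. Diagnoses the ADMX-ingestion failure
# described in issue #1892: blocked policy key + "Access is denied" events.
# Assumptions: log name and Event IDs (404, 850, 865) are taken from the events
# quoted in the issue; the regexes below match the message text of those events.

$LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

function Get-AdmxIngestionFailures {
    param([int]$MaxEvents = 200)

    # 404 = CSP command failure, 865 = ADMX ingestion result, 850 = blocked registry key.
    # Level 2 restricts the query to Error events.
    $filter = @{ LogName = $LogName; Id = 404, 850, 865; Level = 2 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $msg = $e.Message
        $blocked = $null; $uri = $null; $result = $null
        if ($msg -match 'Blocked registry key: \(([^)]+)\)') { $blocked = $Matches[1] }
        if ($msg -match 'CSP URI: \(([^)]+)\)')              { $uri     = $Matches[1] }
        if ($msg -match 'Result:\s*\(([^)]+)\)')             { $result  = $Matches[1] }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            BlockedKey = $blocked
            CspUri     = $uri
            Result     = $result
        }
    }
}

function Get-WingetPolicyState {
    # Reports whether the GPO/ADMX-backed policy key exists and what it holds.
    # An absent key after an ingestion attempt is consistent with the 850 event.
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ KeyPresent = $false; Values = @() }
    }
    $item = Get-Item -Path $PolicyKey
    $values = foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Name  = $name
            Value = $item.GetValue($name)
            Kind  = $item.GetValueKind($name)
        }
    }
    [pscustomobject]@{ KeyPresent = $true; Values = @($values) }
}

# --- Usage -------------------------------------------------------------------
$failures = @(Get-AdmxIngestionFailures)
$state    = Get-WingetPolicyState

Write-Host "ADMX ingestion error events found: $($failures.Count)"
$failures | Sort-Object Time -Descending | Format-Table Time, Id, BlockedKey, CspUri, Result -AutoSize

Write-Host "Policy key present: $($state.KeyPresent)  ($PolicyKey)"
$state.Values | Format-Table Name, Value, Kind -AutoSize

# Verdict: if the blocklist event is present and the key is empty/absent, the ADMX
# route cannot deliver the policy; deliver it through the DesktopAppInstaller area
# of the Policy CSP (linked later in this thread) or the settings catalog instead.
$blockedHere = $failures | Where-Object { $_.Id -eq 850 -and $_.BlockedKey -like '*AppInstaller*' }
if ($blockedHere -and -not ($state.KeyPresent -and $state.Values.Count -gt 0)) {
    Write-Warning "ADMX ingestion for winget is blocked on this device; use the Policy CSP / settings catalog route."
}
```

The script reads only; it does not try to write the policy key itself, because an Intune-delivered policy that silently bypasses the ingestion blocklist by writing HKLM directly would give you a value the MDM stack does not manage or report on.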
stephannn commented 7 months ago

The only current way seems to be OMA-URI: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller

Karl-WE commented 2 months ago

Good news. Winget ADMX-backed policies made it into the Intune settings catalog. I can confirm that using OMA-URI or a manual upload of the winget ADMX might fail. This issue is also covered here: https://andrewstaylor.com/2022/10/26/managing-winget-using-intune-and-admx-import/