APPX/MSIX App Deployment Issues After Windows Update KB5020030

Publish Date: 16-Sep-2024 Last Modified Date: 27-Aug-2025 SOTI MobiControl

Summary

MSIX/APPX installation was getting blocked as the client machine was not able to access the download location for the given packages.

Related SOTI ONE Platform Products

SOTI MobiControl

Related Device OS

Windows Modern

Issue Description

Starting from a certain Windows version, MSIX/APPX installation was blocked as the client machine could not access the download location for the given packages. 
For Windows 10, versions greater than or equal to 10.0.19045.2604, and Windows 11, versions less than or equal to 10.0.22000.434, the following error was received: 0x80190193.

For Windows 11, versions greater than 10.0.22000.434, the following error was received: 0x80072F0C.

Environment

SOTI MobiControl 2024.0.0, 2024.1.0 and 2025.0.0

Symptoms

The application fails to install on the device with the following error:

Modern Application Management: "error 0x80190193: Opening the package from location ********-9ef4-11a5bf257a75?appKind=ModernEnterprise failed."

Windows Modern error

Cause

The root cause of the inaccessibility is that the machine certificate was absent from the client’s request, causing our server to block it.

As part of Windows update KB5020030, a change was introduced to address an issue where the MDM headers were being sent too frequently for requests that didn’t require them. The MDM headers are now only sent if the APPX or MSIX URI matches the pattern from the regex. This confirmed that the change occurred in Windows, starting with the November 15, 2022, preview release (KB5020030) and continuing in subsequent updates.

Issue Resolution

Workaround provided by Microsoft:

  • The MdmHosts value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx sets a regex that the Appx HTTP handler uses to determine whether it needs to send the MDM headers. Prior to this change, the headers were being sent too frequently for requests that didn’t require them. This was an oversharing concern and was blocking the rollout of certain updates that used HTTP requests. The MDM headers are now only sent if the APPX or MSIX URI matches the pattern from the regex.
  • Default value of MdmHosts:
    ^(?:[^\/]*)\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)$
  • As a workaround, Microsoft has asked that the domain (download location) be added to this registry value. In our case, this is our DMA Address. The updated value would look something like this:
    ^(?:[^\/]*)((\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)$)|(INLXYZ\.TEST\.SOTI\.NET)$)
    *Here the DMA address was INLXYZ.TEST.SOTI.NET. The DMA address must be in CAPS.
  • If you have a multi-DS setup, you may need to add multiple domains as follows:
    ^(?:[^\/]*)((\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)$)|(INLXYZ\.TEST1\.SOTI\.NET)|(INLXYZ\.TEST2\.SOTI\.NET)$)
    *Here the DMA addresses are INLXYZ.TEST1.SOTI.NET and INLXYZ.TEST2.SOTI.NET. The DMA addresses must be in CAPS.

Solution provided by SOTI:

  • The following custom script can be used to add the addresses. You can run it either via SOTI MobiControl's send script feature or in PowerShell on the client machine.
  • Note: The following script is based on the default value of the MdmHosts registry value (^(?:[^\/]*)\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)$). Any different registry entry would be replaced by this script.

# Define additional addresses (modify this list).
# Note: All the letters of the additional addresses should be in caps.
$additionalAddresses = @("INLXYZ.TEST1.SOTI.NET", "INLXYZ.TEST2.SOTI.NET")

# Escape special characters in addresses for use in regex
$escapedAddresses = $additionalAddresses | ForEach-Object { $_.Replace('.', '\.') }  # Escape periods only

# Build the alternation (pipe-separated) for additional addresses, each in brackets
$addressAlternation = ($escapedAddresses | ForEach-Object { "($_)" }) -join '|'

# Updated regex with capturing group and bracketed addresses
# (`$ keeps each end-of-string anchor as a literal $ inside the double-quoted string)
$updatedRegex = "^(?:[^\/]*)((\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)`$)|$addressAlternation`$)"

# Set the registry key (modify the path and value name if needed)
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx"
$valueName = "MdmHosts"

# Check if the registry key exists
if (Test-Path -Path $registryPath) {
  # Set the value with the updated regex
  Set-ItemProperty -Path $registryPath -Name $valueName -Value $updatedRegex -Type String
  Write-Host "Successfully updated registry key: $($registryPath) with value: $updatedRegex"
} else {
  Write-Warning "Registry key not found: $registryPath"
}
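
The multi-DS pattern above ends with a single $, which binds only to the last alternative, so a candidate MdmHosts value is worth checking against host names that should and should not receive the MDM headers before it is written to the registry. The following is an added example, not SOTI's or Microsoft's code. It assumes the handler applies the pattern to the upper-cased host name with .NET search semantics; the function name Test-MdmHostsPattern, the stricter pattern and the sample host names are constructed for illustration.

```powershell
# Added example (not SOTI's or Microsoft's code).
# Assumption: MdmHosts is applied to the upper-cased host name with search
# semantics, which is how [regex]::IsMatch behaves.
function Test-MdmHostsPattern {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $MustMatch,
        [Parameter(Mandatory)] [string[]] $MustNotMatch
    )
    $rx  = [regex]::new($Pattern)            # throws if the pattern is malformed
    $all = @($MustMatch) + @($MustNotMatch)
    foreach ($name in $all) {
        $expected = $MustMatch -contains $name
        $actual   = $rx.IsMatch($name.ToUpperInvariant())
        [pscustomobject]@{
            HostName = $name
            Expected = $expected
            Actual   = $actual
            Ok       = ($expected -eq $actual)
        }
    }
}

# Multi-DS pattern exactly as given on this page
$pagePattern = '^(?:[^\/]*)((\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)$)|(INLXYZ\.TEST1\.SOTI\.NET)|(INLXYZ\.TEST2\.SOTI\.NET)$)'
# Constructed variant: every added host carries its own end-of-string anchor
$anchoredPattern = '^(?:[^\/]*)((\.MANAGE[^\.]*\.(MICROSOFT\.(COM|US)|MICROSOFTONLINE\.CN)$)|(INLXYZ\.TEST1\.SOTI\.NET$)|(INLXYZ\.TEST2\.SOTI\.NET$))'

# Constructed sample hosts: the page's two DMA addresses plus made-up names
$mustMatch    = 'INLXYZ.TEST1.SOTI.NET', 'INLXYZ.TEST2.SOTI.NET', 'TENANT.MANAGE.MICROSOFT.COM'
$mustNotMatch = 'INLXYZ.TEST1.SOTI.NET.EXAMPLE.INVALID',
                'INLXYZ.TEST2.SOTI.NET.EXAMPLE.INVALID',
                'DOWNLOAD.EXAMPLE.INVALID'

$candidates = [ordered]@{
    'Page multi-DS pattern'             = $pagePattern
    'Per-host anchored (constructed)'   = $anchoredPattern
}
foreach ($entry in $candidates.GetEnumerator()) {
    Write-Host "== $($entry.Key)"
    Test-MdmHostsPattern -Pattern $entry.Value -MustMatch $mustMatch -MustNotMatch $mustNotMatch |
        Format-Table -AutoSize | Out-String | Write-Host
}
```

Any row with Ok = False marks a host where the pattern and the intent disagree. Under the stated assumption, the page's multi-DS pattern produces one such row, for INLXYZ.TEST1.SOTI.NET.EXAMPLE.INVALID, and the constructed variant produces none.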
