Windows IT Pro Blog

Manage Windows Package Manager with Group Policy

Demitrius_Nelon
May 11, 2021

As we prepare to ship version 1.0 of Windows Package Manager, we wanted to provide guidance on how to manage Windows Package Manager using Group Policy.

We first announced the existence of Windows Package Manager at Microsoft Build in 2020. Designed to save you time and frustration, Windows Package Manager is a set of software tools that help automate the process of getting packages (applications) on Windows devices. Users can specify which apps they want installed and the Windows Package Manager does the work of finding the latest version (or the exact version specified) of that application and installing it on the user's Windows 10 device.

Announcing Group Policy for Windows Package Manager

When we released the Windows Package Manager v0.3.1102 preview, we provided an initial set of “Desktop App Installer Policies” Group Policy Administrative Template files (ADMX/ADML), making it easy for you to review and configure Group Policy Objects targeting your domain-joined devices. To download these ADMX files today, visit the Microsoft Download Center.

Not only do these new policies let you enable or disable Windows Package Manager, they also let you control certain commands and arguments and configure the sources to which your devices connect.

The new Desktop App Installer policies are accessible via the Local Group Policy Editor in Windows 10 as shown here:

Group Policy settings

Any policies that have been enabled or configured will be shown when a user executes winget --info. The goal is to assist users in troubleshooting unexpected behaviors they may encounter in the Windows Package Manager because of any policies that are enabled or configured. For example, a user may attempt to modify a setting controlled by policy and not be able to understand why the device does not appear to honor their setting.

Before we proceed further, let's clarify two basic terms used with respect to Windows Package Manager:

  • A package represents an app, application, or program.
  • A manifest is a file (or set of data) containing metadata that describes a package, as well as the location of the installer and the installer's SHA256 hash. Windows Package Manager obtains manifests from sources such as the default source, which serves the community repository. Additional sources may be a REST API-based service provided by an enterprise or another party. It is also possible to use a manifest from a path available locally on the machine.

Enable App Installer

This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the winget command. The default help will be displayed, and users will still be able to execute winget -? to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.

If you enable or do not configure this setting, users will be able to use the Windows Package Manager.

If you disable this setting, users will not be able to use the Windows Package Manager.

Enable App Installer settings

This policy controls whether users can change their settings. The settings are stored in a .json file on the user’s system, and users may be able to edit that file directly using elevated credentials. Edits made to the file do not override any settings that have been configured by policy.

If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.

If you disable this setting, users will not be able to change settings for Windows Package Manager.

Enable App Installer Hash Override

This policy controls whether Windows Package Manager can be configured, in settings, to allow overriding SHA256 security validation. Windows Package Manager computes the SHA256 hash of the installer after it has been downloaded and compares it with the hash provided in the manifest; the installer is only run if the two match.

If you enable or do not configure this setting, users will be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.

If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
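The check that the manifest and the Hash Override policy are about, as an added example in Python. This is illustrative code written for this page, not Windows Package Manager's own implementation: the manifest text and installer bytes are constructed, the field reader is a deliberately small line-based reader for InstallerUrl and InstallerSha256 (not a full YAML parser), and the hash_override flag is an assumed parameter that models what the override setting permits.

```python
"""Added example: verify a downloaded installer against the SHA256 in its manifest."""
import hashlib
import hmac
import re

# Constructed sample manifest (singleton manifest layout; values are invented).
SAMPLE_MANIFEST = """\
PackageIdentifier: Contoso.ExampleTool
PackageVersion: 1.0.0
Installers:
  - Architecture: x64
    InstallerType: msi
    InstallerUrl: https://downloads.example.invalid/ExampleTool-1.0.0.msi
    InstallerSha256: {sha}
ManifestType: singleton
ManifestVersion: 1.0.0
"""

# Constructed "downloaded installer" bytes; a real one would be an MSI or EXE.
SAMPLE_INSTALLER = b"MZ" + b"example installer payload" * 64
TAMPERED_INSTALLER = SAMPLE_INSTALLER + b"\x00extra"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of the given bytes (what the manifest field is compared against)."""
    return hashlib.sha256(data).hexdigest()


def read_installer_fields(manifest_text: str) -> dict:
    """Pull InstallerUrl and InstallerSha256 out of a manifest.

    Simplified: a regex per field rather than a YAML parser, enough for the
    single-installer manifest constructed above.
    """
    fields = {}
    for key in ("InstallerUrl", "InstallerSha256"):
        m = re.search(rf"^\s*{key}:\s*(\S+)\s*$", manifest_text, re.MULTILINE)
        if not m:
            raise ValueError(f"manifest is missing {key}")
        fields[key] = m.group(1)
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", fields["InstallerSha256"]):
        raise ValueError("InstallerSha256 is not a 64-hex-digit SHA256")
    return fields


def verify_installer(installer: bytes, manifest_text: str, hash_override: bool = False) -> dict:
    """Compare the downloaded bytes with the manifest hash and decide what to do.

    Returns a dict rather than raising so a caller can log the decision together
    with both hashes, which is what you want when troubleshooting a blocked install.
    hash_override is an assumed flag modelling the override setting; default off.
    """
    expected = read_installer_fields(manifest_text)["InstallerSha256"].lower()
    actual = sha256_hex(installer)
    matches = hmac.compare_digest(expected, actual)  # constant-time comparison
    if matches:
        decision = "install"
    elif hash_override:
        decision = "install (hash mismatch overridden)"
    else:
        decision = "block"
    return {"expected": expected, "actual": actual, "matches": matches, "decision": decision}


def sample_manifest() -> str:
    """Manifest whose hash field matches SAMPLE_INSTALLER (hashes are upper-case in winget manifests)."""
    return SAMPLE_MANIFEST.format(sha=sha256_hex(SAMPLE_INSTALLER).upper())


if __name__ == "__main__":
    manifest = sample_manifest()
    for label, data, override in (
        ("genuine", SAMPLE_INSTALLER, False),
        ("tampered", TAMPERED_INSTALLER, False),
        ("tampered + override", TAMPERED_INSTALLER, True),
    ):
        print(f"{label}: {verify_installer(data, manifest, override)['decision']}")
```

The third case is the one the policy exists for: with the override left enabled, a byte-for-byte mismatch between manifest and download still results in an install, so disabling the policy removes that option from the user's settings entirely.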

Enable App Installer Experimental Features

This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.

If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.

If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.

Enable App Installer Local Manifest Files

This policy controls whether users can install packages with local manifest files. If a user has a manifest available via their local file system rather than a Windows Package Manager source, they may install packages using winget install -m <path to manifest>.

If you enable or do not configure this setting, users will be able to install packages with local manifests using Windows Package Manager.

If you disable this setting, users will not be able to install packages with local manifests using Windows Package Manager.

Set App Installer Source Auto Update Interval in Minutes

This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.

If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.

If you enable this setting, the number of minutes specified will be used by Windows Package Manager.

Enable App Installer Default Source

This policy controls the default source included with Windows Package Manager. The default source for Windows Package Manager is an open-source repository of packages located at https://github.com/microsoft/winget-pkgs.

If you enable or do not configure this setting, the default source for Windows Package Manager will be available and can be removed.

If you disable this setting, the default source for Windows Package Manager will not be available.

Enable App Installer Microsoft Store Source

This policy controls the Microsoft Store as a source included with Windows Package Manager.

If you enable or do not configure this setting, the Microsoft Store source for Windows Package Manager will be available and can be removed.

If you disable this setting, the Microsoft Store source for Windows Package Manager will not be available.

Enable App Installer Additional Sources

This policy controls additional sources configured for Windows Package Manager.

If you do not configure this setting, no additional sources will be configured for Windows Package Manager.

If you enable this setting, additional sources will be added to Windows Package Manager and cannot be removed. The representation for each additional source can be obtained from installed sources using winget source export.

If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.

Enable Windows Package Manager Allowed Sources

This policy controls additional sources approved for users to configure using Windows Package Manager.

If you do not configure this setting, users will be able to add or remove additional sources other than those configured by policy.

If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.

If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
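A checker for the source entries that the Additional Sources and Allowed Sources policies take, as an added Python example written for this page (not part of Windows Package Manager). Both policies want the representation printed by winget source export for each source; this script validates candidate entries against that expectation. The entry shape assumed here (one JSON object per source with Name, Arg and Type, plus optional Data and Identifier) reflects what winget source export printed at the time of writing, but treat the exact field list as an assumption; the sample entries are constructed, and "Microsoft.Rest" is the type shown for a REST source elsewhere on this page.

```python
"""Added example: lint source entries before pasting them into the winget source policies."""
import json
from urllib.parse import urlparse

# Fields an exported source carries (assumed shape of `winget source export` output).
REQUIRED_FIELDS = ("Name", "Arg", "Type")
# Source types this checker recognises: the default community source type and REST sources.
KNOWN_TYPES = {"Microsoft.PreIndexed.Package", "Microsoft.Rest"}

# Constructed candidate entries. The first two are full exported representations,
# the third is a bare URL (the usual mistake), the fourth is well-formed but
# points at a plain-http endpoint.
CANDIDATE_ENTRIES = [
    '{"Arg":"https://index.example.invalid/cache","Data":"Example.Source_0000000000000",'
    '"Identifier":"Example.Source_0000000000000","Name":"community","Type":"Microsoft.PreIndexed.Package"}',
    '{"Arg":"https://winget.example.invalid/api","Data":"","Identifier":"","Name":"corp","Type":"Microsoft.Rest"}',
    'https://winget.example.invalid/api',
    '{"Arg":"http://winget.example.invalid/api","Data":"","Identifier":"","Name":"corp-http","Type":"Microsoft.Rest"}',
]


def check_policy_entry(entry: str) -> list:
    """Return the problems found in one policy entry; an empty list means it looks usable."""
    try:
        obj = json.loads(entry)
    except json.JSONDecodeError:
        return ["not a JSON object; paste the full line printed by 'winget source export', not only the URL"]
    if not isinstance(obj, dict):
        return ["JSON value is not an object"]
    problems = []
    for field in REQUIRED_FIELDS:
        if not obj.get(field):
            problems.append(f"missing or empty field {field}")
    arg = obj.get("Arg", "")
    if urlparse(arg).scheme != "https":
        problems.append(f"Arg should be an https:// URL, got {arg!r}")
    if obj.get("Type") not in KNOWN_TYPES:
        problems.append(f"unrecognised source Type {obj.get('Type')!r}")
    return problems


def entry_key(entry: str) -> str:
    """Label an entry by its Name when it parses, otherwise by the raw text."""
    try:
        obj = json.loads(entry)
    except json.JSONDecodeError:
        return entry
    if isinstance(obj, dict) and obj.get("Name"):
        return obj["Name"]
    return entry


def check_policy_entries(entries: list) -> dict:
    """Map each entry (by Name or raw text) to its list of problems."""
    return {entry_key(entry): check_policy_entry(entry) for entry in entries}


if __name__ == "__main__":
    for key, problems in check_policy_entries(CANDIDATE_ENTRIES).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{key}: {status}")
```

Run it over the lines you copied from winget source export before putting them into the policy; an entry that fails the first check is the bare-URL case, which the policy will not accept as a source.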

When will Windows Package Manager be available?

Version 1.0 of Windows Package Manager will soon ship as an automatic update via the Microsoft Store for all devices running Windows 10, version 1809 and later, and we look forward to hearing your feedback. For more information on Windows Package Manager, please see the following resources:


  • BankIT (Copper Contributor)

    Can this be implemented as a User policy instead of a Machine policy? It seems more likely that you would want an Administrator or Desktop Support to be able to access winget and the repositories but deny it for standard users.

  • Hi JohnJohnJohn87, Group Policy and also Intune settings allow blocking winget sources, including msstore, for users. Does this help you with your concerns?

  • JohnJohnJohn87 (Copper Contributor)

    I may be missing something, as we're fairly new to restricting the app store. To me, there seems to be a management gap with these GPOs. Our scenario is that we block the Microsoft Store and deploy apps via Intune and the Company Portal after internal vetting. WinGet seems to allow users to skirt this and install additional software from the Microsoft Store anyways (like Netflix, etc). Is there guidance on this kind of enterprise scenario we've missed? When I tested disabling the Desktop Installer it also broke our Intune deployments.

  • About defining sources

    As I thought the instructions in the ADMX description on the syntax for defining allowed or additional sources weren't clear enough, let me give an example of how to do this:

    1a. Deploy ADMX on-premises

    There is a zip file with each Winget release, which contains the files required for the central policy store (on-premises and Intune import), e.g. https://github.com/microsoft/winget-cli/releases/tag/v1.7.10861

    Copy the ADMX file to the local GPO central store \\domainname.local\sysvol\domainname\Policies\PolicyDefinitions

    1b. Deploy ADMX in Intune

    Here is a description of how to import the ADMX:
    https://github.com/microsoft/winget-cli/issues/1892

    Which ultimately leads us to the point that the ADMX file cannot be used in Intune for "reasons".

    2. Add an additional (private) repository

    On your Windows 10 / 11 client or Windows Server 2022 (unsupported) / Windows Server 2025 (supported), add a new (private) repository using winget. Here I am taking the example given by winget.pro, which offers a paid solution for a cloud-based private winget repository.

    winget source add -n api.winget.pro -a https://api.winget.pro/yourrepositoryID -t "Microsoft.Rest"

    3. Export the sources as indicated in the ADMX help

    winget source export

    4. Edit the ADMX-based policy for the repository

    Copy each repository and include these as a whole into your local or Intune-based Winget policy. Execute "winget source export" to obtain the syntax that is required for sources. It is NOT https:// only but the full syntax provided by winget source export.

    (screenshot: wrong)

    (screenshot: right)

    5. Outcome of an applied GPO

    PS C:\Windows\system32> winget source list
    Name           Argument
    --------------------------------------------------------------------------
    api.winget.pro https://api.winget.pro/yourrepositoryID
    msstore        https://storeedgefd.dsx.mp.microsoft.com/v9.0
    winget         https://cdn.winget.microsoft.com/cache
  • Rinus Werkhoven (Copper Contributor)

    Indeed, how about Intune? And can it install applications in system context, where local admin is required?

  • LaredoDave (Copper Contributor)

    Does this only work for local group policies, or does the domain controller for Domain GPOs need to have the App Installer installed... or some other third thing?

    Thank you for your time!


    Dave