Desktop App installer a.k.a. Windows Package Manager and Winget is a powerful addition to the Windows platform. It is also something that we all need to learn and configure according to our organization’s requirements, compliance requirements and security. The “New” Store support in Intune makes this a bit trickier as well as we must allow the users to install apps from the MS Store and/or the Winget repository to get that integration to work.
I realized I was thinking of the “new” store support in Intune the wrong way, I was seeing it as a replacement for the Business Store, but it is not. The business store will reach end of life in Q1 2023, which is soon when writing this. And the “new” store feature is not a replacement it is a refreshed store app support in the console just like “Legacy” store apps and we should not compare it to the Business Store.
Last week I was tasked with configuring the Desktop App Installer as not all organization’s want their end user to install applications from the Winget repository as it is not controlled the same was as the MS Store repository. Well, in fairness organizations with high security requirements don’t want to let users install from the MS Store either. But with the Business Store retiring we have no choice of we want to deploy MS Whiteboard for example.
All organization’s need to decide on how Desktop App Installer (Winget) should be used. It is enabled by default so without any configuration a user can install apps from the MS Store repository and the Winget repository.
Configuration
For Group Policy there are .admx and .adml files that can be downloaded, imported into the central Policy Definitions folder and configured.
For Intune managed devices there is a DesktopAppInstaller CSP – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller which works great for Windows 11 22H2 as the .admx/.adml file are there by default. According to Microsoft Learn it should work for Windows 10 as well but that is not what I am seeing.
Update: Microsoft Leearn is now updated with the information that is only supports Windows 11 22H2.
Older versions of Windows 11 and Windows 10 does not have them and as the DesktopAppInstaller CSP is a ADMX backed CSP it will fail on older versions than Windows 11 22H2.
What about ingesting the .admx file then? Well, the registry keys/values created is located under Software\Microsoft\Windows\Appinstaller and that is a protected/blocked registry key. Ingestion will fail both with the Custom .ADMX feature and Ingestion using a custom policy (CSP) with access denied as shown below.
More information on the blocking of ingesting .admx files in the \Software\Policies\Microsoft key can be found here: https://learn.microsoft.com/en-us/windows/client-management/win32-and-centennial-app-policy-configuration#overview
Desktop AppInstaller CSP settings
The settings will only allow apps from the MS Store and disable Hash Override, adding your own repository and modifying settings.
Here are my custom Configuration Policies for Desktop App installer, exported using “Intune Manager”, https://github.com/Micke-K/IntuneManagement which is simply great!
| EnableMicrosoftStoreSource | |
| Name | EnableMicrosoftStoreSource |
| Description | Enable Additional Windows Package Manager Sources |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource |
| Data type | String |
| Value | <Enabled/> |
| Enable Additional Sources | |
| Name | Enable Additional Sources |
| Description | If you don’t configure this setting, no additional sources will be configured for Windows Package Manager |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources |
| Data type | String |
| Value | <disabled/> |
| EnableDefaultSource | |
| Name | EnableDefaultSource |
| Description | This policy controls the default source included with the Windows Package Manager |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource |
| Data type | String |
| Value | <disabled/> |
| EnableLocalManifestFiles | |
| Name | EnableLocalManifestFiles |
| Description | If you enable or don’t configure this setting, users will be able to install packages with local manifests using the Windows Package Manager |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles |
| Data type | String |
| Value | <disabled/> |
| EnableHashOverride | |
| Name | EnableHashOverride |
| Description | This policy controls whether Windows Package Manager can be configured to enable the ability to override SHA256 security validation in settings. |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride |
| Data type | String |
| Value | <disabled/> |
| EnableAppInstaller | |
| Name | EnableAppInstaller |
| Description | This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the winget command |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller |
| Data type | String |
| Value | <enabled/> |
| EnableMSAppInstallerProtocol | |
| Name | EnableMSAppInstallerProtocol |
| Description | This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol |
| Data type | String |
| Value | <disabled/> |
| EnableSettings | |
| Name | EnableSettings |
| Description | This policy controls whether the Windows Package Manager can be used by users |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings |
| Data type | String |
| Value | <disabled/> |
| EnableAllowedSources | |
| Name | EnableAllowedSources |
| Description | his policy controls additional sources approved for users to configure using Windows Package Manager |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources |
| Data type | String |
| Value | <disabled/> |
| EnableExperimentalFeatures | |
| Name | EnableExperimentalFeatures |
| Description | This policy controls whether users can enable experimental features in Windows Package Manager |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures |
| Data type | String |
| Value | <disabled/> |
PowerShell script for the rest
As I couldn’t use the Desktop App Installer CSP for Windows 10 and Windows 11 22H2, I reverted to using a PowerShell script so I can get the job done!
# Registry key to create for the Desktop App Installer Policies
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller"
# Check if the Appinstaller registry key already exists
if (!(Test-Path $RegistryPath)) {
New-Item -Path $RegistryPath -Force
}
# Create the Desktop App Installer registry values
New-ItemProperty -Path $RegistryPath -Name "EnableAdditionalSources" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableAllowedSources" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableAppInstaller" -Value "1" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableDefaultSource" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableExperimentalFeatures" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableHashOverride" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableLocalManifestFiles" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableMicrosoftStoreSource" -Value "1" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableMSAppInstallerProtocol" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableSettings" -Value "0" -PropertyType dword -Force