CCMEXEC.COM – Enterprise Mobility

Configuring Desktop App Installer using CSP and script?!

Posted on January 17, 2023 / January 31, 2023 by Jörgen Nilsson

Desktop App Installer, a.k.a. Windows Package Manager or Winget, is a powerful addition to the Windows platform. It is also something that we all need to learn and configure according to our organization’s requirements, compliance requirements and security. The “New” Store support in Intune makes this a bit trickier as well, as we must allow the users to install apps from the MS Store and/or the Winget repository to get that integration to work.
I realized I was thinking of the “new” store support in Intune the wrong way: I was seeing it as a replacement for the Business Store, but it is not. The Business Store will reach end of life in Q1 2023, which is soon at the time of writing. And the “new” store feature is not a replacement; it is refreshed store app support in the console, just like “Legacy” store apps, and we should not compare it to the Business Store.

Last week I was tasked with configuring the Desktop App Installer, as not all organizations want their end users to install applications from the Winget repository, as it is not controlled the same way as the MS Store repository. Well, in fairness, organizations with high security requirements don’t want to let users install from the MS Store either. But with the Business Store retiring we have no choice if we want to deploy MS Whiteboard, for example.

All organizations need to decide how Desktop App Installer (Winget) should be used. It is enabled by default, so without any configuration a user can install apps from the MS Store repository and the Winget repository.

Configuration

For Group Policy there are .admx and .adml files that can be downloaded, imported into the central Policy Definitions folder and configured.

For Intune-managed devices there is a DesktopAppInstaller CSP – https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller which works great for Windows 11 22H2 as the .admx/.adml files are there by default. According to Microsoft Learn it should work for Windows 10 as well, but that is not what I am seeing.
Update: Microsoft Learn is now updated with the information that it only supports Windows 11 22H2.
Older versions of Windows 11 and Windows 10 do not have them, and as the DesktopAppInstaller CSP is an ADMX-backed CSP it will fail on versions older than Windows 11 22H2.

What about ingesting the .admx file then? Well, the registry keys/values created are located under Software\Microsoft\Windows\Appinstaller, and that is a protected/blocked registry key. Ingestion will fail with access denied, both with the Custom .ADMX feature and with ingestion using a custom policy (CSP), as shown below.

More information on the blocking of ingesting .admx files in the \Software\Policies\Microsoft key can be found here: https://learn.microsoft.com/en-us/windows/client-management/win32-and-centennial-app-policy-configuration#overview  

Desktop AppInstaller CSP settings

These settings allow apps only from the MS Store, and they disable hash override, adding your own repository and modifying settings.



Here are my custom Configuration Policies for Desktop App Installer, exported using “Intune Manager” (https://github.com/Micke-K/IntuneManagement), which is simply great!

EnableMicrosoftStoreSource
  Name: EnableMicrosoftStoreSource
  Description: Enable Additional Windows Package Manager Sources
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource
  Data type: String
  Value: <Enabled/>

Enable Additional Sources
  Name: Enable Additional Sources
  Description: If you don’t configure this setting, no additional sources will be configured for Windows Package Manager
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources
  Data type: String
  Value: <disabled/>

EnableDefaultSource
  Name: EnableDefaultSource
  Description: This policy controls the default source included with the Windows Package Manager
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource
  Data type: String
  Value: <disabled/>

EnableLocalManifestFiles
  Name: EnableLocalManifestFiles
  Description: If you enable or don’t configure this setting, users will be able to install packages with local manifests using the Windows Package Manager
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles
  Data type: String
  Value: <disabled/>

EnableHashOverride
  Name: EnableHashOverride
  Description: This policy controls whether Windows Package Manager can be configured to enable the ability to override SHA256 security validation in settings.
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride
  Data type: String
  Value: <disabled/>

EnableAppInstaller
  Name: EnableAppInstaller
  Description: This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the winget command
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller
  Data type: String
  Value: <enabled/>

EnableMSAppInstallerProtocol
  Name: EnableMSAppInstallerProtocol
  Description: This policy controls whether users can install packages from a website that is using the ms-appinstaller protocol
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol
  Data type: String
  Value: <disabled/>

EnableSettings
  Name: EnableSettings
  Description: This policy controls whether the Windows Package Manager can be used by users
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings
  Data type: String
  Value: <disabled/>

EnableAllowedSources
  Name: EnableAllowedSources
  Description: This policy controls additional sources approved for users to configure using Windows Package Manager
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources
  Data type: String
  Value: <disabled/>

EnableExperimentalFeatures
  Name: EnableExperimentalFeatures
  Description: This policy controls whether users can enable experimental features in Windows Package Manager
  OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures
  Data type: String
  Value: <disabled/>

PowerShell script for the rest

As I couldn’t use the Desktop App Installer CSP for Windows 10 and Windows 11 22H2, I reverted to using a PowerShell script so I can get the job done!

# Registry key to create for the Desktop App Installer Policies
$RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller"

# Check if the Appinstaller registry key already exists
if (!(Test-Path $RegistryPath)) {
    New-Item -Path $RegistryPath -Force
}

# Create the Desktop App Installer registry values
New-ItemProperty -Path $RegistryPath -Name "EnableAdditionalSources" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableAllowedSources" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableAppInstaller" -Value "1" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableDefaultSource" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableExperimentalFeatures" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableHashOverride" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableLocalManifestFiles" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableMicrosoftStoreSource" -Value "1" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableMSAppInstallerProtocol" -Value "0" -PropertyType dword -Force
New-ItemProperty -Path $RegistryPath -Name "EnableSettings" -Value "0" -PropertyType dword -Force
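
To confirm on a device that the values were written and have not drifted, the following added example (not part of the original post) reads the same registry key and compares each value with the baseline from the script. The function name Test-AppInstallerPolicy and the exit-code convention (1 = drift, 0 = compliant, so it can be used as a detection script) are assumptions of this example.

```powershell
# Added example: compare the AppInstaller policy values with the post's baseline.
# Exit code 1 = at least one value is missing, of the wrong type, or different.
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

# Expected DWORD values, copied from the script in the post
$Baseline = [ordered]@{
    EnableAdditionalSources      = 0
    EnableAllowedSources         = 0
    EnableAppInstaller           = 1
    EnableDefaultSource          = 0
    EnableExperimentalFeatures   = 0
    EnableHashOverride           = 0
    EnableLocalManifestFiles     = 0
    EnableMicrosoftStoreSource   = 1
    EnableMSAppInstallerProtocol = 0
    EnableSettings               = 0
}

function Test-AppInstallerPolicy {   # hypothetical helper name
    param([string]$Path, [System.Collections.IDictionary]$Expected)
    # If the key is absent, every value is reported as Missing (no policy is set)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = if ($key) { $key.GetValue($name, $null) } else { $null }
        if ($null -eq $actual) {
            $state = 'Missing'
        } elseif ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            $state = 'WrongType'   # the post's script writes DWORDs, so anything else is drift
        } elseif ($actual -ne $Expected[$name]) {
            $state = 'Mismatch'
        } else { $state = 'OK' }
        [pscustomobject]@{ Name = $name; Expected = $Expected[$name]; Actual = $actual; State = $state }
    }
}

$results = @(Test-AppInstallerPolicy -Path $RegistryPath -Expected $Baseline)
$drift   = @($results | Where-Object State -ne 'OK')
if ($drift.Count -gt 0) {
    $drift | ForEach-Object { Write-Output "$($_.Name): $($_.State) (expected $($_.Expected), found $($_.Actual))" }
    exit 1
}
Write-Output 'AppInstaller policy matches baseline'
exit 0
```
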

My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone else's use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
