Control Winget with the Desktop App Installer policy
By default every Windows 10/11 device can have the App Installer package installed and use Winget to install apps from the Winget or Microsoft Store repository. Even if the user has no admin permissions, they can still install apps in the user context by using the “winget install” command.
If you can’t use Winget, the Desktop App Installer package is missing on your device. You can create a Win32 Intune package for this that installs and configures the Desktop App Installer package and even some extra apps by using Winget. The scripts can be found on my GitHub.
You have the following options to control the use of Winget:
- Block the use of Winget: Because Winget is used by the Microsoft Store app (new) deployment type, it’s not wise to block it completely by disabling EnableMicrosoftStoreSource. If you do so, you are not able to deploy Microsoft Store apps (new) from Intune (the install stays pending)!
- Work with an allow list where you specify every app that may be installed: This option is really frustrating for your IT department, because they need to maintain an allow list for all apps and specific versions within the organization.
- Limit sources by only allowing the Microsoft Store repository: Only Microsoft Store apps can be found and installed with Winget.
Only allow the Microsoft Store app repository
To configure option 3 for Windows 11 22H2, we can make use of the DesktopAppInstaller CSP. On older versions of Windows 11 and on Windows 10 there is no option to configure this with a CSP. Therefore I created a Proactive remediation script that does exactly that by setting the registry keys below.
Desktop App Installer policy in action!
Without the policy you will see the output below in PowerShell. Here you can install Mozilla Firefox from both the Winget and the Microsoft Store repository; the Source column shows msstore and winget.
After adding the registry keys mentioned earlier, you can only find Mozilla Firefox in the Microsoft Store repository and the Source column is gone.
The app can be installed by running “winget install “Mozilla Firefox”” or “winget install 9NZVDKPMR9RD”. When the app needs administrator permissions, the user will receive a UAC consent prompt. The app can also be deployed with Microsoft Intune by adding it as a Microsoft Store app (new).
Prevent installing apps with Winget locally
With the implementation above, users are only able to install apps from the Microsoft Store by using the Winget command. To prevent installing apps directly on the device with Winget at all, we need to implement the following:
Set HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore with the values RemoveWindowsStore = 1 and RequirePrivateStoreOnly = 1. The Microsoft Store app (new) can still be installed by the IntuneManagementExtensionService.
After this, neither the admin nor the user is able to use Winget commands on the device directly, due to the policy restriction.
They are also not able to install apps by downloading them from https://apps.microsoft.com, because it redirects to the blocked Microsoft Store.
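As an added example (not the script from the author’s GitHub), here is a Proactive Remediation detection/remediation pair for the WindowsStore policy values above. It assumes it runs as SYSTEM through Intune (so HKLM is writable) and uses a `$Mode` variable to select which half of the script is uploaded as the detection or the remediation script; the same pattern fits the DesktopAppInstaller registry values the post sets.

```powershell
# Added example: Proactive Remediation for the WindowsStore policy values.
# Upload once with $Mode = 'Detect' (detection script) and once with
# $Mode = 'Remediate' (remediation script). Exit code 1 from the detection
# script tells Intune to run the remediation script.
$Mode = 'Detect'   # assumption: change to 'Remediate' for the remediation copy

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$Desired = @{
    RemoveWindowsStore      = 1   # blocks the Store app, and with it local winget use
    RequirePrivateStoreOnly = 1   # Store may only show the organisation's private store
}

function Test-StorePolicy {
    # Returns $true only when every desired value exists as the right DWORD.
    if (-not (Test-Path -Path $PolicyPath)) { return $false }
    $item = Get-ItemProperty -Path $PolicyPath
    foreach ($name in $Desired.Keys) {
        if ($null -eq $item.PSObject.Properties[$name]) { return $false }
        if ([int]$item.$name -ne $Desired[$name]) { return $false }
    }
    return $true
}

function Set-StorePolicy {
    # Creates the policy key if needed and writes each value as a DWORD.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

switch ($Mode) {
    'Detect' {
        if (Test-StorePolicy) { Write-Output 'Compliant: WindowsStore policy set'; exit 0 }
        Write-Output 'Not compliant: WindowsStore policy missing'
        exit 1
    }
    'Remediate' {
        Set-StorePolicy
        # Re-check so Intune reports a failure if the write did not stick.
        if (Test-StorePolicy) { Write-Output 'Remediated'; exit 0 }
        Write-Output 'Remediation failed'
        exit 1
    }
}
```

After remediation, `winget search firefox` on the device should fail with the policy-restriction message the post describes, which is a quick manual check that the values took effect.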