Policy CSP - DesktopAppInstaller
Tip
This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
EnableAdditionalSources
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAdditionalSources
This policy controls additional sources provided by the enterprise IT administrator.
If you don't configure this policy, no additional sources will be configured for the Windows Package Manager.
If you enable this policy, the additional sources will be added to the Windows Package Manager and can't be removed. The representation for each additional source can be obtained from installed sources using 'winget source export'.
If you disable this policy, no additional sources can be configured for the Windows Package Manager.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableAdditionalSources |
| Friendly Name | Enable App Installer Additional Sources |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableAdditionalSources |
| ADMX File Name | DesktopAppInstaller.admx |
EnableAllowedSources
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAllowedSources
This policy controls additional sources allowed by the enterprise IT administrator.
If you don't configure this policy, users will be able to add or remove additional sources other than those configured by policy.
If you enable this policy, only the sources specified can be added or removed from the Windows Package Manager. The representation for each allowed source can be obtained from installed sources using 'winget source export'.
If you disable this policy, no additional sources can be configured for the Windows Package Manager.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableAllowedSources |
| Friendly Name | Enable App Installer Allowed Sources |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableAllowedSources |
| ADMX File Name | DesktopAppInstaller.admx |
EnableAppInstaller
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableAppInstaller
This policy controls whether the Windows Package Manager can be used by users.
If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
If you disable this setting, users won't be able to use the Windows Package Manager.
Users will still be able to execute the winget command. The default help will be displayed, and users will still be able to execute winget -? to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableAppInstaller |
| Friendly Name | Enable App Installer |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableAppInstaller |
| ADMX File Name | DesktopAppInstaller.admx |
EnableBypassCertificatePinningForMicrosoftStore
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableBypassCertificatePinningForMicrosoftStore
This policy controls whether the Windows Package Manager will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source.
If you enable this policy, the Windows Package Manager will bypass the Microsoft Store certificate validation.
If you disable this policy, the Windows Package Manager will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
If you don't configure this policy, the Windows Package Manager administrator settings will be adhered to.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableBypassCertificatePinningForMicrosoftStore |
| Friendly Name | Enable App Installer Microsoft Store Source Certificate Validation Bypass |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableBypassCertificatePinningForMicrosoftStore |
| ADMX File Name | DesktopAppInstaller.admx |
EnableDefaultSource
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableDefaultSource
This policy controls the default source included with the Windows Package Manager.
If you don't configure this setting, the default source for the Windows Package Manager will be available and can be removed.
If you enable this setting, the default source for the Windows Package Manager will be available and can't be removed.
If you disable this setting the default source for the Windows Package Manager won't be available.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableDefaultSource |
| Friendly Name | Enable App Installer Default Source |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableDefaultSource |
| ADMX File Name | DesktopAppInstaller.admx |
EnableExperimentalFeatures
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableExperimentalFeatures
This policy controls whether users can enable experimental features in the Windows Package Manager.
If you enable or don't configure this setting, users will be able to enable experimental features for the Windows Package Manager.
If you disable this setting, users won't be able to enable experimental features for the Windows Package Manager.
Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableExperimentalFeatures |
| Friendly Name | Enable App Installer Experimental Features |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableExperimentalFeatures |
| ADMX File Name | DesktopAppInstaller.admx |
EnableHashOverride
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableHashOverride
This policy controls whether or not the Windows Package Manager can be configured to enable the ability override the SHA256 security validation in settings.
If you enable or don't configure this policy, users will be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.
If you disable this policy, users won't be able to enable the ability override the SHA256 security validation in the Windows Package Manager settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableHashOverride |
| Friendly Name | Enable App Installer Hash Override |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableHashOverride |
| ADMX File Name | DesktopAppInstaller.admx |
EnableLocalArchiveMalwareScanOverride
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalArchiveMalwareScanOverride
This policy controls the ability to override malware vulnerability scans when installing an archive file using a local manifest using the command line arguments.
If you enable this policy, users can override the malware scan when performing a local manifest install of an archive file.
If you disable this policy, users will be unable to override the malware scan of an archive file when installing using a local manifest.
If you don't configure this policy, the Windows Package Manager administrator settings will be adhered to.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableLocalArchiveMalwareScanOverride |
| Friendly Name | Enable App Installer Local Archive Malware Scan Override |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableLocalArchiveMalwareScanOverride |
| ADMX File Name | DesktopAppInstaller.admx |
EnableLocalManifestFiles
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableLocalManifestFiles
This policy controls whether users can install packages with local manifest files.
If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableLocalManifestFiles |
| Friendly Name | Enable App Installer Local Manifest Files |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableLocalManifestFiles |
| ADMX File Name | DesktopAppInstaller.admx |
EnableMicrosoftStoreSource
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource
This policy controls the Microsoft Store source included with the Windows Package Manager.
If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available and can't be removed.
If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableMicrosoftStoreSource |
| Friendly Name | Enable App Installer Microsoft Store Source |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableMicrosoftStoreSource |
| ADMX File Name | DesktopAppInstaller.admx |
EnableMSAppInstallerProtocol
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMSAppInstallerProtocol
This policy controls whether users can install packages from a website that's using the ms-appinstaller protocol.
If you enable this setting, users will be able to install packages from websites that use this protocol.
If you disable or don't configure this setting, users won't be able to install packages from websites that use this protocol.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableMSAppInstallerProtocol |
| Friendly Name | Enable App Installer ms-appinstaller protocol |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableMSAppInstallerProtocol |
| ADMX File Name | DesktopAppInstaller.admx |
EnableSettings
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableSettings
This policy controls whether users can change their settings.
If you enable or don't configure this setting, users will be able to change settings for the Windows Package Manager.
If you disable this setting, users won't be able to change settings for the Windows Package Manager.
The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableSettings |
| Friendly Name | Enable App Installer Settings |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableSettings |
| ADMX File Name | DesktopAppInstaller.admx |
EnableWindowsPackageManagerCommandLineInterfaces
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces
This policy determines if a user can perform an action using the Windows Package Manager through a command line interface (WinGet CLI, or WinGet PowerShell).
If you disable this policy, users won't be able execute the Windows Package Manager CLI, and PowerShell cmdlets.
If you enable, or don't configuring this policy, users will be able to execute the Windows Package Manager CLI commands, and PowerShell cmdlets. (Provided "Enable App Installer" policy isn't disabled).
This policy doesn't override the "Enable App Installer" policy.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableWindowsPackageManagerCommandLineInterfaces |
| Friendly Name | Enable Windows Package Manager command line interfaces |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerCommandLineInterfaces |
| ADMX File Name | DesktopAppInstaller.admx |
EnableWindowsPackageManagerConfiguration
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerConfiguration
This policy controls whether the Windows Package Manager configuration feature can be used by users.
If you enable or don't configure this setting, users will be able to use the Windows Package Manager configuration feature.
If you disable this setting, users won't be able to use the Windows Package Manager configuration feature.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | EnableWindowsPackageManagerConfiguration |
| Friendly Name | Enable Windows Package Manager Configuration |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| Registry Value Name | EnableWindowsPackageManagerConfiguration |
| ADMX File Name | DesktopAppInstaller.admx |
SourceAutoUpdateInterval
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 22H2 [10.0.22621] and later |
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/SourceAutoUpdateInterval
This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed.
If you disable or don't configure this setting, the default interval or the value specified in the Windows Package Manager settings will be used.
If you enable this setting, the number of minutes specified will be used by the Windows Package Manager.
The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
| Name | Value |
|---|---|
| Name | SourceAutoUpdateInterval |
| Friendly Name | Set App Installer Source Auto Update Interval In Minutes |
| Location | Computer Configuration |
| Path | Windows Components > Desktop App Installer |
| Registry Key Name | Software\Policies\Microsoft\Windows\AppInstaller |
| ADMX File Name | DesktopAppInstaller.admx |