New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introducing new Group Policy EnableWindowsPackageManagerCommandLineInterfaces for Intune #3524
Conversation
…terfaces for Intune The changess part of this commit includes: 1. ADMX/ADML Changes to include EnableWindowsPackageManagerCommandLineInterfaces policy 2. EnableWindowsPackageManagerCommandLineInterfaces is another simple - EnableValue/DisableValue boolean (1/0) policy
…dLineInterfaces Group Policy This commit includes: 1. WinGetCLi command code update to read & validation EnableWindowsPackageManagerCommandLineInterfaces Group Policy i.e block when disabled. 2. WinGetCLI End to End tests to validate EnableWindowsPackageManagerCommandLineInterfaces policy in combination with "EnableAppInstaller" WinGet Policy
…read and respect "EnableAppInstaller" & EnableWindowsPackageManagerCommandLineInterfaces Group Policies The commit includes: 1. Shared code to read Group Policies "Microsoft.WinGet.SharedLib" right now limited to read only Toggle Policies just enough to address the scope of Intune deliverable. 2. Group policy read and validation logic to block PowerShell modules 1. Microsoft.WinGet.Client.psd1 PowerShell module 2. Microsoft.WinGet.Configuration.psd1 PowerShell module when any of two policies are disabled "EnableAppInstaller" or "EnableWindowsPackageManagerCommandLineInterfaces" 3. The PowerShell module consumes the "Microsoft.WinGet.SharedLib" share code as file links added to - Microsoft.WinGet.Client.Engine - Microsoft.WinGet.Configuration.Engine cs projects and they compiled into its own assemblies to address following issues 1. PowerShell modules for WinGetClient & WinGet Configure target different OS versions & .net framework combination as a result having a common shared .net standard library fails to compile due to OS target version compatibility issues. 2. We can also avoid duplicating same share code b/w PowerShell module projects. NOTE: GroupPolicyResource.resx resource is duplicated into PowerShell modules assemblies as adding link resulted runtime failure due to missing resource file 4. Tests to validate PowerShell WinGet Client command with Group Policy in effect TODOs: Add Group Policy tests for WinGet Configure PowerShell cmdlets this is manually validated by running PowerShell cmdlets but actual test requires some additional setup so plan is add those test in future.
This comment has been minimized.
This comment has been minimized.
@@ -146,5 +146,15 @@ | |||
<decimal value="0" /> | |||
</disabledValue> | |||
</policy> | |||
<policy name="EnableWindowsPackageManagerCommandLineInterfaces" class="Machine" displayName="$(string.EnableWindowsPackageManagerCommandLineInterfaces)" explainText="$(string.EnableWindowsPackageManagerCommandLineInterfacesExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableWindowsPackageManagerCommandLineInterfaces"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to include "WindowsPackageManager" in the name? None of the other policies do. Would be nice to stay consistent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not a requirement that we prefix the title of our policies with "Desktop App Installer". The direction of this policy is at the WinGet functionality only, therefore prefixing the title with "Windows Package Manager" makes sense.
It would make sense for more of our policies to be prefixed like this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it would make sense to have them prefixed, but the others are not and that's hard to change. I can see the point of having a prefix, but I also think there is some value in having them all be consistent.
And if we are prefixing, does it need to be with WindowsPackageManager? Could it be just WinGet or something short?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In this context, we shouldn't be prefixing our GPOs with an abbreviation or shortened form of our product name. Which is why we are pushing for the "Windows Package Manager" as the new prefix.
@@ -146,5 +146,15 @@ | |||
<decimal value="0" /> | |||
</disabledValue> | |||
</policy> | |||
<policy name="EnableWindowsPackageManagerCommandLineInterfaces" class="Machine" displayName="$(string.EnableWindowsPackageManagerCommandLineInterfaces)" explainText="$(string.EnableWindowsPackageManagerCommandLineInterfacesExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableWindowsPackageManagerCommandLineInterfaces"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it would make sense to have them prefixed, but the others are not and that's hard to change. I can see the point of having a prefix, but I also think there is some value in having them all be consistent.
And if we are prefixing, does it need to be with WindowsPackageManager? Could it be just WinGet or something short?
This comment has been minimized.
This comment has been minimized.
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
PowerShell client modules doesn't work from x86 release, so skipping those test It follows the pattern used for "WinGetClientModule" tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not too familiar with the structure of the shared code/resources here. Will let someone with more .Net experience weigh in.
src/AppInstallerCLIE2ETests/PowerShell/WinGetClientModuleGroupPolicyTests.cs
Outdated
Show resolved
Hide resolved
…ass library project file The commit includes: - Moving Microsoft.WinGet.SharedLib code to it own .net standard 2.0 class library project file - Removed explict links to shared code from - Microsoft.WinGet.Client.Engine.csproj - Microsoft.WinGet.Configuration.Engine.csproj and then now includes class library as project reference - Additonally updated - Microsoft.WinGet.Client.Cmdlets - Microsoft.WinGet.Configuration.Cmdlets projects to copy Microsoft.WinGet.SharedLib.dll to module path [How Tested:] - Did run some sanity tests to ensure all the changes works as expected.
…nfiguration Group Policy blocking scenario
/azp run |
Azure Pipelines successfully started running 1 pipeline(s). |
…Content initialization logic in tests
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PowerShellwise this looks good to me
src/AppInstallerCLIE2ETests/PowerShell/WinGetClientModuleGroupPolicyTests.cs
Outdated
Show resolved
Hide resolved
…ered part of pester tests
Hello team, I was checking the conversation but I did not understand if this change was completed or what is the current status of this. |
This change has been completed. The latest clients have support for the policy and the ADMX/ADML has been updated and published with the release at GitHub. |
thank you for the reply Denelon, i was curious if this is only an intune policy or also a windows domain gpo. I am asking because on the Microsoft official documentation I found references only to the CSP policy |
WinGet leverages the second mechanism via ADMX/ADML ingestion. |
Understood, and this is working for all versions? I saw on the CSP link that this was only available for insider preview |
[Why;]
To allow Intune to be able to set a group policy to block end user installing packages from WinGet Command Line interfaces such as WinGet CLI, PowerShell modules while Intune can still install package by themselves by consuming WinGet APIs directly.
[WHAT:]
Policy Changes:
WinGet CLI Changes:
Group Policy i.e block when disabled.
combination with "EnableAppInstaller" WinGet Policy
How Tested:
PowerShell Module related changes:
just enough to address the scope of Intune deliverable.
when any of two policies are disabled
"EnableAppInstaller" or "EnableWindowsPackageManagerCommandLineInterfaces"
How Tested:
Patch Group Policy AMDX/AMDL
Deploy Microsoft.WinGet.Client.psd1 & Microsoft.WinGet.Configuration.psd1 PowerShell modules.
Import Microsoft.WinGet.Client.ps1 powershell module & run cmdlets with policy enabled/disabled and verify policy blocks
PowerShell module execution when it is disabled.
wingetdev configure E:\winget\src\AppInstallerCLIE2ETests\TestData\Configuration\PSGallery_NoModule_NoSettings.yml
Import Microsoft.WinGet.Configuration.psd1 PowerShell module & run cmdlets with policy enabled/disabled and verify policy blocks PowerShell module execution when it is disabled.
Related to : https://microsoft.visualstudio.com/OS/_workitems/edit/45810849/
Microsoft Reviewers: Open in CodeFlow