Managing Winget using Intune and ADMX Import

One of the new announcements from the Microsoft Technical Takeoff was the management of the Winget App Installer via GPO (this video)

With the new ADMX import functionality, why not import these new GPOs and use Intune to manage the App Installer on your machines.

Update – 1st November 2022 – The policy locations are currently restricted on ADMX import so I have added a guide to use OMA-URI instead. I will leave the import here for future reference

Custom OMA-URI

Management via Settings Catalog is in progress, but until then, we can create a Custom policy to manage Winget Settings

First we need to create a Custom profile

Give it a name and continue to add Settings.

For reference, the CSP settings are all here:

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller

These are all device based policies so the path will be:

./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/POLICYNAME

Fortunately these are all simple Enabled/Disabled 1/0 policies so the setting will be a String with a value of either

<enabled/>

or

<disabled/>

To check these have worked, run this command on a machine

winget --info

Which should display something like this:

Note:

If you set the update interval, it’s not a simple enable/disable so you will need code like this (value is in minutes):

<enabled/> <data id="SourceAutoUpdateInterval" value="30"/>

Thanks to Phil Jorgensen for pointing this one out

If you want to grab a JSON export of my policy, you can find that here

Old Content

In this post, I’ll run through the steps to do just that.

First up, grab the ADMX files from the Winget Github Repo released page:

https://github.com/microsoft/winget-cli/releases

Now we need to import the ADMX files, navigate to Devices – Configuration Profiles and then click Import ADMX:

Before we import the new policies, these require the Windows.admx files (if you want to know why, have a look at this post from Rudy Ooms)

Click Import and navigate to c:\windows\policydefinitions

And also the Windows.adml from your preferred language

Click Next and Import

When that has completed we need to upload the Winget policies, same process, but selecting the downloaded ADMX and ADML files

Now we wait for the upload to be marked as Available

Now to create the policy:

We want to use Imported Administrative Templates

Give it a name

You will find the settings here:

Set whatever is required for your environment

Add any scope tags and assign as required:

Finally Create your profile

25 thoughts on “Managing Winget using Intune and ADMX Import”

  1. Hey Andrew! Wanted to add if one were to set the Auto Update Interval value, won’t be enough. Example for a 30 minute interval:

    Data type: String
    Value:
    data id="SourceAutoUpdateInterval" value="30"

    Reply
  2. I get the same as described above by Mohamed. Access denied to ‘Software\Policies\Microsoft\Windows\AppInstaller’.

    “MDM PolicyManager ADMX Ingestion: Blocked registry key: (Software\Policies\Microsoft\Windows\AppInstaller) in (policy) tag.”

    Reply
  3. When i check the Administative Events : MDM PolicyManager ADMX Ingestion: Blocked registry key: (Software\Policies\Microsoft\Windows\AppInstaller) in (policy) tag.

    Reply
  4. Hello Andrew,

    I have exactly the same error with the latest version retrieved from Github. I also tried with the latest pre-release is still the error.

    message error :
    ERROR CODE
    0x20101
    ERROR DETAILS
    The administrative template file failed to be sent to the device

    Reply
    • Can you try installing the latest Winget release from their GitHub? The error seems to be version related I think so I wonder if the policy is newer than the bundled version with Windows

      Reply
  5. I did. Didn’t make any difference and I followed your blog step by step. Already tried device and user based assignments. But none of the methods made a difference.

    Reply
  6. First I’ve imported the Windows admx and adel and then the DesktopInstaller ADMX, but still ended up with an error.

    ERROR CODE
    0x20101
    ERROR DETAILS
    The administrative template file failed to be sent to the device.

    Reply
  7. Great idea! I do receive an upload error:

    “Error Details
    ADMX file referenced not found NamespaceMissing:Microsoft.Policies.Windows. Please upload it first.”

    Reply

Leave a Comment