One of the new announcements from the Microsoft Technical Takeoff was the management of the Winget App Installer via GPO (this video)
With the new ADMX import functionality, why not import these new GPOs and use Intune to manage the App Installer on your machines.
Update – 1st November 2022 – The policy locations are currently restricted on ADMX import so I have added a guide to use OMA-URI instead. I will leave the import here for future reference
Custom OMA-URI
Management via Settings Catalog is in progress, but until then, we can create a Custom policy to manage Winget Settings
First we need to create a Custom profile
Give it a name and continue to add Settings.
For reference, the CSP settings are all here:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller
These are all device based policies so the path will be:
./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/POLICYNAMEFortunately these are all simple Enabled/Disabled 1/0 policies so the setting will be a String with a value of either
<enabled/>or
<disabled/>
To check these have worked, run this command on a machine
winget --infoWhich should display something like this:
Note:
If you set the update interval, it’s not a simple enable/disable so you will need code like this (value is in minutes):
<enabled/> <data id="SourceAutoUpdateInterval" value="30"/>Thanks to Phil Jorgensen for pointing this one out
If you want to grab a JSON export of my policy, you can find that here
Old Content
In this post, I’ll run through the steps to do just that.
First up, grab the ADMX files from the Winget Github Repo released page:
https://github.com/microsoft/winget-cli/releases
Now we need to import the ADMX files, navigate to Devices – Configuration Profiles and then click Import ADMX:
Before we import the new policies, these require the Windows.admx files (if you want to know why, have a look at this post from Rudy Ooms)
Click Import and navigate to c:\windows\policydefinitions
And also the Windows.adml from your preferred language
Click Next and Import
When that has completed we need to upload the Winget policies, same process, but selecting the downloaded ADMX and ADML files
Now we wait for the upload to be marked as Available
Now to create the policy:
We want to use Imported Administrative Templates
Give it a name
You will find the settings here:
Set whatever is required for your environment
Add any scope tags and assign as required:
Finally Create your profile
Great idea! I do receive an upload error:
“Error Details
ADMX file referenced not found NamespaceMissing:Microsoft.Policies.Windows. Please upload it first.”
Hi Nigel, make sure you upload windows.admx from c:\windows\policydefinitions (and windows.adml) before uploading the Winget ADMX files
Duh just figured that out – thanks again!
First I’ve imported the Windows admx and adel and then the DesktopInstaller ADMX, but still ended up with an error.
ERROR CODE
0x20101
ERROR DETAILS
The administrative template file failed to be sent to the device.
Hi, try removing and re-adding them, it might be something timed out (the functionality is still in preview so there can be the odd bug)
I’ve added OMA-URI settings now which seem to work ok
I did. Didn’t make any difference and I followed your blog step by step. Already tried device and user based assignments. But none of the methods made a difference.
What OS are your devices running?
Oh sorry for the late response. I got a VM with win11 22h2 and win10 22h2.
Can you try installing the latest Winget release from their GitHub? The error seems to be version related I think so I wonder if the policy is newer than the bundled version with Windows
Hello Andrew,
I have exactly the same error with the latest version retrieved from Github. I also tried with the latest pre-release is still the error.
message error :
ERROR CODE
0x20101
ERROR DETAILS
The administrative template file failed to be sent to the device
I think I can see why, the keys are writing to HKLM\Software\Policies\Microsoft\Windows\AppInstaller which is currently blocked in ADMX import:
https://learn.microsoft.com/en-us/windows/client-management/win32-and-centennial-app-policy-configuration#overview
I’ll see if I can convert to a custom OMA-URI instead
When i check the Administative Events : MDM PolicyManager ADMX Ingestion: Blocked registry key: (Software\Policies\Microsoft\Windows\AppInstaller) in (policy) tag.
Yes, it’s blocked on import at the moment, working on a custom one now
Looks like you can’t ingest into that reg location either, I’ve messaged Intune Support to see if it can be released
I’ve added OMA-URI settings now which seem to work ok
hello Andrew,
Thank you for your reactivity,
hoping for a solution for this error.
best regards
I get the same as described above by Mohamed. Access denied to ‘Software\Policies\Microsoft\Windows\AppInstaller’.
“MDM PolicyManager ADMX Ingestion: Blocked registry key: (Software\Policies\Microsoft\Windows\AppInstaller) in (policy) tag.”
The registry paths used for Winget ADMX are on the blocked list for importing. I’ve been told they’ll be in Settings Catalog soon, but I’m hoping to sort the Custom OMA-URI paths and update this accordingly.
I’ve added OMA-URI settings now which seem to work ok
Hello Andrew,
I just try the new method. I’ve got the same error message.
What error do you get?
Hey Andrew! Wanted to add if one were to set the Auto Update Interval value, won’t be enough. Example for a 30 minute interval:
Data type: String
Value:
data id="SourceAutoUpdateInterval" value="30"Tried steps shared by andrew but its not working .
OMA URI – only works for Windows 11 22h2 and above.
That’s correct, these policy settings were only introduced in Win11 22H2