Group Policy update with granular settings to selectively allow/disallow entry points WinGet CLI, WinGet InProc COM, WinGet Out-Of-Proc #3491
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…low entry proints WinGet CLI, WinGet InProc COM, WinGet Out-Of-Proc Changes included : - New Group Policy called "Enable Windows Package Manager" exposes sub settings - WinGet CLI - WinGet InProcess COM - WinGet OutOfProcess COM to control different WinGet endpoints specified which works in combination with V1 "EnableAppInstaller" Policy. i.e when "Enable Windows Package Manager" Policy is set it has precedence over "EnableAppInstaller" Policy & when NotConfigured the default behavior for "EnableAppInstaller" Policy gets applied. - E2E Tests for CLI scenarios - E2E Tests for OutOfProc call scenario [How Tested:] - Applied new group policy adml/admx template onto test machine - Built & Deployed WinGetDev test package executed all the applicable scenarios to be gated by the policy - InProc COM - Used sample C# dotnet framework project that attempts to create InProc COM object using CLSIDs with different InProc COM Policy combination and ensured they are now gated by new policy in combination with EnableAppInstaller - Executed Out-Of-Proc tests part of this change and ensured they all behave as expected.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Madhusudhan-MSFT
changed the title
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Commenter does not have sufficient privileges for PR 3491 in repo microsoft/winget-cli |
florelis
reviewed
Aug 3, 2023
| <string id="EnableWindowsPackageManager">Enable Windows Package Manager</string> | ||
| <string id="EnableWindowsPackageManagerExplanation">This policy determines the access level of apps and services to the Windows Package Manager COM APIs and WinGet CLI, which can be used to install or configure apps on your device. | ||
|
|
||
| By disabling this policy, you prevent any app or service from using the Windows Package Manager COM APIs and WinGet CLI to install or configure apps on your device. |
There was a problem hiding this comment.
Nit: I'd try to stick to the same wording as in the other policies. "If you enable this setting" instead of "By enabling this policy"
There was a problem hiding this comment.
We are in discussion to revise this policy entirely. All these policy details are subject to change as part of the revision. I hope we can accommodate all these feedback part of our revision scheme.
| @@ -106,6 +122,11 @@ If you disable or do not configure this setting, users will not be able to insta | |||
| <presentation id="AllowedSources"> | |||
| <listBox refId="AllowedSources" required="false">Allowed Sources: </listBox> | |||
| </presentation> | |||
| <presentation id="EnableWindowsPackageManagerExplanation"> | |||
| <checkBox refId="EnableWinGetCLI" defaultChecked="true">WinGet CLI</checkBox> | |||
| <checkBox refId="EnableWinGetInProcessCOM" defaultChecked="true">WinGet InProcess COM</checkBox> | |||
There was a problem hiding this comment.
Is "InProcess" and "OutOfProcess" the way it is usually written? Would a translator translate it or leave it as is?
|
|
||
| By leaving this policy as not configured, you allow any app or service to use the Windows Package Manager COM APIs to install apps on your device. | ||
|
|
||
| This policy will override the "Enable App Installer" policy.</string> |
There was a problem hiding this comment.
I'm guessing this only overrides when it is set? It would be weird if it overrode a "enabled" with a "not configured"
Comment on lines
+153
to
+160
| <boolean id="EnableWinGetCLI" valueName="EnableWinGetCLI"> | ||
| <trueValue> | ||
| <decimal value="1"></decimal> | ||
| </trueValue> | ||
| <falseValue> | ||
| <decimal value="0"></decimal> | ||
| </falseValue> | ||
| </boolean> |
| <decimal value="0"></decimal> | ||
| </falseValue> | ||
| </boolean> | ||
| </elements> |
There was a problem hiding this comment.
Will we be able to add more elements in the future?
Comment on lines
+848
to
+859
| PolicyState enableWinGetCLIPolicyState = Settings::GroupPolicies().GetState(Settings::TogglePolicy::Policy::WinGetCLI); | ||
|
|
||
| // Block any CLI execution if WinGetPackageManager - EnableWinGetCLI Policy is disabled. | ||
| if (enableWinGetCLIPolicyState == PolicyState::Disabled) | ||
| { | ||
| AICLI_LOG(CLI, Error, << "WinGet is disabled by group policy"); | ||
| throw GroupPolicyException(Settings::TogglePolicy::Policy::WinGetCLI); | ||
| } | ||
|
|
||
| // Block any execution if winget (EnableAppInstaller) is disabled by policy & the new policy WinGetPackageManager isn't configured. | ||
| // Override the function to bypass this. | ||
| if (!Settings::GroupPolicies().IsEnabled(Settings::TogglePolicy::Policy::WinGet)) | ||
| if (enableWinGetCLIPolicyState == PolicyState::NotConfigured |
There was a problem hiding this comment.
Would it be possible to put this logic in the GroupPolicies struct so we don't have to deal with the override logic here?
Madhusudhan-MSFT
deleted the
user/masudars/CLI_InProcCOM_OutOfProcCOM_GroupPolicy_Support
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Group Policy update with granular settings to selectively allow/disallow entry points WinGet CLI, WinGet InProc COM, WinGet Out-Of-Proc
Changes included :
[How Tested:]
Microsoft Reviewers: codeflow:open?pullrequest=#3491