hub/package-manager/index.md
Lines changed: 32 additions & 1 deletion
@@ -49,7 +49,7 @@ The WinGet client can be used in the command line to install and manage applicat
49
49
50
50
To maintain ongoing security updates, the WinGet client is released using the Microsoft Store and installs applications from the Microsoft Store using the [“msstore” source](./winget/source.md) and applying “certificate pinning” to ensure that the connection is secure and established with the proper endpoint.
51
51
52
-
The Group Policy applied by your enterprise organization may be using SSL inspection via a firewall between the WinGet client and the Microsoft Store source that causes a connection error to appear in the WinGet client.
52
+
The Group Policy applied by your enterprise organization may be using SSL inspection via a firewall between the WinGet client and the Microsoft Store source that causes a connection error to appear in the WinGet client.
53
53
54
54
For this reason, the Windows Package Manager desktop installer supports a policy setting called: “BypassCertificatePinningForMicrosoftStore”. This policy controls whether the Windows Package Manager will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source. The options for this policy include:
55
55
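Review bot: The removed and added lines at line 52 read identically here, so this appears to be a whitespace-only change, but since the line is being touched its wording could be corrected: it says the Group Policy "may be using SSL inspection via a firewall", whereas the inspection is performed by the firewall on the network path, not by Group Policy. Suggest rewording along the lines of "Your enterprise network may use SSL inspection via a firewall between the WinGet client and the Microsoft Store source, which causes a connection error to appear in the WinGet client." It would also help readers to state that the error is certificate pinning working as designed, because an inspecting firewall presents a certificate that does not match the known Microsoft Store certificate described in the next paragraph.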
@@ -60,3 +60,34 @@ For this reason, the Windows Package Manager desktop installer supports a policy
60
60
“Certificate Pinning” ensures that the package manager connection to the Microsoft Store is secure, helping to avoid risks associated with attacks such as Man-in-the-Middle (MITM) attacks involving a third party inserting themselves between a client (user) and server (application) to secretly intercept communication flows to steal sensitive data such as login credentials, etc. Disabling “Certificate Pinning” (enabling the bypass) can expose your organization to risk in this area and should be avoided.
61
61
62
62
To learn more about setting up Group Policy for your enterprise organization, see the [Microsoft Intune documentation](/mem/intune/).
63
+
64
+
## Additional Group Policy settings for Windows Package Manager
65
+
66
+
Windows Package Manager provides additional configuration options through Group Policy, allowing IT administrators to manage and control functionality across multiple devices. These settings are particularly beneficial for enterprise environments where compliance and consistency are critical.
67
+
68
+
Beginning in Windows 11, additional Group Policy templates for Windows Package Manager are included with each release. These templates are divided into several subcategories, enabling IT administrators to configure key aspects of the tool's behavior, such as:
69
+
70
+
-**Source Control**: Specify which sources are allowed or blocked.
71
+
-**Local Development**: Control whether users are allowed to enable experimental features or local manifest installations.
72
+
-**Execution Policies**: Set policies for the command line interface and proxy options.
3. Download the `DesktopAppInstallerPolicies.zip` file included in the release assets.
79
+
80
+
The ZIP file contains the necessary `.admx` and `.adml` files for deploying the policies. Once you've downloaded the `DesktopAppInstallerPolicies.zip` file:
81
+
82
+
1. Extract the contents of the ZIP file on your local machine.
83
+
2. Copy the `.admx` file to the `C:\Windows\PolicyDefinitions` folder on the target device.
84
+
3. Copy the corresponding language-specific `.adml` file to the appropriate subdirectory, such as `C:\Windows\PolicyDefinitions\en-US`.
85
+
4. Open the Group Policy Management Console (GPMC) to configure the policies.
86
+
87
+
> [!NOTE]
88
+
> When working on a Windows Domain Controller, you can store the Group Policy templates in the Central Store. For detailed instructions, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
89
+
90
+
New Group Policy settings may be introduced with each release of Windows Package Manager. To ensure your environment is always up to date:
91
+
92
+
- Regularly check for updates on the [Windows Package Manager GitHub repository](https://github.com/microsoft/winget-cli/releases) page.
93
+
- Review the release notes for changes or additions to the policy templates.
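Review bot: The deployment steps that follow "Download the `DesktopAppInstallerPolicies.zip` file" copy the `.admx` and `.adml` files straight into `C:\Windows\PolicyDefinitions`, with no step asking the administrator to confirm that the ZIP came from the official releases page linked in the last list and that it matches the Windows Package Manager version deployed on the target devices. Suggest adding that check before the copy steps, since templates taken from a different release can expose settings the installed client does not honor. Separately, "Beginning in Windows 11, additional Group Policy templates for Windows Package Manager are included with each release" does not say whether "release" means a Windows release or a Windows Package Manager release; the closing paragraph uses "each release of Windows Package Manager", so the earlier sentence should be aligned with it. The new section would also benefit from a link back to the "BypassCertificatePinningForMicrosoftStore" policy described above, so readers can see it is configured through the same mechanism.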