devbox: enable msauth default account and broker in devbox

Detect when we are in a Microsoft Dev Box environment, and if we are,
then default to enabling the default OS account setting and enabling
WAM.

Author: mjcheetham

docs/configuration.md

@@ -543,7 +543,10 @@ git config --global credential.msauthFlow devicecode
 
 Use the operating system account manager where available.
 
-Defaults to `false`. This default is subject to change in the future.
+Defaults to `false`. In certain cloud hosted environments when using a work or
+school account, such as [Microsoft DevBox][devbox], the default is `true`.
+
+These defaults are subject to change in the future.
 
 _**Note:** before you enable this option on Windows, please review the
 [Windows Broker][wam] details for what this means to your local Windows user
@@ -568,7 +571,10 @@ git config --global credential.msauthUseBroker true
 
 Use the current operating system account by default when the broker is enabled.
 
-Defaults to `false`. This default is subject to change in the future.
+Defaults to `false`. In certain cloud hosted environments when using a work or
+school account, such as [Microsoft DevBox][devbox], the default is `true`.
+
+These defaults are subject to change in the future.
 
 Value|Description
 -|-
@@ -692,6 +698,7 @@ git config --global credential.azreposCredentialType oauth
 [credential-plaintextstorepath]: #credentialplaintextstorepath
 [credential-cache]: https://git-scm.com/docs/git-credential-cache
 [cred-stores]: credstores.md
+[devbox]: https://azure.microsoft.com/en-us/products/dev-box
 [enterprise-config]: enterprise-config.md
 [envars]: environment.md
 [freedesktop-ss]: https://specifications.freedesktop.org/secret-service/

docs/environment.md

@@ -776,7 +776,10 @@ export GCM_MSAUTH_FLOW="devicecode"
 
 Use the operating system account manager where available.
 
-Defaults to `false`. This default is subject to change in the future.
+Defaults to `false`. In certain cloud hosted environments when using a work or
+school account, such as [Microsoft DevBox][devbox], the default is `true`.
+
+These defaults are subject to change in the future.
 
 _**Note:** before you enable this option on Windows, please
 [review the details][windows-broker] about what this means to your local Windows
@@ -807,7 +810,10 @@ export GCM_MSAUTH_USEBROKER="false"
 
 Use the current operating system account by default when the broker is enabled.
 
-Defaults to `false`. This default is subject to change in the future.
+Defaults to `false`. In certain cloud hosted environments when using a work or
+school account, such as [Microsoft DevBox][devbox], the default is `true`.
+
+These defaults are subject to change in the future.
 
 Value|Description
 -|-
@@ -881,6 +887,7 @@ export GCM_AZREPOS_CREDENTIALTYPE="oauth"
 [credential-provider]: configuration.md#credentialprovider
 [credential-stores]: credstores.md
 [default-values]: enterprise-config.md
+[devbox]: https://azure.microsoft.com/en-us/products/dev-box
 [freedesktop-ss]: https://specifications.freedesktop.org/secret-service/
 [gcm]: usage.md
 [gcm-interactive]: #gcm_interactive

docs/windows-broker.md

@@ -43,6 +43,14 @@ variable or set the
 [`credential.msauthUseDefaultAccount`][credential.msauthUseDefaultAccount] Git
 configuration value to `true`.
 
+In certain cloud hosted environments when using a work or school account, such
+as [Microsoft Dev Box][devbox], this setting is **_automatically enabled_**.
+
+To disable this behavior, set the environment variable
+[`GCM_MSAUTH_USEDEFAULTACCOUNT`][GCM_MSAUTH_USEDEFAULTACCOUNT] or the
+[`credential.msauthUseDefaultAccount`][credential.msauthUseDefaultAccount] Git
+configuration value explicitly to `false`.
+
 ## Surprising behaviors
 
 The WAM and Windows identity systems are complex, addressing a very broad range
@@ -183,10 +191,10 @@ In order to fix the problem, there are a few options:
 [azure-refresh-token-terms]: https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token#key-terminology-and-components
 [azure-conditional-access]: https://docs.microsoft.com/azure/active-directory/conditional-access/overview
 [azure-devops]: https://dev.azure.com
-[GCM_MSAUTH_USEBROKER]: environment.md#GCM_MSAUTH_USEBROKER
-[GCM_MSAUTH_USEDEFAULTACCOUNTR]: environment.md#GCM_MSAUTH_USEDEFAULTACCOUNTR
-[credential.msauthUseBroker]: configuration.md#credentialmsauthusebroker
-[credential.msauthUseDefaultAccount]: configuration.md#credentialmsauthusedefaultaccount
+[GCM_MSAUTH_USEBROKER]: environment.md#GCM_MSAUTH_USEBROKER-experimental
+[GCM_MSAUTH_USEDEFAULTACCOUNT]: environment.md#GCM_MSAUTH_USEDEFAULTACCOUNT-experimental
+[credential.msauthUseBroker]: configuration.md#credentialmsauthusebroker-experimental
+[credential.msauthUseDefaultAccount]: configuration.md#credentialmsauthusedefaultaccount-experimental
 [aad-questions]: img/aad-questions.png
 [aad-questions-21h1]: img/aad-questions-21H1.png
 [aad-bitlocker]: img/aad-bitlocker.png
@@ -197,3 +205,4 @@ In order to fix the problem, there are a few options:
 [apps-must-ask]: img/apps-must-ask.png
 [ms-com]: https://docs.microsoft.com/en-us/windows/win32/com/the-component-object-model
 [msal-dotnet]: https://aka.ms/msal-net
+[devbox]: https://azure.microsoft.com/en-us/products/dev-box

src/shared/Core/Authentication/MicrosoftAuthentication.cs

@@ -557,8 +557,8 @@ public bool CanUseBroker()
                 return false;
             }
 
-            // Default to not using the OS broker
-            const bool defaultValue = false;
+            // Default to using the OS broker only on DevBox for the time being
+            bool defaultValue = PlatformUtils.IsDevBox();
 
             if (Context.Settings.TryGetSetting(Constants.EnvironmentVariables.MsAuthUseBroker,
                     Constants.GitConfiguration.Credential.SectionName,

src/shared/Core/Constants.cs

@@ -16,6 +16,8 @@ public static class Constants
 
         public const string GcmDataDirectoryName = ".gcm";
 
+        public static readonly Guid DevBoxPartnerId = new("e3171dd9-9a5f-e5be-b36c-cc7c4f3f3bcf");
+
         public static class CredentialStoreNames
         {
             public const string WindowsCredentialManager = "wincredman";
@@ -187,6 +189,10 @@ public static class WindowsRegistry
         {
             public const string HKAppBasePath = @"SOFTWARE\GitCredentialManager";
             public const string HKConfigurationPath = HKAppBasePath + @"\Configuration";
+
+            public const string HKWindows365Path = @"SOFTWARE\Microsoft\Windows365";
+            public const string IsW365EnvironmentKeyName = "IsW365Environment";
+            public const string W365PartnerIdKeyName = "PartnerId";
         }
 
         public static class HelpUrls

src/shared/Core/PlatformUtils.cs

@@ -22,6 +22,35 @@ public static PlatformInformation GetPlatformInformation(ITrace2 trace2)
             return new PlatformInformation(osType, osVersion, cpuArch, clrVersion);
         }
 
+        public static bool IsDevBox()
+        {
+            if (!IsWindows())
+            {
+                return false;
+            }
+
+#if NETFRAMEWORK
+            // Check for machine (HKLM) registry keys for Cloud PC indicators
+            // Note that the keys are only found in the 64-bit registry view
+            using (Microsoft.Win32.RegistryKey hklm64 = Microsoft.Win32.RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, Microsoft.Win32.RegistryView.Registry64))
+            using (Microsoft.Win32.RegistryKey w365Key = hklm64.OpenSubKey(Constants.WindowsRegistry.HKWindows365Path))
+            {
+                if (w365Key is null)
+                {
+                    // No Windows365 key exists
+                    return false;
+                }
+
+                object w365Value = w365Key.GetValue(Constants.WindowsRegistry.IsW365EnvironmentKeyName);
+                string partnerValue = w365Key.GetValue(Constants.WindowsRegistry.W365PartnerIdKeyName)?.ToString();
+
+                return w365Value is not null && Guid.TryParse(partnerValue, out Guid partnerId) && partnerId == Constants.DevBoxPartnerId;
+            }
+#else
+            return false;
+#endif
+        }
+
         public static bool IsWindowsBrokerSupported()
         {
             if (!IsWindows())

src/shared/Core/Settings.cs

@@ -781,7 +781,7 @@ ProxyConfiguration CreateConfiguration(Uri uri, bool isLegacy = false)
                 KnownGitCfg.Credential.MsAuthUseDefaultAccount,
                 out string str)
             ? str.IsTruthy()
-            : false;
+            : PlatformUtils.IsDevBox(); // default to true in DevBox environment
 
         #region IDisposable