Skip to main content

Group Policy

Control WinGet functionality, sources, and behavior across your organization using Windows Group Policy. This guide covers all available policies and enterprise deployment strategies.

Overview

WinGet Group Policy enables centralized control over:
  • Feature availability and restrictions
  • Package source configuration
  • Security settings and overrides
  • Default behavior and preferences
Group Policy settings override user-configured settings in settings.json. Policies take precedence.

Installing Policy Templates

Locating ADMX Files

Policy templates are included in the WinGet source repository: 
doc/admx/DesktopAppInstaller.admx
doc/admx/en-US/DesktopAppInstaller.adml

Deployment Steps

1

Copy ADMX File

Copy DesktopAppInstaller.admx to your PolicyDefinitions folder:Local Machine:
C:\Windows\PolicyDefinitions\
Domain Controller (Central Store):
\\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions\
2

Copy ADML File

Copy DesktopAppInstaller.adml to the language-specific folder:Local Machine:
C:\Windows\PolicyDefinitions\en-US\
Domain Controller:
\\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions\en-US\
3

Verify Installation

Open Group Policy Editor:
gpedit.msc  # Local policy
gpmc.msc    # Domain policy
Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer
You should see all WinGet policies listed.

Policy Categories

Toggle Policies

Toggle policies enable or disable specific features. They use DWORD values (0 = Disabled, 1 = Enabled).

Value Policies

Value policies set configuration values like intervals or proxy settings.

List Policies

List policies define multiple items, such as additional sources or allowed sources.

Core Functionality Policies

Enable Windows Package Manager

Policy: EnableAppInstaller Path: Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer > Enable Windows Package Manager Controls whether WinGet can be used at all.
Enabled/Not Configured: Users can use WinGetDisabled: WinGet is completely blockedRegistry Key:
HKLM\Software\Policies\Microsoft\Windows\AppInstaller
Value: EnableAppInstaller
Type: DWORD (0 or 1)

Enable Command Line Interfaces

Policy: EnableWindowsPackageManagerCommandLineInterfaces Controls access to WinGet CLI and PowerShell cmdlets.
Enabled/Not Configured: CLI and PowerShell are accessibleDisabled: Blocks winget.exe and WinGet PowerShell module
Does not override the Enable Windows Package Manager policy. Both must be enabled.

Enable Settings

Policy: EnableSettings Controls whether users can modify their WinGet settings.
Enabled/Not Configured: Users can edit settings.jsonDisabled: Settings file is read-only; only policy appliesUse this to enforce standardized configurations.

Enable Experimental Features

Policy: EnableExperimentalFeatures Controls access to experimental features.
Enabled/Not Configured: Users can enable experimental features in settingsDisabled: All experimental features are blockedUseful for preventing untested features in production environments.

Source Management Policies

Source Auto Update Interval

Policy: SourceAutoUpdateInterval Sets the automatic update interval for package sources (in minutes). 
Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer > Set Windows Package Manager Source Auto Update Interval In Minutes
Range: 0 - 43200 minutes (0 = disabled, max = 30 days)Default: 15 minutes if not configuredRegistry:
HKLM\Software\Policies\Microsoft\Windows\AppInstaller
Value: SourceAutoUpdateInterval
Type: DWORD
Example Values:
  • 0: Disable automatic updates
  • 60: Update every hour
  • 1440: Update once per day

Enable Default Source

Policy: EnableDefaultSource Controls availability of the default WinGet source (winget).
Not Configured: Default source available, users can removeEnabled: Default source available, users cannot removeDisabled: Default source not available
Disabling the default source without providing alternatives will prevent package installation from public repositories.

Enable Microsoft Store Source

Policy: EnableMicrosoftStoreSource Controls availability of the Microsoft Store source.
Not Configured: Store source available, removableEnabled: Store source available, not removableDisabled: Store source unavailable

Enable Additional Sources

Policy: EnableAdditionalSources Define enterprise package sources that users cannot remove.
1

Enable the Policy

Navigate to:
Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer > Enable Windows Package Manager Additional Sources
Set to Enabled.
2

Add Source Definitions

In the policy configuration dialog, click Show next to “Additional Sources”.Add each source as a JSON object:
{"Name":"CompanyApps","Arg":"https://packages.company.com/cache","Type":"Microsoft.PreIndexed.Package","Data":"","Identifier":"CompanyApps_ID"}
3

Deploy Policy

Apply the GPO to target organizational units.Sources appear automatically on client machines and cannot be removed by users.
Required fields:
  • Name: Display name for the source
  • Arg: URL or UNC path to source
  • Type: Source type (Microsoft.PreIndexed.Package or Microsoft.Rest)
  • Identifier: Unique identifier
Optional fields:
  • Data: Additional metadata
  • TrustLevel: Array of trust levels
  • Priority: Source priority (requires experimental feature)
Example:
{
  "Name": "EnterpriseApps",
  "Arg": "https://winget.enterprise.com/cache",
  "Type": "Microsoft.PreIndexed.Package",
  "Identifier": "EnterpriseApps_8wekyb3d8bbwe",
  "Data": "",
  "Priority": 100
}

Enable Allowed Sources

Policy: EnableAllowedSources Restrict users to only specified sources.
1

Enable the Policy

Set Enabled for:
Enable Windows Package Manager Allowed Sources
2

Define Allowed Sources

List each permitted source in JSON format.Example allowing only corporate and default sources:
{"Name":"winget","Arg":"https://cdn.winget.microsoft.com/cache","Type":"Microsoft.PreIndexed.Package","Identifier":"Microsoft.Winget.Source_8wekyb3d8bbwe"}
{"Name":"CompanyApps","Arg":"https://packages.company.com/cache","Type":"Microsoft.PreIndexed.Package","Identifier":"CompanyApps_ID"}
3

Test Restrictions

Users can only add or remove sources listed in the policy.Attempts to add other sources will fail.
Disabled: Users cannot configure any additional sources beyond policy-defined ones.Not Configured: Users can add/remove sources freely.

Enable Font Source

Policy: EnableFontSource Controls the experimental font package source.
Requires the fonts experimental feature to be enabled.

Security Policies

Enable Local Manifest Files

Policy: EnableLocalManifestFiles Controls whether users can install from local YAML manifest files. 
# Blocked if policy is disabled
winget install --manifest ./local-package.yaml
Enabled/Not Configured: Local manifests allowedDisabled: winget install --manifest is blocked
Local manifests bypass source validation. Disable in high-security environments.

Enable Hash Override

Policy: EnableHashOverride Controls whether users can override SHA256 hash validation.
Enabled/Not Configured: Users can use --force or --ignore-security-hashDisabled: Hash validation cannot be bypassedRecommended: Disable in production environments for security.

Enable Local Archive Malware Scan Override

Policy: EnableLocalArchiveMalwareScanOverride Controls ability to skip malware scanning for local archive installations.
Enabled: Users can skip malware scan with:
winget install --manifest ./package.yaml \
  --ignore-local-archive-malware-scan
Disabled/Not Configured: Malware scan cannot be bypassed
Only enable if you have alternative malware protection measures.

Enable Certificate Pinning Bypass for Microsoft Store

Policy: EnableBypassCertificatePinningForMicrosoftStore Controls certificate validation for Microsoft Store source.
Enabled: Bypasses certificate pinning for Store sourceDisabled/Not Configured: Certificate must match known Store certificatesUse cases:
  • Corporate SSL inspection/decryption
  • Proxy environments with certificate replacement
Only enable in controlled network environments. Reduces security.

Network Policies

Set Default Proxy

Policy: WindowsPackageManagerDefaultProxy Define a default proxy for all WinGet network operations.
1

Enable Policy

Navigate to:
Set Windows Package Manager Default Proxy
Set to Enabled.
2

Configure Proxy

Enter proxy URL in the text field:
http://proxy.company.com:8080
Or with authentication:
http://username:password@proxy.company.com:8080
If not configured, WinGet uses system proxy settings.

Enable Proxy Command Line Options

Policy: EnableWindowsPackageManagerProxyCommandLineOptions Controls whether users can override proxy settings via command line.
Enabled: Users can specify proxy per-command:
winget install --id Contoso.App --proxy http://myproxy:8080
Disabled/Not Configured: Command-line proxy options are blockedUse to enforce centralized proxy settings.

Installation Policies

MSIX Allowed Zones

Policy: EnableMsixAllowedZones Control from which URL security zones MSIX packages can be installed.
1

Enable Policy

Set Enabled for:
Enable App Installer Allowed Zones for MSIX Packages
2

Configure Zones

For each zone, select Allow or Block:
  • Local Machine: Files on local disk
  • Intranet: Corporate network sites
  • Trusted Sites: Manually trusted sites
  • Internet: General internet sites
  • Untrusted Sites: Explicitly untrusted
Not Configured: All zones allowed except Untrusted SitesExample Configuration:
  • Local Machine: Allow
  • Intranet: Allow
  • Trusted Sites: Allow
  • Internet: Block
  • Untrusted Sites: Block
This restricts MSIX installations to internal sources only.

Enable MSIX SmartScreen Check

Policy: EnableMsixSmartScreenCheck Controls whether MSIX package URIs are checked against Microsoft SmartScreen.
Enabled/Not Configured: SmartScreen validates package URIs from internetDisabled: SmartScreen checks are skipped
Only applies to packages originating from internet zones.

Protocol Policies

Enable ms-appinstaller Protocol

Policy: EnableMSAppInstallerProtocol Controls whether users can install packages via ms-appinstaller:// protocol links.
Enabled: Users can click web links like:
<a href="ms-appinstaller:?source=https://packages.contoso.com/app.appinstaller">
  Install App
</a>
Disabled/Not Configured: Protocol links are blockedDisable to prevent web-based package installation vectors.

Configuration Feature Policies

Enable Windows Package Manager Configuration

Policy: EnableWindowsPackageManagerConfiguration Controls the WinGet configuration feature (DSC integration).
Enabled/Not Configured: Users can run:
winget configure ./configuration.yaml
Disabled: Configuration feature is blocked
WinGet Configuration enables declarative system setup using PowerShell DSC.

Enable MCP Server

Policy: EnableWindowsPackageManagerMcpServer Controls the Model Context Protocol (MCP) server for WinGet.
Enabled/Not Configured: MCP server can be usedDisabled: MCP server functionality is blockedUsed for AI-assisted package management scenarios.

Policy Implementation Strategies

Scenario: Locked-Down Environment

1

Restrict to Corporate Sources

Enable Allowed Sources policy with only enterprise sources:
{"Name":"EnterpriseApps","Arg":"https://packages.corp.com/cache","Type":"Microsoft.PreIndexed.Package","Identifier":"Corp_ID"}
2

Block Risky Features

Disable these policies:
  • Enable Local Manifest Files
  • Enable Hash Override
  • Enable Local Archive Malware Scan Override
  • Enable Experimental Features
3

Enforce Settings

Disable Enable Settings to prevent user customization.
4

Configure Network

Set Default Proxy and disable Proxy Command Line Options.

Scenario: Balanced Corporate Environment

1

Provide Corporate Sources

Use Additional Sources to add enterprise repositories:
{"Name":"CompanyApps","Arg":"https://winget.company.com/cache","Type":"Microsoft.PreIndexed.Package","Identifier":"Company_ID"}
Leave default sources enabled.
2

Allow User Settings

Keep Enable Settings enabled for user preferences.
3

Security Baselines

Disable only:
  • Enable Hash Override
  • Enable Local Archive Malware Scan Override
4

Network Configuration

Set Default Proxy but allow command-line override for special cases.

Scenario: Developer Workstations

1

Maximum Flexibility

Leave most policies Not Configured or Enabled.
2

Add Internal Sources

Use Additional Sources for company-specific packages:
{"Name":"DevTools","Arg":"https://devtools.company.com/cache","Type":"Microsoft.PreIndexed.Package","Identifier":"DevTools_ID"}
3

Enable Experimental Features

Allow developers to test new functionality.
4

Minimal Restrictions

Only disable hash override for baseline security.

Verifying Policy Application

Check Registry Values

Verify policies are applied: 
# Check main policy key
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\AppInstaller"

# Check specific policy
Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\AppInstaller" -Name EnableAppInstaller

Test WinGet Behavior

Validate policy enforcement: 
# Test if WinGet is enabled
winget --version

# Test source restrictions
winget source list

# Test installation restrictions
winget install --manifest ./test.yaml

Group Policy Results

Generate policy report: 
gpresult /H policy-report.html
Review applied policies in the HTML report under: 
Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer

Troubleshooting

  1. Verify ADMX/ADML files are correctly placed
  2. Run gpupdate /force on client machines
  3. Check GPO is linked to correct OU
  4. Verify no conflicting GPOs
  5. Check client is receiving policies: gpresult /r
Policy should always win. If not:
  1. Verify policy is applied: check registry
  2. Ensure policy targets are correct (Computer vs User)
  3. Check for local policy overrides
  4. Restart WinGet process
Common issues:
  1. JSON Format: Ensure proper JSON escaping in policy editor
  2. Quotes: Use double quotes in JSON, not single quotes
  3. Identifiers: Make identifiers unique across sources
  4. URLs: Verify source URLs are accessible from clients
Test JSON syntax:
'{"Name":"Test","Arg":"https://test.com","Type":"Microsoft.PreIndexed.Package","Identifier":"Test_ID"}' | ConvertFrom-Json
If corporate proxy causes certificate errors:
  1. Enable Bypass Certificate Pinning policy
  2. Ensure proxy certificates are trusted system-wide
  3. Test source connectivity from client
  4. Review proxy logs for SSL interception issues

Best Practices

Start Restrictive

Begin with locked-down policies and relax as needed based on organizational requirements.

Test Before Deployment

Always test policies on a small group before organization-wide rollout.

Document Configuration

Maintain documentation of policy decisions and source configurations.

Monitor Compliance

Regularly review policy application with gpresult and registry checks.

Version Control Sources

Keep source JSON configurations in version control for audit trail.

Separate by OU

Apply different policy sets to different organizational units (developers, standard users, servers).

Policy Reference Table

Policy NameTypeDefaultRegistry Value
Enable Windows Package ManagerToggleEnabledEnableAppInstaller
Enable SettingsToggleEnabledEnableSettings
Enable Experimental FeaturesToggleEnabledEnableExperimentalFeatures
Enable Local Manifest FilesToggleEnabledEnableLocalManifestFiles
Enable Hash OverrideToggleEnabledEnableHashOverride
Enable Default SourceToggleRemovableEnableDefaultSource
Enable Microsoft Store SourceToggleRemovableEnableMicrosoftStoreSource
Enable Command Line InterfacesToggleEnabledEnableWindowsPackageManagerCommandLineInterfaces
Enable ConfigurationToggleEnabledEnableWindowsPackageManagerConfiguration
Source Auto Update IntervalValue15 minSourceAutoUpdateInterval
Default ProxyValueNoneDefaultProxy
Enable Additional SourcesListNoneAdditionalSources (subkey)
Enable Allowed SourcesListAllAllowedSources (subkey)

Private Sources

Set up enterprise package repositories

Configuration Files

Understand user settings and policy interaction

Package Management

Learn package workflows affected by policies

Build docs developers (and LLMs) love

Get started for freeTalk to us