microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License

AgentExecutor.exe Crashes #2742

Open rudyooms84 opened 1 year ago

rudyooms84 commented 1 year ago

Brief description of your issue

The Intune AgentExecutor.exe crashes when a specific Winget policy has been set: EnableMicrosoftStoreSource DWORD 0

When removing that policy, the Store apps configured from Intune are deployed to the device. When looking at a procmon trace, I also notice that the AgentExecutor looks at those policies.

Steps to reproduce

Configuring the Intune Policy (CSP) ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableMicrosoftStoreSource to disabled and reinstalling a Windows 11 device

Please note: on an already enrolled device, I am noticing no issues

Expected behavior

I was hoping that with this policy the winget sources would get disabled... but still have the possibility to use the Intune AgentExecutor to install Store apps (as it uses its own winget DLL)

Actual behavior

AgentExecutor crashes and published Store apps aren't installed. When removing those registry keys that are placed by the CSP and running a gpupdate, the Store apps begin installing directly.

Environment

Windows 11
Winget v1.3

Jwcarter99 commented 8 months ago

I am looking to get an update on this issue. I am still seeing this issue in WPM 1.6.2721. Is there an ETA of a solution here? As the original commenter mentioned, I see that if the GPO to block the Store as a source, "Enable App Installer Microsoft Store Source", is set to Disabled, then Intune required packages such as Company Portal are not installed and are stuck on "Waiting for install status". We have also noticed that Windows user profile removal is not clean because the following files cannot be removed, as they do not have correct permissions in this state (%LocalAppData%\Microsoft\WinGet\Settings\defaultState\sources_metadata).

Ultimately, our goal is to block WinGet command line to prevent standard users from installing directly from the Microsoft Store without needing to block the source. Is there a new ADMX in the works to accommodate this behavior?

ugurkocde commented 7 months ago

Maybe you will have more success setting ./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerCommandLineInterfaces to disable the CLI for the user -> Result: The user cannot run winget in PowerShell.

Description of the setting:

It will disable the winget command for users but not disable the AppInstaller on the device so that App deployments with Intune still work.

Here is the ADMX with the setting EnableWindowsPackageManagerCommandLineInterfaces: https://github.com/microsoft/winget-cli/blob/master/doc/admx/DesktopAppInstaller.admx

Michael-ol commented 7 months ago

Is it not a preview setting? https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-desktopappinstaller#enablewindowspackagemanagercommandlineinterfaces

And it seems that these settings are only for Windows 11 now, not Windows 10 anymore. But maybe I'm wrong.

ugurkocde commented 7 months ago

It is in preview and only available for Insider builds, but this does not mean that you cannot set the registry key on a device that has no Windows Insider Build installed. I have successfully tested it on multiple VMs. The reg key is: EnableWindowsPackageManagerCommandLineInterfaces, DWORD, and the value is 0. Can you try it?

Michael-ol commented 7 months ago

In Intune I have an error. I tried to add the setting manually on Windows 10 and it's working. Winget is blocked but app installs by Intune are not. Thanks a lot.

All that remains is to block the installation of applications that do not require administrator rights. ;-)

ugurkocde commented 7 months ago

Great to hear :)

It's currently still in Preview and will possibly work better with Intune as soon as it is out of Preview.

If you want to have better control of app installations, maybe look into AppLocker.

Jwcarter99 commented 6 months ago

This was working great, but now I seem to be running up against this when trying to install an app from the Company Portal: APPINSTALLER_CLI_ERROR_BLOCKED_BY_POLICY - 0x8A15003A

If I remove the policy that was set to "Disabled" - "Enable Windows Package Manager command line interfaces" I am able to install apps from the Company Portal as normal.

Windows Package Manager v1.6.3421

Oneill701 commented 6 months ago

Unfortunately, I have noticed the same problem since yesterday. Thank you for your comment, Jwcarter99. It helped me. I had problems installing via the portal, and after removing the registry key and rebooting it works again. Bad news.