Application whitelisting #3121
Unanswered
KrisTiteca
asked this question in
Ideas
Replies: 2 comments
-
Hi there,
-
The https://github.com/microsoft/winget-cli-restsource is a reference implementation for a private REST source for WinGet. Group Policy can be configured to manage which sources are configured or allowed by WinGet users in the enterprise. We've also recently added policies so the COM API used by Intune can be enabled and the user level access to run WinGet can be disabled.
-
We already mentioned this through the customer connection program but for companies who take security seriously, we really need an application whitelisting mechanism to restrict what a user can install using winget.
I have tried numerous times to explain that for us it's not because an app was validated by Microsoft that we want it on our computers. There can still be security concerns, GDPR or legal issues, not to mention the attack surface.
First steps have been made or they are being developed where you would have a GPO that can prevent access to winget CLI or powershell.
But for us that doesn't mean that there won't be a way to install apps, it would still be possible to use for example COM to be able to install apps.
Therefore, in my opinion, it would be much better to have a separate GPO where you can whitelist the app IDs you want to allow to be installed. This would be much better in my opinion.
Maybe there could also be a less maintenance intensive option, where you have a GPO that only allows the apps deployed through Intune to be installed.
Thanks,
Kris Titeca