Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
WinGet (Windows Package Manager) is a comprehensive package manager solution that includes:
- WinGet: The command line tool and client interface for the Windows Package Manager. You can view the packages available using the command
winget searchfind more winget commands: Use the WinGet tool to install and manage applications. - Submit packages to Windows Package Manager: The packaging services for hosting and installing applications on Windows devices.
- WinGet Configuration files: Create a set of instructions for Windows Package Manager to consolidate the steps for manually setting up a device and onboarding to a new project to a single command that is reliable and repeatable. WinGet Configuration files utilize PowerShell Desired State Configuration (DSC) in combination with YAML formatted instructions and WinGet packages to handle your machine set up.
Windows Package Manager is a helpful tool for:
- Developers who want to manage their software applications using the command line.
- Independent Software Vendors (ISVs) who want to distribute software.
- Enterprise organizations who want to automate device set up and maintain a secure work environment.
Understanding package managers
A package manager is a system or set of tools used to installupgradeuninstalland optionally configure software. Most package managers are designed for discovering and installing developer tools.
Ideallydevelopers use a package manager to specify the prerequisites for the tools they need to develop solutions for a given project. The package manager then follows the declarative instructions to install and configure the tools. The package manager reduces the time spent getting an environment readyand it helps ensure the same versions of packages are installed on their machine.
Third party package managers may leverage the WinGet Community Repository to increase the size of their software catalog.
WinGet for developers
Developers use WinGet via the winget command line tool to discoverinstallupgraderemove and configure a curated set of applications. After it is installeddevelopers can access winget via the Windows TerminalPowerShellor the Command Prompt.
For more informationsee Use the winget tool to install and manage applications.
For a video demo of wingetsee Intro to Windows Package Manager.
Find the latest WinGet announcements and version updates in the Windows Command Line Blog.
WinGet for ISV software distribution
Independent Software Vendors (ISVs) can use WinGet as a distribution channel for software packages containing their tools and applications. To submit software packages to the WinGet Community Repositorywe provide the open source WinGet Community Repository on GitHub where ISVs can upload package manifests to have their software packages considered for inclusion in the default winget source. Manifests and the packages they reference are automatically validated and may also be reviewed manually.
For more informationsee Submit packages to WinGet Community Repository.
WinGet for Enterprise Security
WinGet can be used via the command line to install and manage applications across multiple machines. Those responsible for setting up enterprise work environmentssuch as IT Administrators or Security Analysts with the goal of maintaining a consistent level of security settings across everyone’s work machine may also be using Microsoft Intune to manage security using “Group Policy” settings.
To maintain ongoing security updatesWinGet is released using the Microsoft Store and installs applications from the Microsoft Store using the “msstore” source and applying “certificate pinning” to ensure that the connection is secure and established with the proper endpoint.
The Group Policy applied by your enterprise organization may be using SSL inspection via a firewall between WinGet and the Microsoft Store source that causes a connection error to appear in the WinGet client.
For this reasonWinget (via Desktop App Installer) supports a policy setting called: “BypassCertificatePinningForMicrosoftStore”. This policy controls whether WinGet will validate the Microsoft Store certificate hash matches to a known Microsoft Store certificate when initiating a connection to the Microsoft Store Source. The options for this policy include:
- Not configured (default): If you do not configure this policythe Windows Package Manager administrator settings will be adhered to. We recommend leaving this policy in the not configured default unless you have a specific need to change it.
- Enable: If you enable this policythe Windows Package Manager will bypass the Microsoft Store certificate validation.
- Disable: If you disable this policythe Windows Package Manager will validate the Microsoft Store certificate used is valid and belongs to the Microsoft Store before communicating with the Microsoft Store source.
“Certificate Pinning” ensures that the package manager connection to the Microsoft Store is securehelping to avoid risks associated with attacks such as Man-in-the-Middle (MITM) attacks involving a third party inserting themselves between a client (user) and server (application) to secretly intercept communication flows to steal sensitive data such as login credentialsetc. Disabling “Certificate Pinning” (enabling the bypass) can expose your organization to risk in this area and should be avoided.
To learn more about setting up Group Policy for your enterprise organizationsee the Microsoft Intune documentation.
Additional Group Policy settings for WinGet
WinGet provides additional configuration options through Group Policyallowing IT administrators to manage and control functionality across multiple devices. These settings are particularly beneficial for enterprise environments where compliance and consistency are critical.
Beginning in Windows 11additional Group Policy templates for WinGet are included with each release. These templates are divided into several subcategoriesenabling IT administrators to configure key aspects of the tool's behaviorsuch as:
- Source Control: Specify which sources are allowed or blocked.
- Local Development: Control whether users are allowed to enable experimental features or local manifest installations.
- Execution Policies: Set policies for the command line interface and proxy options.
To download the Group Policy templates:
- Visit WinGet GitHub releases.
- Locate the release version you wish to use.
- Download the
DesktopAppInstallerPolicies.zipfile included in the release assets.
The ZIP file contains the necessary .admx and .adml files for deploying the policies. Once you've downloaded the DesktopAppInstallerPolicies.zip file:
- Extract the contents of the ZIP file on your local machine.
- Copy the
.admxfile to theC:\Windows\PolicyDefinitionsfolder on the target device. - Copy the corresponding language-specific
.admlfile to the appropriate subdirectorysuch asC:\Windows\PolicyDefinitions\en-US. - Open the Group Policy Management Console (GPMC) to configure the policies.
Note
When working on a Windows Domain Controlleryou can store the Group Policy templates in the Central Store. For detailed instructionssee How to create and manage the Central Store for Group Policy Administrative Templates in Windows.
New Group Policy settings may be introduced with each release of WinGet. To ensure your environment is always up to date:
- Regularly check for updates on the WinGet GitHub repository page.
- Review the release notes for changes or additions to the policy templates.
Collaborate with us on GitHub
The source for this content can be found on GitHubwhere you can also create and review issues and pull requests. For more informationsee our contributor guide.
Windows developer