[GPO] Add GPO to disable per-user install (#25141)

* Add per user installer * Separate upgrade codes for per machine and per user installation Move per machine check to bootstrapper Move all defines to common.wxs Fix CI * Update installer/PowerToysSetup/generateFileList.ps1 Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> * Update installer/PowerToysSetup/generateAllFileComponents.ps1 Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> * Update installer/PowerToysSetup/generateFileList.ps1 Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> * expect.txt * Revert "Update installer/PowerToysSetup/generateFileList.ps1" This reverts commit 34545dab9c. * Update release CI to build both installers * Revert bundle name change It messes up app ID for per-user installation which ends up breaking winget update of the per-user PT * spellcheck * Fix bad merge * Add RegistryPreview * Include backup_restore_settings.json * Revert testing endpoint change * Add per-machine/per-user installation GPOs * Update doc/gpo/README.md * Update doc/gpo/README.md * spellcheck * Remove disable per-machine policy * Update doc/gpo/README.md Co-authored-by: Heiko <61519853+htcfreek@users.noreply.github.com> --------- Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> Co-authored-by: Heiko <61519853+htcfreek@users.noreply.github.com>
2025-12-15 03:07:56 +01:00 · 2023-03-31 14:31:45 +02:00
parent 870f8e3571
commit 195f288492
8 changed files with 79 additions and 14 deletions
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -283,7 +283,6 @@ CLIPCHILDREN
 CLIPSIBLINGS
 Cloneable
 clrcall
 clrcompression
 Cls
 CLSCTX
 clsid
@@ -427,7 +426,6 @@ DCOM
 dcommon
 dcomp
 dcompi
 DCompiler
 DComposition
 DCR
 DCs
@@ -581,7 +579,6 @@ EFDD
 EFE
 EFFEFC
 EFile
 egfile
 ekus
 emmintrin
 Emoji
@@ -645,7 +642,6 @@ FAF
 FAFD
 fancymouse
 fancyzone
 fancyzones
 FANCYZONESDRAWLAYOUTTEST
 FANCYZONESEDITOR
 Farbraum
@@ -746,6 +742,7 @@ GNumber
 google
 gpedit
 gpo
 GPOCA
 GPT
 gpu
 graphql
@@ -893,7 +890,6 @@ IMAGERESIZEREXT
 imageresizerinput
 imageresizersettings
 imagingdevices
 Imc
 ime
 imeutil
 inetcpl
@@ -1449,7 +1445,6 @@ pinfo
 pinvoke
 pipename
 PKBDLLHOOKSTRUCT
 Pkcs
 PKEY
 plib
 PLK
@@ -1597,9 +1592,9 @@ REGFILTERPINS
 REGISTERCLASSFAILED
 REGISTRYHEADER
 registrypath
 registryroot
 registrypreview
 REGISTRYPREVIEWEXT
 registryroot
 regkey
 REGPINTYPES
 regroot
@@ -1851,7 +1846,6 @@ stdcpplatest
 STDMETHODCALLTYPE
 STDMETHODIMP
 stefan
 stefansjfw
 Stereolithography
 STGM
 STGMEDIUM
@@ -2211,7 +2205,6 @@ wox
 wparam
 wpf
 wpfdepsjsonpath
 wpfgfx
 wpftmp
 wpr
 wprp
--- a/doc/gpo/README.md
+++ b/doc/gpo/README.md
@@ -44,6 +44,15 @@ If this setting is not configured, experimentation is allowed.
 ### Installer and Updates
 #### Disable per-user installation
 This policy configures whether PowerToys per-user installation is allowed or not.
 If enabled, per-user installation is not allowed.
 If disabled or not configured, per-user installation is allowed.
 You can set this policy only as Computer policy.
 #### Disable automatic downloads
 This policy configures whether automatic downloads of available updates are disabled or not. (On metered connections updates are never downloaded.)
--- a/installer/PowerToysSetup/Product.wxs
+++ b/installer/PowerToysSetup/Product.wxs
@@ -148,6 +148,9 @@
      <Custom Action="RegisterPowerToysSchTask" After="InstallFiles">
        NOT Installed and CREATESCHEDULEDTASK = 1
      </Custom>
      <Custom Action="CheckGPO" After="InstallInitialize">
        NOT Installed
      </Custom>
      <Custom Action="ApplyModulesRegistryChangeSets" After="InstallFiles">
        NOT Installed
      </Custom>
@@ -413,6 +416,13 @@
                DllEntry="UnRegisterContextMenuPackagesCA"
                  />
    <CustomAction Id="CheckGPO"
                  Return="check"
                  Impersonate="yes"
                  BinaryKey="PTCustomActions"
                  DllEntry="CheckGPOCA"
                  />
    <!-- Close 'PowerToys.exe' before uninstall-->
    <Property Id="MSIRESTARTMANAGERCONTROL" Value="DisableShutdown" />
    <Property Id="MSIFASTINSTALL" Value="DisableShutdown" />
--- a/installer/PowerToysSetupCustomActions/CustomAction.cpp
+++ b/installer/PowerToysSetupCustomActions/CustomAction.cpp
@@ -6,6 +6,7 @@
 #include <spdlog/sinks/base_sink.h>
 #include "../../src/common/logger/logger.h"
 #include "../../src/common/utils/gpo.h"
 #include "../../src/common/utils/MsiUtils.h"
 #include "../../src/common/utils/modulesRegistry.h"
 #include "../../src/common/updating/installer.h"
@@ -50,6 +51,33 @@ HRESULT getInstallFolder(MSIHANDLE hInstall, std::wstring& installationDir)
 LExit:
    return hr;
 }
 UINT __stdcall CheckGPOCA(MSIHANDLE hInstall)
 {
    HRESULT hr = S_OK;
    hr = WcaInitialize(hInstall, "CheckGPOCA");
    ExitOnFailure(hr, "Failed to initialize");
    LPWSTR currentScope = nullptr;
    hr = WcaGetProperty(L"InstallScope", &currentScope);
    if(std::wstring{ currentScope } == L"perUser")
    {
        if (powertoys_gpo::getDisablePerUserInstallationValue() == powertoys_gpo::gpo_rule_configured_enabled)
        {
            PMSIHANDLE hRecord = MsiCreateRecord(0);
            MsiRecordSetString(hRecord, 0, TEXT("The system administrator has disabled per-user installation."));
            MsiProcessMessage(hInstall, static_cast<INSTALLMESSAGE>(INSTALLMESSAGE_ERROR + MB_OK), hRecord);
            hr = E_ABORT;
        }
    }
 LExit:
    UINT er = SUCCEEDED(hr) ? ERROR_SUCCESS : ERROR_INSTALL_FAILURE;
    return WcaFinalize(er);
 }
 UINT __stdcall ApplyModulesRegistryChangeSetsCA(MSIHANDLE hInstall)
 {
    HRESULT hr = S_OK;
--- a/installer/PowerToysSetupCustomActions/CustomAction.def
+++ b/installer/PowerToysSetupCustomActions/CustomAction.def
@@ -1,6 +1,7 @@
 LIBRARY "PowerToysSetupCustomActions"
 EXPORTS
 	CheckGPOCA
 	ApplyModulesRegistryChangeSetsCA
 	CreateScheduledTaskCA
 	CreateWinAppSDKHardlinksCA
--- a/src/common/utils/gpo.h
+++ b/src/common/utils/gpo.h
@@ -51,6 +51,7 @@ namespace powertoys_gpo {
    const std::wstring POLICY_CONFIGURE_ENABLED_REGISTRY_PREVIEW = L"ConfigureEnabledUtilityRegistryPreview";
    // The registry value names for PowerToys installer and update policies.
    const std::wstring POLICY_DISABLE_PER_USER_INSTALLATION = L"PerUserInstallationDisabled";
    const std::wstring POLICY_DISABLE_AUTOMATIC_UPDATE_DOWNLOAD = L"AutomaticUpdateDownloadDisabled";
    const std::wstring POLICY_SUSPEND_NEW_UPDATE_TOAST = L"SuspendNewUpdateAvailableToast";
    const std::wstring POLICY_DISABLE_PERIODIC_UPDATE_CHECK = L"PeriodicUpdateCheckDisabled";
@@ -260,6 +261,12 @@ namespace powertoys_gpo {
    {
        return getConfiguredValue(POLICY_CONFIGURE_ENABLED_REGISTRY_PREVIEW);
    }
    inline gpo_rule_configured_t getDisablePerUserInstallationValue()
    {
        return getConfiguredValue(POLICY_DISABLE_PER_USER_INSTALLATION);
    }
    inline gpo_rule_configured_t getDisableAutomaticUpdateDownloadValue()
    {
        return getConfiguredValue(POLICY_DISABLE_AUTOMATIC_UPDATE_DOWNLOAD);
--- a/src/gpo/assets/PowerToys.admx
+++ b/src/gpo/assets/PowerToys.admx
@@ -319,7 +319,17 @@
        <decimal value="0" />
      </disabledValue>
    </policy>
-	<policy name="DisableAutomaticUpdateDownload" class="Both" displayName="$(string.DisableAutomaticUpdateDownload)" explainText="$(string.DisableAutomaticUpdateDownloadDescription)" key="Software\Policies\PowerToys" valueName="AutomaticUpdateDownloadDisabled">
+	  <policy name="DisablePerUserInstallation" class="Machine" displayName="$(string.DisablePerUserInstallation)" explainText="$(string.DisablePerUserInstallationDescription)" key="Software\Policies\PowerToys" valueName="PerUserInstallationDisabled">
      <parentCategory ref="InstallerUpdates" />
      <supportedOn ref="SUPPORTED_POWERTOYS_0_69_0" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
 	  <policy name="DisableAutomaticUpdateDownload" class="Both" displayName="$(string.DisableAutomaticUpdateDownload)" explainText="$(string.DisableAutomaticUpdateDownloadDescription)" key="Software\Policies\PowerToys" valueName="AutomaticUpdateDownloadDisabled">
      <parentCategory ref="InstallerUpdates" />
      <supportedOn ref="SUPPORTED_POWERTOYS_0_68_0" />
      <enabledValue>
@@ -329,7 +339,7 @@
        <decimal value="0" />
      </disabledValue>
    </policy>
-	<policy name="SuspendNewUpdateToast" class="Both" displayName="$(string.SuspendNewUpdateToast)" explainText="$(string.SuspendNewUpdateToastDescription)" key="Software\Policies\PowerToys" valueName="SuspendNewUpdateAvailableToast">
+	  <policy name="SuspendNewUpdateToast" class="Both" displayName="$(string.SuspendNewUpdateToast)" explainText="$(string.SuspendNewUpdateToastDescription)" key="Software\Policies\PowerToys" valueName="SuspendNewUpdateAvailableToast">
      <parentCategory ref="InstallerUpdates" />
      <supportedOn ref="SUPPORTED_POWERTOYS_0_68_0" />
      <enabledValue>
--- a/src/gpo/assets/en-US/PowerToys.adml
+++ b/src/gpo/assets/en-US/PowerToys.adml
@@ -30,6 +30,12 @@ If you enable this setting, the utility will be always enabled and the user won'
 If you disable this setting, the utility will be always disabled and the user won't be able to enable it.
 If you don't configure this setting, users are able to disable or enable the utility.
 </string>
      <string id="DisablePerUserInstallationDescription">This policy configures whether per-user PowerToys installation is allowed or not.
 If enabled, per-user installation is not allowed.
 If disabled or not configured, per-user installation is allowed.
 </string>
      <string id="DisableAutomaticUpdateDownloadDescription">This policy configures whether automatic downloads of available updates are disabled or not. (On metered connections updates are never downloaded.)
@@ -87,9 +93,10 @@ If this setting is disabled, experimentation is not allowed.
      <string id="ConfigureEnabledUtilityShortcutGuide">Shortcut Guide: Configure enabled state</string>
      <string id="ConfigureEnabledUtilityTextExtractor">Text Extractor: Configure enabled state</string>
      <string id="ConfigureEnabledUtilityVideoConferenceMute">Video Conference Mute: Configure enabled state</string>
-	  <string id="DisableAutomaticUpdateDownload">Disable automatic downloads</string>
+      <string id="DisablePerUserInstallation">Disable per-user installation</string>
-	  <string id="SuspendNewUpdateToast">Suspend Action Center notification for new updates</string>
+      <string id="DisableAutomaticUpdateDownload">Disable automatic downloads</string>
-	  <string id="DisablePeriodicUpdateCheck">Disable automatic update checks</string>
+      <string id="SuspendNewUpdateToast">Suspend Action Center notification for new updates</string>
      <string id="DisablePeriodicUpdateCheck">Disable automatic update checks</string>
      <string id="AllowExperimentation">Allow Experimentation</string>
    </stringTable>
  </resources>