18.10.17.1 (L1) Ensure 'Enable App Installer' is set to 'Disabled'

Information

This policy setting controls whether user have access to the Windows Package Manager. Windows Package Manager is a package manager solution that consists of a command line tool and set of services for installing applications on Microsoft Windows Server 2019 (or newer).

The recommended state for this setting is: Disabled

Windows Package Manager is a command line tool can be used to discover, install, upgrade, remove and configure applications, and it can be used as a distribution channel for software packages containing tools and applications. Users should not have access to these types of development tools.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Desktop App Installer\Enable App Installer

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).

Impact:

Users will not have access to the command line tool, winget to discover, install, upgrade, remove, configure, or distribute applications.

See Also

https://workbench.cisecurity.org/benchmarks/17971