[GPO] Add GPO to disable per-user install (#25141)

* Add per user installer * Separate upgrade codes for per machine and per user installation Move per machine check to bootstrapper Move all defines to common.wxs Fix CI * Update installer/PowerToysSetup/generateFileList.ps1 Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> * Update installer/PowerToysSetup/generateAllFileComponents.ps1 Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> * Update installer/PowerToysSetup/generateFileList.ps1 Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> * expect.txt * Revert "Update installer/PowerToysSetup/generateFileList.ps1" This reverts commit 34545dab9c. * Update release CI to build both installers * Revert bundle name change It messes up app ID for per-user installation which ends up breaking winget update of the per-user PT * spellcheck * Fix bad merge * Add RegistryPreview * Include backup_restore_settings.json * Revert testing endpoint change * Add per-machine/per-user installation GPOs * Update doc/gpo/README.md * Update doc/gpo/README.md * spellcheck * Remove disable per-machine policy * Update doc/gpo/README.md Co-authored-by: Heiko <61519853+htcfreek@users.noreply.github.com> --------- Co-authored-by: Jeremy Sinclair <4016293+snickler@users.noreply.github.com> Co-authored-by: Heiko <61519853+htcfreek@users.noreply.github.com>
2023-03-31 14:31:45 +02:00 · 2023-03-31 14:31:45 +02:00 · 195f288492
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@ -283,7 +283,6 @@ CLIPCHILDREN
 CLIPSIBLINGS
 Cloneable
 clrcall
-clrcompression
 Cls
 CLSCTX
 clsid
@ -427,7 +426,6 @@ DCOM
 dcommon
 dcomp
 dcompi
-DCompiler
 DComposition
 DCR
 DCs
@ -581,7 +579,6 @@ EFDD
 EFE
 EFFEFC
 EFile
-egfile
 ekus
 emmintrin
 Emoji
@ -645,7 +642,6 @@ FAF
 FAFD
 fancymouse
 fancyzone
-fancyzones
 FANCYZONESDRAWLAYOUTTEST
 FANCYZONESEDITOR
 Farbraum
@ -746,6 +742,7 @@ GNumber
 google
 gpedit
 gpo
+GPOCA
 GPT
 gpu
 graphql
@ -893,7 +890,6 @@ IMAGERESIZEREXT
 imageresizerinput
 imageresizersettings
 imagingdevices
-Imc
 ime
 imeutil
 inetcpl
@ -1449,7 +1445,6 @@ pinfo
 pinvoke
 pipename
 PKBDLLHOOKSTRUCT
-Pkcs
 PKEY
 plib
 PLK
@ -1597,9 +1592,9 @@ REGFILTERPINS
 REGISTERCLASSFAILED
 REGISTRYHEADER
 registrypath
-registryroot
 registrypreview
 REGISTRYPREVIEWEXT
+registryroot
 regkey
 REGPINTYPES
 regroot
@ -1851,7 +1846,6 @@ stdcpplatest
 STDMETHODCALLTYPE
 STDMETHODIMP
 stefan
-stefansjfw
 Stereolithography
 STGM
 STGMEDIUM
@ -2211,7 +2205,6 @@ wox
 wparam
 wpf
 wpfdepsjsonpath
-wpfgfx
 wpftmp
 wpr
 wprp
--- a/doc/gpo/README.md
+++ b/doc/gpo/README.md
@ -44,6 +44,15 @@ If this setting is not configured, experimentation is allowed.

 ### Installer and Updates

+#### Disable per-user installation
+
+This policy configures whether PowerToys per-user installation is allowed or not.
+
+If enabled, per-user installation is not allowed.
+
+If disabled or not configured, per-user installation is allowed.
+
+You can set this policy only as Computer policy.
 #### Disable automatic downloads

 This policy configures whether automatic downloads of available updates are disabled or not. (On metered connections updates are never downloaded.)
--- a/installer/PowerToysSetup/Product.wxs
+++ b/installer/PowerToysSetup/Product.wxs
@ -148,6 +148,9 @@
      <Custom Action="RegisterPowerToysSchTask" After="InstallFiles">
        NOT Installed and CREATESCHEDULEDTASK = 1
      </Custom>
+      <Custom Action="CheckGPO" After="InstallInitialize">
+        NOT Installed
+      </Custom>
      <Custom Action="ApplyModulesRegistryChangeSets" After="InstallFiles">
        NOT Installed
      </Custom>
@ -413,6 +416,13 @@
                DllEntry="UnRegisterContextMenuPackagesCA"
                  />

+    <CustomAction Id="CheckGPO"
+                  Return="check"
+                  Impersonate="yes"
+                  BinaryKey="PTCustomActions"
+                  DllEntry="CheckGPOCA"
+                  />
+
    <!-- Close 'PowerToys.exe' before uninstall-->
    <Property Id="MSIRESTARTMANAGERCONTROL" Value="DisableShutdown" />
    <Property Id="MSIFASTINSTALL" Value="DisableShutdown" />
--- a/installer/PowerToysSetupCustomActions/CustomAction.cpp
+++ b/installer/PowerToysSetupCustomActions/CustomAction.cpp
@ -6,6 +6,7 @@
 #include <spdlog/sinks/base_sink.h>

 #include "../../src/common/logger/logger.h"
+#include "../../src/common/utils/gpo.h"
 #include "../../src/common/utils/MsiUtils.h"
 #include "../../src/common/utils/modulesRegistry.h"
 #include "../../src/common/updating/installer.h"
@ -50,6 +51,33 @@ HRESULT getInstallFolder(MSIHANDLE hInstall, std::wstring& installationDir)
 LExit:
    return hr;
 }
+
+UINT __stdcall CheckGPOCA(MSIHANDLE hInstall)
+{
+    HRESULT hr = S_OK;
+
+    hr = WcaInitialize(hInstall, "CheckGPOCA");
+    ExitOnFailure(hr, "Failed to initialize");
+
+    LPWSTR currentScope = nullptr;
+    hr = WcaGetProperty(L"InstallScope", &currentScope);
+
+    if(std::wstring{ currentScope } == L"perUser")
+    {
+        if (powertoys_gpo::getDisablePerUserInstallationValue() == powertoys_gpo::gpo_rule_configured_enabled)
+        {
+            PMSIHANDLE hRecord = MsiCreateRecord(0);
+            MsiRecordSetString(hRecord, 0, TEXT("The system administrator has disabled per-user installation."));
+            MsiProcessMessage(hInstall, static_cast<INSTALLMESSAGE>(INSTALLMESSAGE_ERROR + MB_OK), hRecord);
+            hr = E_ABORT;
+        }
+    }
+
+LExit:
+    UINT er = SUCCEEDED(hr) ? ERROR_SUCCESS : ERROR_INSTALL_FAILURE;
+    return WcaFinalize(er);
+}
+
 UINT __stdcall ApplyModulesRegistryChangeSetsCA(MSIHANDLE hInstall)
 {
    HRESULT hr = S_OK;
--- a/installer/PowerToysSetupCustomActions/CustomAction.def
+++ b/installer/PowerToysSetupCustomActions/CustomAction.def
@ -1,6 +1,7 @@
 LIBRARY "PowerToysSetupCustomActions"

 EXPORTS
+	CheckGPOCA
 	ApplyModulesRegistryChangeSetsCA
 	CreateScheduledTaskCA
 	CreateWinAppSDKHardlinksCA
--- a/src/common/utils/gpo.h
+++ b/src/common/utils/gpo.h
@ -51,6 +51,7 @@ namespace powertoys_gpo {
    const std::wstring POLICY_CONFIGURE_ENABLED_REGISTRY_PREVIEW = L"ConfigureEnabledUtilityRegistryPreview";

    // The registry value names for PowerToys installer and update policies.
+    const std::wstring POLICY_DISABLE_PER_USER_INSTALLATION = L"PerUserInstallationDisabled";
    const std::wstring POLICY_DISABLE_AUTOMATIC_UPDATE_DOWNLOAD = L"AutomaticUpdateDownloadDisabled";
    const std::wstring POLICY_SUSPEND_NEW_UPDATE_TOAST = L"SuspendNewUpdateAvailableToast";
    const std::wstring POLICY_DISABLE_PERIODIC_UPDATE_CHECK = L"PeriodicUpdateCheckDisabled";
@ -260,6 +261,12 @@ namespace powertoys_gpo {
    {
        return getConfiguredValue(POLICY_CONFIGURE_ENABLED_REGISTRY_PREVIEW);
    }
+
+    inline gpo_rule_configured_t getDisablePerUserInstallationValue()
+    {
+        return getConfiguredValue(POLICY_DISABLE_PER_USER_INSTALLATION);
+    }
+
    inline gpo_rule_configured_t getDisableAutomaticUpdateDownloadValue()
    {
        return getConfiguredValue(POLICY_DISABLE_AUTOMATIC_UPDATE_DOWNLOAD);
--- a/src/gpo/assets/PowerToys.admx
+++ b/src/gpo/assets/PowerToys.admx
@ -319,7 +319,17 @@
        <decimal value="0" />
      </disabledValue>
    </policy>
-	<policy name="DisableAutomaticUpdateDownload" class="Both" displayName="$(string.DisableAutomaticUpdateDownload)" explainText="$(string.DisableAutomaticUpdateDownloadDescription)" key="Software\Policies\PowerToys" valueName="AutomaticUpdateDownloadDisabled">
+	  <policy name="DisablePerUserInstallation" class="Machine" displayName="$(string.DisablePerUserInstallation)" explainText="$(string.DisablePerUserInstallationDescription)" key="Software\Policies\PowerToys" valueName="PerUserInstallationDisabled">
+      <parentCategory ref="InstallerUpdates" />
+      <supportedOn ref="SUPPORTED_POWERTOYS_0_69_0" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
+	  <policy name="DisableAutomaticUpdateDownload" class="Both" displayName="$(string.DisableAutomaticUpdateDownload)" explainText="$(string.DisableAutomaticUpdateDownloadDescription)" key="Software\Policies\PowerToys" valueName="AutomaticUpdateDownloadDisabled">
      <parentCategory ref="InstallerUpdates" />
      <supportedOn ref="SUPPORTED_POWERTOYS_0_68_0" />
      <enabledValue>
@ -329,7 +339,7 @@
        <decimal value="0" />
      </disabledValue>
    </policy>
-	<policy name="SuspendNewUpdateToast" class="Both" displayName="$(string.SuspendNewUpdateToast)" explainText="$(string.SuspendNewUpdateToastDescription)" key="Software\Policies\PowerToys" valueName="SuspendNewUpdateAvailableToast">
+	  <policy name="SuspendNewUpdateToast" class="Both" displayName="$(string.SuspendNewUpdateToast)" explainText="$(string.SuspendNewUpdateToastDescription)" key="Software\Policies\PowerToys" valueName="SuspendNewUpdateAvailableToast">
      <parentCategory ref="InstallerUpdates" />
      <supportedOn ref="SUPPORTED_POWERTOYS_0_68_0" />
      <enabledValue>
--- a/src/gpo/assets/en-US/PowerToys.adml
+++ b/src/gpo/assets/en-US/PowerToys.adml
@ -30,6 +30,12 @@ If you enable this setting, the utility will be always enabled and the user won'
 If you disable this setting, the utility will be always disabled and the user won't be able to enable it.

 If you don't configure this setting, users are able to disable or enable the utility.
+</string>
+      <string id="DisablePerUserInstallationDescription">This policy configures whether per-user PowerToys installation is allowed or not.
+
+If enabled, per-user installation is not allowed.
+
+If disabled or not configured, per-user installation is allowed.
 </string>
      <string id="DisableAutomaticUpdateDownloadDescription">This policy configures whether automatic downloads of available updates are disabled or not. (On metered connections updates are never downloaded.)

@ -87,9 +93,10 @@ If this setting is disabled, experimentation is not allowed.
      <string id="ConfigureEnabledUtilityShortcutGuide">Shortcut Guide: Configure enabled state</string>
      <string id="ConfigureEnabledUtilityTextExtractor">Text Extractor: Configure enabled state</string>
      <string id="ConfigureEnabledUtilityVideoConferenceMute">Video Conference Mute: Configure enabled state</string>
-	  <string id="DisableAutomaticUpdateDownload">Disable automatic downloads</string>
-	  <string id="SuspendNewUpdateToast">Suspend Action Center notification for new updates</string>
-	  <string id="DisablePeriodicUpdateCheck">Disable automatic update checks</string>
+      <string id="DisablePerUserInstallation">Disable per-user installation</string>
+      <string id="DisableAutomaticUpdateDownload">Disable automatic downloads</string>
+      <string id="SuspendNewUpdateToast">Suspend Action Center notification for new updates</string>
+      <string id="DisablePeriodicUpdateCheck">Disable automatic update checks</string>
      <string id="AllowExperimentation">Allow Experimentation</string>
    </stringTable>
  </resources>