Admin setting and group policy for configuration processor path argument

doc/admx/DesktopAppInstaller.admx

@@ -196,6 +196,16 @@
         <decimal value="0" />
       </disabledValue>
     </policy>
+    <policy name="EnableWindowsPackageManagerConfigurationProcessorPath" class="Machine" displayName="$(string.EnableWindowsPackageManagerConfigurationProcessorPath)" explainText="$(string.EnableWindowsPackageManagerConfigurationProcessorPathExplanation)" key="Software\Policies\Microsoft\Windows\AppInstaller" valueName="EnableWindowsPackageManagerConfigurationProcessorPath">
+      <parentCategory ref="AppInstaller" />
+      <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
     <policy name="WindowsPackageManagerDefaultProxy" class="Machine" displayName="$(string.WindowsPackageManagerDefaultProxy)" explainText="$(string.WindowsPackageManagerDefaultProxyExplanation)" presentation="$(presentation.WindowsPackageManagerDefaultProxy)" key="Software\Policies\Microsoft\Windows\AppInstaller">
       <parentCategory ref="AppInstaller" />
       <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS5" />

doc/admx/en-US/DesktopAppInstaller.adml

@@ -133,6 +133,15 @@ If you disable this setting, users will not be able to use the Windows Package M
         If you enable or do not configure this setting, users will be able to use the Windows Package Manager's MCP server.
 
         If you disable this setting, users will not be able to to use the Windows Package Manager's MCP server.</string>
+      <string id="EnableWindowsPackageManagerConfigurationProcessorPath">Enable Windows Package Manager Configuration Processor Path</string>
+      <string id="EnableWindowsPackageManagerConfigurationProcessorPathExplanation">
+        This policy controls whether users can specify a custom DSC processor path via the --processor-path argument in Windows Package Manager configuration commands.
+
+        If you enable this setting, users will be able to specify a custom DSC processor path in configuration commands.
+
+        If you do not configure this setting, users will be able to specify a custom DSC processor path in configuration commands after enabling the related administrator setting.
+
+        If you disable this setting, users will not be able to specify a custom DSC processor path in configuration commands.</string>
       <string id="WindowsPackageManagerDefaultProxy">Set Windows Package Manager Default Proxy</string>
       <string id="WindowsPackageManagerDefaultProxyExplanation">This policy controls the default proxy used by the Windows Package Manager.
 

schemas/JSON/settings/settings.export.schema.0.1.json

@@ -32,6 +32,11 @@
           "type": "boolean",
           "default": false
         },
+        "ConfigurationProcessorPath": {
+          "description": "Enable specifying a custom DSC processor path in configuration commands.",
+          "type": "boolean",
+          "default": false
+        },
         "DefaultProxy": {
           "description": "Default proxy.",
           "type": "string"

src/AppInstallerCLICore/Argument.cpp

@@ -490,6 +490,8 @@ namespace AppInstaller::CLI
             return Argument{ type, Resource::String::ProxyArgumentDescription, ArgumentType::Standard, TogglePolicy::Policy::ProxyCommandLineOptions, BoolAdminSetting::ProxyCommandLineOptions };
         case Args::Type::NoProxy:
             return Argument{ type, Resource::String::NoProxyArgumentDescription, ArgumentType::Flag, TogglePolicy::Policy::ProxyCommandLineOptions, BoolAdminSetting::ProxyCommandLineOptions };
+        case Args::Type::ConfigurationProcessorPath:
+            return Argument{ type, Resource::String::ConfigurationProcessorPath, ArgumentType::Standard, Argument::Visibility::Help, TogglePolicy::Policy::ConfigurationProcessorPath, BoolAdminSetting::ConfigurationProcessorPath };
         case Args::Type::Family:
             return Argument{ type, Resource::String::FontFamilyNameArgumentDescription, ArgumentType::Positional, false };
         case Args::Type::Details:

src/AppInstallerCLICore/Commands/ConfigureCommand.cpp

@@ -37,7 +37,7 @@ namespace AppInstaller::CLI
         return {
             Argument{ Execution::Args::Type::ConfigurationFile, Resource::String::ConfigurationFileArgumentDescription, ArgumentType::Positional },
             Argument{ Execution::Args::Type::ConfigurationModulePath, Resource::String::ConfigurationModulePath, ArgumentType::Positional },
-            Argument{ Execution::Args::Type::ConfigurationProcessorPath, Resource::String::ConfigurationProcessorPath, ArgumentType::Standard, Argument::Visibility::Help },
+            Argument::ForType(Execution::Args::Type::ConfigurationProcessorPath),
             Argument{ Execution::Args::Type::ConfigurationHistoryItem, Resource::String::ConfigurationHistoryItemArgumentDescription, ArgumentType::Standard, Argument::Visibility::Help },
             Argument{ Execution::Args::Type::ConfigurationAcceptWarning, Resource::String::ConfigurationAcceptWarningArgumentDescription, ArgumentType::Flag },
             Argument{ Execution::Args::Type::ConfigurationSuppressPrologue, Resource::String::ConfigurationSuppressPrologueArgumentDescription, ArgumentType::Flag, Argument::Visibility::Help },

src/AppInstallerCLICore/Commands/ConfigureShowCommand.cpp

@@ -16,7 +16,7 @@ namespace AppInstaller::CLI
             // Required for now, make exclusive when history implemented
             Argument{ Execution::Args::Type::ConfigurationFile, Resource::String::ConfigurationFileArgumentDescription, ArgumentType::Positional },
             Argument{ Execution::Args::Type::ConfigurationModulePath, Resource::String::ConfigurationModulePath, ArgumentType::Positional },
-            Argument{ Execution::Args::Type::ConfigurationProcessorPath, Resource::String::ConfigurationProcessorPath, ArgumentType::Standard, Argument::Visibility::Help },
+            Argument::ForType(Execution::Args::Type::ConfigurationProcessorPath),
             Argument{ Execution::Args::Type::ConfigurationHistoryItem, Resource::String::ConfigurationHistoryItemArgumentDescription, ArgumentType::Standard, Argument::Visibility::Help },
         };
     }

src/AppInstallerCLICore/Commands/ConfigureTestCommand.cpp

@@ -15,7 +15,7 @@ namespace AppInstaller::CLI
         return {
             Argument{ Execution::Args::Type::ConfigurationFile, Resource::String::ConfigurationFileArgumentDescription, ArgumentType::Positional },
             Argument{ Execution::Args::Type::ConfigurationModulePath, Resource::String::ConfigurationModulePath, ArgumentType::Positional },
-            Argument{ Execution::Args::Type::ConfigurationProcessorPath, Resource::String::ConfigurationProcessorPath, ArgumentType::Standard, Argument::Visibility::Help },
+            Argument::ForType(Execution::Args::Type::ConfigurationProcessorPath),
             Argument{ Execution::Args::Type::ConfigurationHistoryItem, Resource::String::ConfigurationHistoryItemArgumentDescription, ArgumentType::Standard, Argument::Visibility::Help },
             Argument{ Execution::Args::Type::ConfigurationSuppressPrologue, Resource::String::ConfigurationSuppressPrologueArgumentDescription, ArgumentType::Flag, Argument::Visibility::Help },
             Argument{ Execution::Args::Type::ConfigurationAcceptWarning, Resource::String::ConfigurationAcceptWarningArgumentDescription, ArgumentType::Flag },

src/AppInstallerCLICore/Commands/ConfigureValidateCommand.cpp

@@ -15,7 +15,7 @@ namespace AppInstaller::CLI
         return {
             Argument{ Execution::Args::Type::ConfigurationFile, Resource::String::ConfigurationFileArgumentDescription, ArgumentType::Positional, true },
             Argument{ Execution::Args::Type::ConfigurationModulePath, Resource::String::ConfigurationModulePath, ArgumentType::Positional },
-            Argument{ Execution::Args::Type::ConfigurationProcessorPath, Resource::String::ConfigurationProcessorPath, ArgumentType::Standard, Argument::Visibility::Help },
+            Argument::ForType(Execution::Args::Type::ConfigurationProcessorPath),
         };
     }
 

src/AppInstallerCLICore/ConfigureExportCommand.cpp

@@ -18,7 +18,7 @@ namespace AppInstaller::CLI
             Argument{ Execution::Args::Type::ConfigurationExportModule, Resource::String::ConfigureExportModule },
             Argument{ Execution::Args::Type::ConfigurationExportResource, Resource::String::ConfigureExportResource },
             Argument{ Execution::Args::Type::ConfigurationModulePath, Resource::String::ConfigurationModulePath },
-            Argument{ Execution::Args::Type::ConfigurationProcessorPath, Resource::String::ConfigurationProcessorPath, ArgumentType::Standard, Argument::Visibility::Help },
+            Argument::ForType(Execution::Args::Type::ConfigurationProcessorPath),
             Argument{ Execution::Args::Type::Source, Resource::String::ExportSourceArgumentDescription, ArgumentType::Standard },
             Argument{ Execution::Args::Type::IncludeVersions, Resource::String::ExportIncludeVersionsArgumentDescription, ArgumentType::Flag },
             Argument{ Execution::Args::Type::ConfigurationExportAll, Resource::String::ConfigureExportAll, ArgumentType::Flag },

src/AppInstallerCLIE2ETests/GroupPolicy.cs

@@ -278,5 +278,32 @@ public void EnableConfiguration()
             result = TestCommon.RunAICLICommand("configure show", TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml"));
             Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
         }
+
+        /// <summary>
+        /// Test that using a custom configuration processor path is disabled by policy.
+        /// </summary>
+        [Test]
+        public void EnableConfigurationProcessorPath()
+        {
+            GroupPolicyHelper.EnableConfigurationProcessorPath.Disable();
+
+            // --processor-path is rejected by policy at argument validation time across all configure subcommands.
+            var result = TestCommon.RunAICLICommand("configure", $"--processor-path C:\\dsc.exe {TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml")}");
+            Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+
+            result = TestCommon.RunAICLICommand("configure show", $"--processor-path C:\\dsc.exe {TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml")}");
+            Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+
+            result = TestCommon.RunAICLICommand("configure test", $"--processor-path C:\\dsc.exe {TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml")}");
+            Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+
+            result = TestCommon.RunAICLICommand("configure validate", $"--processor-path C:\\dsc.exe {TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml")}");
+            Assert.AreEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+
+            // When not configured, the argument is allowed by policy (admin setting governs).
+            GroupPolicyHelper.EnableConfigurationProcessorPath.SetNotConfigured();
+            result = TestCommon.RunAICLICommand("configure show", $"--processor-path C:\\dsc.exe {TestCommon.GetTestDataFile("Configuration\\ShowDetails_TestRepo.yml")}");
+            Assert.AreNotEqual(Constants.ErrorCode.ERROR_BLOCKED_BY_POLICY, result.ExitCode);
+        }
     }
 }

src/AppInstallerCLIE2ETests/GroupPolicyHelper.cs

@@ -128,6 +128,11 @@ private GroupPolicyHelper(string name, string elementId)
         /// </summary>
         public static GroupPolicyHelper EnableProxyCommandLineOptions { get; private set; } = new GroupPolicyHelper("EnableWindowsPackageManagerProxyCommandLineOptions");
 
+        /// <summary>
+        /// Gets the Enable Windows Package Manager Configuration processor path policy.
+        /// </summary>
+        public static GroupPolicyHelper EnableConfigurationProcessorPath { get; private set; } = new GroupPolicyHelper("EnableWindowsPackageManagerConfigurationProcessorPath");
+
         /// <summary>
         /// Gets the Enable auto update interval policy.
         /// </summary>
@@ -150,6 +155,7 @@ private GroupPolicyHelper(string name, string elementId)
             EnableWinGetCommandLineInterfaces,
             EnableConfiguration,
             EnableProxyCommandLineOptions,
+            EnableConfigurationProcessorPath,
         };
 
         /// <summary>

src/AppInstallerCLIPackage/Shared/Strings/en-us/winget.resw

@@ -2879,6 +2879,10 @@ Please specify one of them using the --source option to proceed.</value>
     <value>Enable Windows Package Manager proxy command line options</value>
     <comment>Describes a Group Policy that can enable the use of the --proxy option to set a proxy</comment>
   </data>
+  <data name="PolicyEnableConfigurationProcessorPath" xml:space="preserve">
+    <value>Enable Windows Package Manager Configuration processor path</value>
+    <comment>Describes a Group Policy that can enable the use of the --processor-path option in configuration commands</comment>
+  </data>
   <data name="ProxyArgumentDescription" xml:space="preserve">
     <value>Set a proxy to use for this execution</value>
   </data>

src/AppInstallerCLITests/AdminSettings.cpp

@@ -85,8 +85,49 @@ TEST_CASE("AdminSetting_AllSettingsAreImplemented", "[adminSettings]")
     }
 }
 
-TEST_CASE("AdminSetting_CorruptedVerificationFile", "[adminSettings]")
+TEST_CASE("AdminSetting_ConfigurationProcessorPath", "[adminSettings]")
 {
+    WHEN("Default state")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::ConfigurationProcessorPath, PolicyState::NotConfigured);
+
+        REQUIRE_FALSE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+    }
+
+    WHEN("Group policy not configured - can enable and disable")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::ConfigurationProcessorPath, PolicyState::NotConfigured);
+
+        REQUIRE(EnableAdminSetting(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE(DisableAdminSetting(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE_FALSE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+    }
+
+    WHEN("Group policy enabled - cannot disable")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::ConfigurationProcessorPath, PolicyState::Enabled);
+
+        REQUIRE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE_FALSE(DisableAdminSetting(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+    }
+
+    WHEN("Group policy disabled - cannot enable")
+    {
+        GroupPolicyTestOverride policies;
+        policies.SetState(TogglePolicy::Policy::ConfigurationProcessorPath, PolicyState::Disabled);
+
+        REQUIRE_FALSE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE_FALSE(EnableAdminSetting(BoolAdminSetting::ConfigurationProcessorPath));
+        REQUIRE_FALSE(IsAdminSettingEnabled(BoolAdminSetting::ConfigurationProcessorPath));
+    }
+}
+
+TEST_CASE("AdminSetting_CorruptedVerificationFile", "[adminSettings]"){
     GroupPolicyTestOverride policies;
     policies.SetState(TogglePolicy::Policy::LocalManifestFiles, PolicyState::NotConfigured);
 

src/AppInstallerCLITests/GroupPolicy.cpp

@@ -404,6 +404,7 @@ TEST_CASE("GroupPolicy_AllEnabled", "[groupPolicy]")
     SetRegistryValue(policiesKey.get(), ConfigurationPolicyValueName, 1);
     SetRegistryValue(policiesKey.get(), ProxyCommandLineOptionsPolicyValueName, 1);
     SetRegistryValue(policiesKey.get(), McpServerValueName, 1);
+    SetRegistryValue(policiesKey.get(), ConfigurationProcessorPathValueName, 1);
 
     GroupPolicy groupPolicy{ policiesKey.get() };
     for (const auto& policy : TogglePolicy::GetAllPolicies())

src/AppInstallerCLITests/TestSettings.h

@@ -26,6 +26,7 @@ namespace TestCommon
     const std::wstring ConfigurationPolicyValueName = L"EnableWindowsPackageManagerConfiguration";
     const std::wstring ProxyCommandLineOptionsPolicyValueName = L"EnableWindowsPackageManagerProxyCommandLineOptions";
     const std::wstring McpServerValueName = L"EnableWindowsPackageManagerMcpServer";
+    const std::wstring ConfigurationProcessorPathValueName = L"EnableWindowsPackageManagerConfigurationProcessorPath";
 
     const std::wstring SourceUpdateIntervalPolicyValueName = L"SourceAutoUpdateInterval";
     const std::wstring SourceUpdateIntervalPolicyOldValueName = L"SourceAutoUpdateIntervalInMinutes";