Using winget remotely behind a proxy

Recently I started experimenting with Windows 11 images and was surprised to find that Microsoft had added a Linux-style package manager that behaves much like apt, yum and others.

So I tried to use it to manage packages on remote user workstations, and ran into some problems.

Here I will try to recap the steps I took to get it working in an enterprise environment behind a proxy.

Requirements:

  • Make sure you have the latest PowerShell on the admin workstation
  • The user workstation should have the latest Windows 10/11
  • PowerShell Remoting should be set up using GPO or some other method.

So at this point winget is still relatively fresh and undergoing changes, which means this instruction can become invalid at any point.

Let's get started and open a PowerShell Remoting session on the user workstation:

Enter-PSSession -ComputerName workstation.contoso.com

The first problem is that winget is built to operate in an interactive session, so it doesn't use the system proxy that we can set with the netsh winhttp set proxy command, or the other PowerShell-related proxy settings. The only working solution is to set the proxy in the registry, using the script below:

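# Sets the per-user (HKCU) proxy in the Internet Settings registry key.
function Set-Proxy($proxy, $bypassUrls){
    $proxyBytes = [System.Text.Encoding]::ASCII.GetBytes($proxy)
    $bypassBytes = [System.Text.Encoding]::ASCII.GetBytes($bypassUrls)
    # Binary blob: 12 header bytes (70, counter, flags 11), then the proxy string and the
    # bypass list, each preceded by a 4-byte length, then 36 zero bytes of padding.
    $defaultConnectionSettings = [byte[]]@(@(70,0,0,0,0,0,0,0,11,0,0,0,$proxyBytes.Length,0,0,0)+$proxyBytes+@($bypassBytes.Length,0,0,0)+$bypassBytes+ @(1..36 | % {0}))
    $registryPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    # Plain-text values first, then the binary blob under the Connections subkey.
    Set-ItemProperty -Path $registryPath -Name ProxyServer -Value $proxy
    Set-ItemProperty -Path $registryPath -Name ProxyEnable -Value 1
    Set-ItemProperty -Path "$registryPath\Connections" -Name DefaultConnectionSettings -Value $defaultConnectionSettings
}
# Arguments: proxy host:port, then a semicolon-separated bypass list.
Set-Proxy "app-proxy.contoso.com:8080" "192.168.*;*.contoso.com"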

You can paste the full script into the PowerShell window and then edit it to your needs.
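
To confirm what Set-Proxy actually wrote (useful when winget still fails, or when auditing a workstation's per-user proxy), the blob can be decoded again. This is an added example, not part of the original post; ConvertFrom-ConnectionSettings and Get-UserProxy are hypothetical helper names, and the field layout is assumed from the Set-Proxy script above.

```powershell
# Added example. Layout assumed from Set-Proxy: three 4-byte header fields
# (version, counter, flags), then two ASCII strings, each with a 4-byte length.
function ConvertFrom-ConnectionSettings {
    param([Parameter(Mandatory)][byte[]]$Blob)
    if ($Blob.Length -lt 12) { throw "Blob too short: $($Blob.Length) bytes" }
    $result = [ordered]@{
        Version = [BitConverter]::ToUInt32($Blob, 0)
        Counter = [BitConverter]::ToUInt32($Blob, 4)
        Flags   = [BitConverter]::ToUInt32($Blob, 8)
    }
    $offset = 12
    foreach ($field in 'ProxyServer', 'BypassList') {
        # Bounds-check every length so a truncated or corrupt value fails loudly.
        if ($offset + 4 -gt $Blob.Length) { throw "Truncated before $field length" }
        $len = [BitConverter]::ToInt32($Blob, $offset)
        $offset += 4
        if ($len -lt 0 -or $offset + $len -gt $Blob.Length) {
            throw "$field length $len runs past the end of the blob"
        }
        $result[$field] = [Text.Encoding]::ASCII.GetString($Blob, $offset, $len)
        $offset += $len
    }
    [pscustomobject]$result
}

# Reads the live registry values and compares them with the decoded blob.
function Get-UserProxy {
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $path
    $blob = (Get-ItemProperty -Path "$path\Connections").DefaultConnectionSettings
    $decoded = ConvertFrom-ConnectionSettings -Blob $blob
    [pscustomobject]@{
        ProxyEnable = $inet.ProxyEnable
        ProxyServer = $inet.ProxyServer
        BlobProxy   = $decoded.ProxyServer
        BlobBypass  = $decoded.BypassList
        BlobFlags   = $decoded.Flags
        Consistent  = ($inet.ProxyEnable -eq 1) -and ($inet.ProxyServer -eq $decoded.ProxyServer)
    }
}

# Constructed sample blob in the same layout as Set-Proxy, decoded offline.
$p = [Text.Encoding]::ASCII.GetBytes('app-proxy.contoso.com:8080')
$b = [Text.Encoding]::ASCII.GetBytes('192.168.*;*.contoso.com')
$sample = [byte[]](@(70,0,0,0,0,0,0,0,11,0,0,0,$p.Length,0,0,0) + $p + @($b.Length,0,0,0) + $b + @(0) * 36)
ConvertFrom-ConnectionSettings -Blob $sample
```

Run Get-UserProxy inside the remoting session after Set-Proxy; a Consistent value of False means the plain ProxyServer value and the binary blob disagree.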

So now we need to somehow allow the traffic from the user workstation to the winget repo and product repos. I didn't find a way to implement proxy authentication in this scenario, so I just used whitelisting based on the following User-Agent strings:

Microsoft-CryptoAPI/* - this is for repo certificate checking
winget-cli* - this is for software download/repo list
*WindowsPowerShell/* - this is for initial app download

This is tricky security-wise, because the User-Agent header is chosen by the client and any program can send these strings, but for testing you can just whitelist the workstation while you update/install packages.

If the user workstation is running Windows 10, you'll need two additional prerequisites installed before the main packages.

Invoke-WebRequest -Uri https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.7.3/Microsoft.UI.Xaml.2.7.x64.appx -OutFile $env:TEMP\Microsoft.UI.Xaml.2.7.x64.appx
Add-AppxPackage -Path  $env:TEMP\Microsoft.UI.Xaml.2.7.x64.appx
Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile $env:TEMP\Microsoft.VCLibs.x64.14.00.Desktop.appx
Add-AppxPackage -path $env:TEMP\Microsoft.VCLibs.x64.14.00.Desktop.appx

Now we need to download and install winget (Microsoft.AppInstaller) and Windows Package Manager Source (winget) (Microsoft.Winget.Source_8wekyb3d8bbwe):

Invoke-WebRequest -Uri https://github.com/microsoft/winget-cli/releases/latest/download/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle -OutFile $env:TEMP\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
Add-AppxPackage -Path $env:TEMP\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle
Invoke-WebRequest -Uri https://cdn.winget.microsoft.com/cache/source.msix -OutFile $env:TEMP\source.msix
Add-AppxPackage -Path $env:TEMP\source.msix

The second one should be installed automatically, but for some reason it isn't, possibly something related to the non-interactive session again.

Now we can try to call winget (don't forget --accept-source-agreements the first time you run it; the interactive Y/N prompt doesn't work in a remote session):

winget list --accept-source-agreements

After this you should be able to install / update the needed software. If something is not working, it’s most likely proxy related.
