PowerToys/doc/devdocs/processes/gpo.md

# PowerToys GPO (Group Policy Objects) Implementation

Group Policy Objects (GPOs) allow system administrators to control PowerToys settings across an organization. This document describes how GPOs are implemented in PowerToys.

## GPO Overview

GPO policies allow system administrators to control PowerToys settings. PowerToys ships GPO files as part of the release zip, not installed directly.

## GPO File Structure

### ADMX File
- Contains policy definitions
- Defines which versions support each policy
- Sets up folder structure
- Defines each policy with:
  - Name
  - Class (user scope or machine scope)
  - Description
  - Registry location where policy is stored
  - Enabled/disabled values

### ADML File
- Contains localized strings for the ADMX file
- Contains revision number that must be updated when changes are made
- Stores strings for:
  - Folder names
  - Version definitions
  - Policy descriptions and titles
- Currently only ships English US version (no localization story yet)

## Installation Process

- Files need to be placed in: `C:\Windows\PolicyDefinitions\`
- ADMX file goes in the root folder
- ADML file goes in the language subfolder (e.g., en-US)
- After installation, policies appear in the Group Policy Editor (gpedit.msc)

## Registry Implementation

- Policies are stored as registry values
- Location: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PowerToys` or `HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PowerToys`
- Machine scope takes precedence over user scope
- Policy states:
  - Enabled: Registry value set to 1
  - Disabled: Registry value set to 0
  - Not Configured: Registry value does not exist

## Code Integration

### Common Files
- Policy keys defined in `common\utils\GPO.h`
- Contains functions to read registry values and get configured values
- WinRT C++ adapter created for C# applications to access GPO settings

### WPF Applications
- WPF applications cannot directly load WinRT C++ projects
- Additional library created to allow WPF applications to access GPO values

### Module Interface
- Each module must implement policy checking in its interface
- Runner checks this to determine if module should be started or not

## UI Implementation

- When a policy disables a utility:
  - UI is locked (cannot be enabled)
  - Settings page shows a lock icon
  - Dashboard hides the module button
  - If user tries to start the executable directly, it exits and logs a message

## Types of GPO Policies

### Basic Module Enable/Disable Policy
- Most common type
- Controls whether a module can be enabled or disabled
- Shared description text for these policies

### Configuration Policies
- Example: Run at startup setting
- Controls specific settings rather than enabling/disabling modules
- Custom description text explaining what happens when enabled/disabled/not configured

### Machine-Scope Only Policies
- Example: Mouse Without Borders service mode
- Only makes sense at machine level (not user level)
- Restricts functionality that requires elevated permissions

## Steps to Add a New Policy

1. Update ADMX file:
   - Increase revision number
   - Add supported version definition
   - Define the policy with registry location

2. Update ADML file:
   - Increase revision number
   - Add strings for version, title, description

3. Update code:
   - Add to GPO.h
   - Add to GPO wrapper for C# access
   - Update module interface
   - Modify settings UI to show lock when policy applied
   - Add checks in executable to prevent direct launching
   - Update dashboard helper to respect policy

4. Add to bug report tool to capture policy state

## Update-Related GPO Settings

- `disable automatic update download` - Prevents automatic downloading
- `disable new update toast` - Controls if toast notifications are shown
- `suspend new update toast` - Suspends toast notifications for 2 minor releases

## Testing GPO Settings

To test GPO settings locally:

1. Run `regedit` as administrator
2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PowerToys`
3. Create a new DWORD value with the name of the policy
4. Set the value to 0 (disabled) or 1 (enabled)
5. Restart PowerToys to see the effect

For user-scope policies, use `HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PowerToys` instead.
[DevDocs] More content and restructure (#40165) ## Summary of the Pull Request Accumulated information from internal transition about the modules development, and reworked it to be added in dev docs. Also the dev docs intself was restructured to be more organized. New pages was verified by transition team. ## PR Checklist - [x] Dev docs: Added/updated --------- Co-authored-by: Zhaopeng Wang (from Dev Box) <zhaopengwang@microsoft.com> Co-authored-by: Hao Liu <liuhao3418@gmail.com> Co-authored-by: Peiyao Zhao <105847726+zhaopy536@users.noreply.github.com> Co-authored-by: Mengyuan <162882040+chenmy77@users.noreply.github.com> Co-authored-by: zhaopeng wang <33367956+wang563681252@users.noreply.github.com> Co-authored-by: Jaylyn Barbee <51131738+Jaylyn-Barbee@users.noreply.github.com> 2025-07-01 14:27:34 +02:00			`# PowerToys GPO (Group Policy Objects) Implementation`

			`Group Policy Objects (GPOs) allow system administrators to control PowerToys settings across an organization. This document describes how GPOs are implemented in PowerToys.`

			`## GPO Overview`

			`GPO policies allow system administrators to control PowerToys settings. PowerToys ships GPO files as part of the release zip, not installed directly.`

			`## GPO File Structure`

			`### ADMX File`
			`- Contains policy definitions`
			`- Defines which versions support each policy`
			`- Sets up folder structure`
			`- Defines each policy with:`
			`- Name`
			`- Class (user scope or machine scope)`
			`- Description`
			`- Registry location where policy is stored`
			`- Enabled/disabled values`

			`### ADML File`
			`- Contains localized strings for the ADMX file`
			`- Contains revision number that must be updated when changes are made`
			`- Stores strings for:`
			`- Folder names`
			`- Version definitions`
			`- Policy descriptions and titles`
			`- Currently only ships English US version (no localization story yet)`

			`## Installation Process`

			- Files need to be placed in: `C:\Windows\PolicyDefinitions\`
			`- ADMX file goes in the root folder`
			`- ADML file goes in the language subfolder (e.g., en-US)`
			`- After installation, policies appear in the Group Policy Editor (gpedit.msc)`

			`## Registry Implementation`

			`- Policies are stored as registry values`
			- Location: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PowerToys` or `HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PowerToys`
			`- Machine scope takes precedence over user scope`
			`- Policy states:`
			`- Enabled: Registry value set to 1`
			`- Disabled: Registry value set to 0`
			`- Not Configured: Registry value does not exist`

			`## Code Integration`

			`### Common Files`
			- Policy keys defined in `common\utils\GPO.h`
			`- Contains functions to read registry values and get configured values`
			`- WinRT C++ adapter created for C# applications to access GPO settings`

			`### WPF Applications`
			`- WPF applications cannot directly load WinRT C++ projects`
			`- Additional library created to allow WPF applications to access GPO values`

			`### Module Interface`
			`- Each module must implement policy checking in its interface`
			`- Runner checks this to determine if module should be started or not`

			`## UI Implementation`

			`- When a policy disables a utility:`
			`- UI is locked (cannot be enabled)`
			`- Settings page shows a lock icon`
			`- Dashboard hides the module button`
			`- If user tries to start the executable directly, it exits and logs a message`

			`## Types of GPO Policies`

			`### Basic Module Enable/Disable Policy`
			`- Most common type`
			`- Controls whether a module can be enabled or disabled`
			`- Shared description text for these policies`

			`### Configuration Policies`
			`- Example: Run at startup setting`
			`- Controls specific settings rather than enabling/disabling modules`
			`- Custom description text explaining what happens when enabled/disabled/not configured`

			`### Machine-Scope Only Policies`
			`- Example: Mouse Without Borders service mode`
			`- Only makes sense at machine level (not user level)`
			`- Restricts functionality that requires elevated permissions`

			`## Steps to Add a New Policy`

			`1. Update ADMX file:`
			`- Increase revision number`
			`- Add supported version definition`
			`- Define the policy with registry location`

			`2. Update ADML file:`
			`- Increase revision number`
			`- Add strings for version, title, description`

			`3. Update code:`
			`- Add to GPO.h`
			`- Add to GPO wrapper for C# access`
			`- Update module interface`
			`- Modify settings UI to show lock when policy applied`
			`- Add checks in executable to prevent direct launching`
			`- Update dashboard helper to respect policy`

			`4. Add to bug report tool to capture policy state`

			`## Update-Related GPO Settings`

			- `disable automatic update download` - Prevents automatic downloading
			- `disable new update toast` - Controls if toast notifications are shown
			- `suspend new update toast` - Suspends toast notifications for 2 minor releases

			`## Testing GPO Settings`

			`To test GPO settings locally:`

			1. Run `regedit` as administrator
			2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PowerToys`
			`3. Create a new DWORD value with the name of the policy`
			`4. Set the value to 0 (disabled) or 1 (enabled)`
			`5. Restart PowerToys to see the effect`

			For user-scope policies, use `HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PowerToys` instead.