Last active
March 18, 2025 09:41
Disable WinGet certificate pinning for the MS Store source
```powershell
function Disable-WingetPinning {
<#
.SYNOPSIS
    It disables the Certificate Pinning option in WinGet for the MS Store source.
    This is usually required when there is a firewall on your network that inspects SSL traffic,
    where you might get an error 0x8a15005e back from WinGet, as it cannot access the msstore endpoint URL.
.DESCRIPTION
    If you are behind a firewall that inspects SSL traffic,
    that means it decrypts & re-encrypts traffic on the fly in order to inspect it.
    This kind of certificate tampering might cause issues with some sites.
    Specifically, WinGet's msstore endpoint URL does not tolerate that,
    even though it works fine for the winget source.

    The WinGet CLI has introduced certificate pinning for the Microsoft Store source.
    Link: https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1405435266

    And to change the setting for the certificate pinning on the msstore source
    Link: https://github.com/microsoft/winget-cli/issues/2879#issuecomment-1411114420

    This is the WinGet error code: 0x8a15005e
    And then this issue manifests like so:
    You cannot install or find a winget package from the msstore source.
    For example, you cannot even find the DesiredStateConfiguration package (which exists only in msstore).
.EXAMPLE
    Disable-WingetPinning -Verbose
#>
[OutputType([void],[bool])]  # <-- default is void, and bool with -Quiet
[cmdletbinding()]
param (
    [switch]$Quiet
)

# make sure winget is available
$HasWinget = (Get-Command -Name winget -ErrorAction Ignore) -as [bool]
if (-not $HasWinget) {
    Write-Warning 'Could not find WinGet!'
    if ($Quiet) {return $false}
    else        {return}
}

# get the current setting
$Settings = (winget settings export | ConvertFrom-Json).adminSettings

# enable the bypass only if certificate pinning is still active
if (-not $Settings.BypassCertificatePinningForMicrosoftStore) {

    # to change the winget setting, admin rights are required, so we check if we're running elevated
    $CurrentId = [Security.Principal.WindowsIdentity]::GetCurrent()
    $AdminRole = [Security.Principal.WindowsBuiltinRole]::Administrator
    $IsAdmin   = [Security.Principal.WindowsPrincipal]::new($CurrentId).IsInRole($AdminRole)
    if (-not $IsAdmin) {
        Write-Warning 'Please run this as admin!'
        if ($Quiet) {return $false}
        else        {return}
    }

    # change the setting (enabling the bypass turns pinning off for the msstore source)
    Write-Verbose 'Disable the setting for the Certificate Pinning on the MS Store source'
    $result = winget settings --enable BypassCertificatePinningForMicrosoftStore

    # now check again that the admin setting actually changed
    $Settings = (winget settings export | ConvertFrom-Json).adminSettings
    if (-not $Settings.BypassCertificatePinningForMicrosoftStore) {
        Write-Warning 'The setting was not changed !!'
        Write-Warning "Output from command was:`n$result"
        if ($Quiet) {$out = $false}
        else        {throw [System.InvalidOperationException]::new('The operation failed')}
    }
    else {$out = $true}
}
else {
    Write-Verbose 'The setting for the Certificate Pinning on the MS Store source is already disabled.'
    $out = $true
}

if ($Quiet) {Write-Output $out}
}
```
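
Before turning pinning off, it helps to confirm that TLS inspection is really what breaks the msstore source. The following is an added example, not part of the gist: a hypothetical helper `Get-TlsServerCertificate` that reports which issuer and root sign the certificate a host presents to this machine. It assumes a direct (non-proxied) outbound TCP connection, and the host name is a placeholder to be taken from `winget source list`.

```powershell
function Get-TlsServerCertificate {
    # Added example, hypothetical helper (not part of the gist).
    # Reports the certificate a host presents to THIS machine and the root it chains to.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $tcp = [Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        # Assumption: direct outbound TCP is allowed (no explicit proxy in between)
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: we only read the certificate, no data is sent
        $ssl = [Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Build the chain from the local certificate stores to find the trusted root
        $chain = [Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            HostName       = $HostName
            Subject        = $leaf.Subject
            Issuer         = $leaf.Issuer
            Thumbprint     = $leaf.Thumbprint
            RootSubject    = $root.Subject
            RootThumbprint = $root.Thumbprint
            ChainTrusted   = $trusted
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage: take the msstore URL from 'winget source list' and pass its host name.
# '<msstore-endpoint-host>' is a placeholder, the gist does not give the URL.
# Get-TlsServerCertificate -HostName '<msstore-endpoint-host>' | Format-List
# An Issuer/RootSubject naming your organisation's firewall CA (and differing from the
# result on an uninspected network) confirms that TLS inspection is in the path.
```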