[GPO][MWB]Add policy to disable service mode (#37366)

* [MWB]Add policy to disable service mode

* Add restart note

* Tweak settings to disable setting

* Tweak infobars

* Policy should be machine only

Author: jaimecbernardo

src/common/GPOWrapper/GPOWrapper.cpp

@@ -200,6 +200,10 @@ namespace winrt::PowerToys::GPOWrapper::implementation
     {
         return static_cast<GpoRuleConfigured>(powertoys_gpo::getConfiguredMwbDisallowBlockingScreensaverValue());
     }
+    GpoRuleConfigured GPOWrapper::GetConfiguredMwbAllowServiceModeValue()
+    {
+        return static_cast<GpoRuleConfigured>(powertoys_gpo::getConfiguredMwbAllowServiceModeValue());
+    }
     GpoRuleConfigured GPOWrapper::GetConfiguredMwbSameSubnetOnlyValue()
     {
         return static_cast<GpoRuleConfigured>(powertoys_gpo::getConfiguredMwbSameSubnetOnlyValue());

src/common/GPOWrapper/GPOWrapper.h

@@ -56,6 +56,7 @@ namespace winrt::PowerToys::GPOWrapper::implementation
         static GpoRuleConfigured GetConfiguredMwbFileTransferEnabledValue();
         static GpoRuleConfigured GetConfiguredMwbUseOriginalUserInterfaceValue();
         static GpoRuleConfigured GetConfiguredMwbDisallowBlockingScreensaverValue();
+        static GpoRuleConfigured GetConfiguredMwbAllowServiceModeValue();
         static GpoRuleConfigured GetConfiguredMwbSameSubnetOnlyValue();
         static GpoRuleConfigured GetConfiguredMwbValidateRemoteIpValue();
         static GpoRuleConfigured GetConfiguredMwbDisableUserDefinedIpMappingRulesValue();

src/common/GPOWrapper/GPOWrapper.idl

@@ -60,6 +60,7 @@ namespace PowerToys
             static GpoRuleConfigured GetConfiguredMwbFileTransferEnabledValue();
             static GpoRuleConfigured GetConfiguredMwbUseOriginalUserInterfaceValue();
             static GpoRuleConfigured GetConfiguredMwbDisallowBlockingScreensaverValue();
+            static GpoRuleConfigured GetConfiguredMwbAllowServiceModeValue();
             static GpoRuleConfigured GetConfiguredMwbSameSubnetOnlyValue();
             static GpoRuleConfigured GetConfiguredMwbValidateRemoteIpValue();
             static GpoRuleConfigured GetConfiguredMwbDisableUserDefinedIpMappingRulesValue();

src/common/utils/gpo.h

@@ -79,6 +79,7 @@ namespace powertoys_gpo {
     const std::wstring POLICY_MWB_FILE_TRANSFER_ENABLED = L"MwbFileTransferEnabled";
     const std::wstring POLICY_MWB_USE_ORIGINAL_USER_INTERFACE = L"MwbUseOriginalUserInterface";
     const std::wstring POLICY_MWB_DISALLOW_BLOCKING_SCREENSAVER = L"MwbDisallowBlockingScreensaver";
+    const std::wstring POLICY_MWB_ALLOW_SERVICE_MODE = L"MwbAllowServiceMode";
     const std::wstring POLICY_MWB_SAME_SUBNET_ONLY = L"MwbSameSubnetOnly";
     const std::wstring POLICY_MWB_VALIDATE_REMOTE_IP = L"MwbValidateRemoteIp";
     const std::wstring POLICY_MWB_DISABLE_USER_DEFINED_IP_MAPPING_RULES = L"MwbDisableUserDefinedIpMappingRules";
@@ -558,6 +559,11 @@ namespace powertoys_gpo {
         return getConfiguredValue(POLICY_MWB_DISALLOW_BLOCKING_SCREENSAVER);
     }
 
+    inline gpo_rule_configured_t getConfiguredMwbAllowServiceModeValue()
+    {
+        return getConfiguredValue(POLICY_MWB_ALLOW_SERVICE_MODE);
+    }
+
     inline gpo_rule_configured_t getConfiguredMwbSameSubnetOnlyValue()
     {
         return getConfiguredValue(POLICY_MWB_SAME_SUBNET_ONLY);

src/gpo/assets/PowerToys.admx

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Copyright (c) Microsoft Corporation.
      Licensed under the MIT License. -->
-<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.15" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
+<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.16" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
   <policyNamespaces>
     <target prefix="powertoys" namespace="Microsoft.Policies.PowerToys" />
   </policyNamespaces>
-  <resources minRequiredRevision="1.15"/><!-- Last changed with PowerToys v0.88.0 -->
+  <resources minRequiredRevision="1.16"/><!-- Last changed with PowerToys v0.89.0 -->
   <supportedOn>
     <definitions>
       <definition name="SUPPORTED_POWERTOYS_0_64_0" displayName="$(string.SUPPORTED_POWERTOYS_0_64_0)"/>
@@ -24,6 +24,7 @@
       <definition name="SUPPORTED_POWERTOYS_0_85_0" displayName="$(string.SUPPORTED_POWERTOYS_0_85_0)"/>
       <definition name="SUPPORTED_POWERTOYS_0_86_0" displayName="$(string.SUPPORTED_POWERTOYS_0_86_0)"/>
       <definition name="SUPPORTED_POWERTOYS_0_88_0" displayName="$(string.SUPPORTED_POWERTOYS_0_88_0)"/>
+      <definition name="SUPPORTED_POWERTOYS_0_89_0" displayName="$(string.SUPPORTED_POWERTOYS_0_89_0)"/>
       <definition name="SUPPORTED_POWERTOYS_0_64_0_TO_0_87_1" displayName="$(string.SUPPORTED_POWERTOYS_0_64_0_TO_0_87_1)"/>
     </definitions>
   </supportedOn>
@@ -602,6 +603,16 @@
         <decimal value="0" />
       </disabledValue>
     </policy>
+    <policy name="MwbAllowServiceMode" class="Machine" displayName="$(string.MwbAllowServiceMode)" explainText="$(string.MwbAllowServiceModeDescription)" key="Software\Policies\PowerToys" valueName="MwbAllowServiceMode">
+      <parentCategory ref="MouseWithoutBorders" />
+      <supportedOn ref="SUPPORTED_POWERTOYS_0_89_0" />
+      <enabledValue>
+        <decimal value="1" />
+      </enabledValue>
+      <disabledValue>
+        <decimal value="0" />
+      </disabledValue>
+    </policy>
     <policy name="MwbSameSubnetOnly" class="Both" displayName="$(string.MwbSameSubnetOnly)" explainText="$(string.MwbSameSubnetOnlyDescription)" key="Software\Policies\PowerToys" valueName="MwbSameSubnetOnly">
       <parentCategory ref="MouseWithoutBorders" />
       <supportedOn ref="SUPPORTED_POWERTOYS_0_83_0" />

src/gpo/assets/en-US/PowerToys.adml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Copyright (c) Microsoft Corporation.
      Licensed under the MIT License. -->
-<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.15" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
+<policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.16" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
   <displayName>PowerToys</displayName>
   <description>PowerToys</description>
   <resources>
@@ -31,6 +31,7 @@
       <string id="SUPPORTED_POWERTOYS_0_85_0">PowerToys version 0.85.0 or later</string>
       <string id="SUPPORTED_POWERTOYS_0_86_0">PowerToys version 0.86.0 or later</string>
       <string id="SUPPORTED_POWERTOYS_0_88_0">PowerToys version 0.88.0 or later</string>
+      <string id="SUPPORTED_POWERTOYS_0_89_0">PowerToys version 0.89.0 or later</string>
       <string id="SUPPORTED_POWERTOYS_0_64_0_TO_0_87_1">From PowerToys version 0.64.0 until PowerToys version 0.87.1</string>
 
       <string id="ConfigureAllUtilityGlobalEnabledStateDescription">This policy configures the enabled state for all PowerToys utilities.
@@ -169,7 +170,14 @@ If you enable this policy, the user won't be able to enable the "block screensav
 
 If you disable or don't configure this policy, the user takes control over the setting and can block the screensaver.
 </string>
+      <string id="MwbAllowServiceModeDescription">This policy configures if the user is allowed to use Mouse Without Borders in Service Mode.
 
+If this setting is enabled or not configured, the user can enable and use Mouse Without Borders in Service Mode.
+
+If this setting is disabled, the user won't be able to enable or use Mouse Without Borders in Service Mode.
+
+Note: As most other PowerToys policies, a restart of PowerToys is required for a change in this policy to take full effect.
+</string>
       <string id="MwbSameSubnetOnlyDescription">This policy configures if connections are only allowed in the same subnet.
 
 If you enable this policy, the setting is enabled and only connections in the same subnet are allowed.
@@ -264,6 +272,7 @@ If you don't configure this policy, the user takes control over the setting and
       <string id="MwbFileTransferEnabled">File transfer enabled</string>
       <string id="MwbUseOriginalUserInterface">Original user interface is available</string>
       <string id="MwbDisallowBlockingScreensaver">Disallow blocking screensaver on other machines</string>
+      <string id="MwbAllowServiceMode">Allow Service Mode</string>
       <string id="MwbSameSubnetOnly">Connect only in same subnet</string>
       <string id="MwbValidateRemoteIp">Validate remote machine IP Address</string>
       <string id="MwbDisableUserDefinedIpMappingRules">Disable user defined IP Address mapping rules</string>

src/modules/MouseWithoutBorders/App/Class/Program.cs

@@ -92,6 +92,17 @@ private static void Main()
 
                 bool serviceMode = firstArg == ServiceModeArg;
 
+                if (PowerToys.GPOWrapper.GPOWrapper.GetConfiguredMwbAllowServiceModeValue() == PowerToys.GPOWrapper.GpoRuleConfigured.Disabled)
+                {
+                    if (runningAsSystem)
+                    {
+                        Logger.Log("Can't run as a service. It's not allowed according to GPO policy. Please contact your systems administrator.");
+                        return;
+                    }
+
+                    serviceMode = false;
+                }
+
                 // If we're started from the .dll module or from the service process, we should
                 // assume the service mode.
                 if (serviceMode && !runningAsSystem)

src/modules/MouseWithoutBorders/App/Class/Setting.cs

@@ -1090,6 +1090,11 @@ internal bool UseService
         {
             get
             {
+                if (GPOWrapper.GetConfiguredMwbAllowServiceModeValue() == GpoRuleConfigured.Disabled)
+                {
+                    return false;
+                }
+
                 lock (_loadingSettingsLock)
                 {
                     return _properties.UseService;
@@ -1098,6 +1103,11 @@ internal bool UseService
 
             set
             {
+                if (AllowServiceModeIsGpoConfigured)
+                {
+                    return;
+                }
+
                 lock (_loadingSettingsLock)
                 {
                     _properties.UseService = value;
@@ -1109,6 +1119,10 @@ internal bool UseService
             }
         }
 
+        [CmdConfigureIgnore]
+        [JsonIgnore]
+        internal bool AllowServiceModeIsGpoConfigured => GPOWrapper.GetConfiguredMwbAllowServiceModeValue() == GpoRuleConfigured.Disabled;
+
         // Note(@htcfreek): Settings UI CheckBox is disabled in frmMatrix.cs > FrmMatrix_Load()
         internal bool SendErrorLogV2
         {

src/modules/MouseWithoutBorders/App/Service/Program.cs

@@ -28,7 +28,8 @@ internal sealed class Program
         [STAThread]
         private static void Main()
         {
-            if (PowerToys.GPOWrapper.GPOWrapper.GetConfiguredMouseWithoutBordersEnabledValue() == PowerToys.GPOWrapper.GpoRuleConfigured.Disabled)
+            if (PowerToys.GPOWrapper.GPOWrapper.GetConfiguredMouseWithoutBordersEnabledValue() == PowerToys.GPOWrapper.GpoRuleConfigured.Disabled
+                || PowerToys.GPOWrapper.GPOWrapper.GetConfiguredMwbAllowServiceModeValue() == PowerToys.GPOWrapper.GpoRuleConfigured.Disabled )
             {
                 // TODO: Add logging.
                 // Logger.LogWarning("Tried to start with a GPO policy setting the utility to always be disabled. Please contact your systems administrator.");

src/modules/MouseWithoutBorders/ModuleInterface/dllmain.cpp

@@ -363,7 +363,11 @@ class MouseWithoutBorders : public PowertoyModuleIface
 
     void update_state_from_settings(const PowerToysSettings::PowerToyValues& values)
     {
-        const bool new_run_in_service_mode = values.get_bool_value(USE_SERVICE_PROPERTY_NAME).value_or(false);
+        bool new_run_in_service_mode = values.get_bool_value(USE_SERVICE_PROPERTY_NAME).value_or(false);
+        if (powertoys_gpo::getConfiguredMwbAllowServiceModeValue() == powertoys_gpo::gpo_rule_configured_disabled)
+        {
+            new_run_in_service_mode = false;
+        }
 
         if (new_run_in_service_mode != run_in_service_mode)
         {

src/settings-ui/Settings.UI/SettingsXAML/Views/MouseWithoutBordersPage.xaml

@@ -186,12 +186,19 @@
                     </tkcontrols:SettingsCard>
                 </controls:SettingsGroup>
                 <controls:SettingsGroup x:Uid="MouseWithoutBorders_ServiceSettings" IsEnabled="{x:Bind ViewModel.CanToggleUseService, Mode=OneWay}">
-                    <tkcontrols:SettingsCard x:Uid="MouseWithoutBorders_UseService">
-                        <ToggleSwitch
-                            x:Uid="MouseWithoutBorders_UseService_ToggleSwitch"
-                            IsEnabled="{x:Bind ViewModel.IsEnabled, Mode=OneWay}"
-                            IsOn="{x:Bind ViewModel.UseService, Mode=TwoWay}" />
+                    <tkcontrols:SettingsCard x:Uid="MouseWithoutBorders_UseService" IsEnabled="{x:Bind ViewModel.UseServiceSettingIsEnabled, Mode=OneWay}">
+                        <ToggleSwitch x:Uid="MouseWithoutBorders_UseService_ToggleSwitch" IsOn="{x:Bind ViewModel.UseService, Mode=TwoWay}" />
                     </tkcontrols:SettingsCard>
+                    <InfoBar
+                        x:Uid="GPO_SettingIsManaged"
+                        IsClosable="False"
+                        IsOpen="{x:Bind ViewModel.ShowPolicyConfiguredInfoForServiceSettings, Mode=OneWay}"
+                        IsTabStop="{x:Bind ViewModel.ShowPolicyConfiguredInfoForServiceSettings, Mode=OneWay}"
+                        Severity="Informational">
+                        <InfoBar.IconSource>
+                            <FontIconSource FontFamily="{StaticResource SymbolThemeFontFamily}" Glyph="&#xE72E;" />
+                        </InfoBar.IconSource>
+                    </InfoBar>
                     <InfoBar
                         x:Uid="MouseWithoutBorders_RunAsAdminText"
                         IsClosable="False"

src/settings-ui/Settings.UI/ViewModels/MouseWithoutBordersViewModel.cs

@@ -93,10 +93,23 @@ public bool ShowOriginalUI
 
         public bool UseService
         {
-            get => Settings.Properties.UseService;
+            get
+            {
+                if (_allowServiceModeGpoConfiguration == GpoRuleConfigured.Disabled)
+                {
+                    return false;
+                }
+
+                return Settings.Properties.UseService;
+            }
 
             set
             {
+                if (_allowServiceModeIsGPOConfigured)
+                {
+                    return;
+                }
+
                 var valueChanged = Settings.Properties.UseService != value;
 
                 // Set the UI property itself instantly
@@ -122,6 +135,8 @@ public bool UseService
             }
         }
 
+        public bool UseServiceSettingIsEnabled => _allowServiceModeIsGPOConfigured == false;
+
         public bool ConnectFieldsVisible
         {
             get => _connectFieldsVisible;
@@ -185,6 +200,8 @@ public string ConnectPCName
         private bool _useOriginalUserInterfaceIsGPOConfigured;
         private GpoRuleConfigured _disallowBlockingScreensaverGpoConfiguration;
         private bool _disallowBlockingScreensaverIsGPOConfigured;
+        private GpoRuleConfigured _allowServiceModeGpoConfiguration;
+        private bool _allowServiceModeIsGPOConfigured;
         private GpoRuleConfigured _sameSubnetOnlyGpoConfiguration;
         private bool _sameSubnetOnlyIsGPOConfigured;
         private GpoRuleConfigured _validateRemoteIpGpoConfiguration;
@@ -507,6 +524,8 @@ private void InitializePolicyValues()
             _disableUserDefinedIpMappingRulesIsGPOConfigured = _disableUserDefinedIpMappingRulesGpoConfiguration == GpoRuleConfigured.Enabled;
 
             // Policies supporting only disabled state
+            _allowServiceModeGpoConfiguration = GPOWrapper.GetConfiguredMwbAllowServiceModeValue();
+            _allowServiceModeIsGPOConfigured = _allowServiceModeGpoConfiguration == GpoRuleConfigured.Disabled;
             _clipboardSharingEnabledGpoConfiguration = GPOWrapper.GetConfiguredMwbClipboardSharingEnabledValue();
             _clipboardSharingEnabledIsGPOConfigured = _clipboardSharingEnabledGpoConfiguration == GpoRuleConfigured.Disabled;
             _fileTransferEnabledGpoConfiguration = GPOWrapper.GetConfiguredMwbFileTransferEnabledValue();
@@ -1231,6 +1250,14 @@ internal void UninstallService()
             SendCustomAction("uninstall_service");
         }
 
+        public bool ShowPolicyConfiguredInfoForServiceSettings
+        {
+            get
+            {
+                return IsEnabled && _allowServiceModeIsGPOConfigured;
+            }
+        }
+
         public bool ShowPolicyConfiguredInfoForBehaviorSettings
         {
             get
@@ -1248,7 +1275,7 @@ public bool ShowInfobarCannotDragDropAsAdmin
 
         public bool ShowInfobarRunAsAdminText
         {
-            get { return !CanToggleUseService && IsEnabled; }
+            get { return !CanToggleUseService && IsEnabled && !ShowPolicyConfiguredInfoForServiceSettings; }
         }
     }
 }

tools/BugReportTool/BugReportTool/ReportGPOValues.cpp

@@ -87,6 +87,7 @@ void ReportGPOValues(const std::filesystem::path &tmpDir)
     report << "getConfiguredMwbFileTransferEnabledValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbFileTransferEnabledValue()) << std::endl;
     report << "getConfiguredMwbUseOriginalUserInterfaceValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbUseOriginalUserInterfaceValue()) << std::endl;
     report << "getConfiguredMwbDisallowBlockingScreensaverValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbDisallowBlockingScreensaverValue()) << std::endl;
+    report << "getConfiguredMwbAllowServiceModeValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbAllowServiceModeValue()) << std::endl;
     report << "getConfiguredMwbSameSubnetOnlyValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbSameSubnetOnlyValue()) << std::endl;
     report << "getConfiguredMwbValidateRemoteIpValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbValidateRemoteIpValue()) << std::endl;
     report << "getConfiguredMwbDisableUserDefinedIpMappingRulesValue: " << gpo_rule_configured_to_string(powertoys_gpo::getConfiguredMwbDisableUserDefinedIpMappingRulesValue()) << std::endl;