Update Windows App SDK to 2.0.0-preview2 and related dependencies

[mattleibow]

Summary

Updates Windows App SDK and related Windows dependencies to their latest versions.

Package Updates

Package	Old Version	New Version
Microsoft.WindowsAppSDK	1.8.251106002	2.0.0-preview2
Microsoft.Web.WebView2	1.0.3179.45	1.0.3856.49 (latest stable)
Microsoft.Graphics.Win2D	1.3.2	1.4.0
Microsoft.Windows.SDK.BuildTools	10.0.26100.4654	10.0.26100.7705

NuGet.config

Enabled the nuget-only source (nuget.org) since Microsoft.WindowsAppSDK 2.0.0-preview2 is not yet mirrored in the dotnet-public ADO feed.

Local Build Verification (Windows)

• ✅ Microsoft.Maui.BuildTasks.slnf - Build succeeded
• ✅ Microsoft.Maui-windows.slnf - Build succeeded (no new errors)
• ✅ Core.DeviceTests - Build succeeded
• ✅ Controls.DeviceTests - Build succeeded
• ✅ Essentials.DeviceTests - Build succeeded
• ✅ BlazorWebView.Wpf (WebView2) - Build succeeded
• ✅ BlazorWebView.WinForms (WebView2) - Build succeeded

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://github.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 34791

Or

• Run remotely in PowerShell:

iex "& { $(irm https://github.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 34791"

[MauiBot]

🤖 AI Summary

👋 @mattleibow — new AI review results are available. Please review the latest session below.

📊 Review Session — c871051 · Merge remote-tracking branch 'origin/main' into mattleibow/update-wasdk-2.0-preview2 · 2026-05-02 21:36 UTC

---

🚦 Gate — Test Before & After Fix

---

Gate Result: ⚠️ SKIPPED

No tests were detected in this PR.

Recommendation: Add tests to verify the fix using the write-tests-agent.

---

🧪 UI Tests — Category Detection

---

No UI test categories needed for this PR (no UI-relevant changes).

---

🔍 Regression Cross-Reference

---

🟢 No implementation files modified — skipping regression cross-reference.

---

🔍 Pre-Flight — Context & Validation

---

Issue: No linked issue — standalone dependency update
PR: #34791 - Update Windows App SDK to 2.0.0-preview2 and related dependencies
Platforms Affected: Windows only
Files Changed: 3 implementation (build/config), 0 test

Key Findings

• Updates MicrosoftWindowsAppSDKPackageVersion from 1.8.251106002 → 2.0.0-preview2 (major version preview bump)
• Updates MicrosoftWindowsSDKBuildToolsPackageVersion from 10.0.26100.4654 → 10.0.26100.7705
• Updates MicrosoftGraphicsWin2DPackageVersion from 1.3.2 → 1.4.0
• Updates MicrosoftWindowsWebView2PackageVersion from 1.0.3179.45 → 1.0.3856.49
• Adds nuget-org source (https://api.nuget.org/v3/index.json) to NuGet.config as an ENABLED source (not listed in disabledPackageSources) because WinAppSDK 2.0.0-preview2 is not yet in the internal dotnet-public ADO feed
• Adds global NoWarn for NU1603 (dependency version may differ from required) due to Microsoft.WindowsAppSDK.AI 2.0.24-preview resolving to a different version on some feeds
• PR is in draft state — author's local build verification passed for Windows targets
• All 31 CI checks passed ✅

Code Review Summary

Verdict: NEEDS_DISCUSSION
Confidence: high
Errors: 0 | Warnings: 2 | Suggestions: 2

Key code review findings:

• ⚠️ NuGet.config:18 — nuget-org added as always-enabled source (active in local dev, CI, and forks); deviates from repo's controlled-feed pattern; nuget-only placeholder (the canonical pattern) is left disabled
• ⚠️ Directory.Build.props:19 — NU1603 suppressed globally across all TFMs/platforms; cause is Windows-only (Microsoft.WindowsAppSDK.AI); should be scoped to Windows targets only, ideally with a tracking issue reference
• 💡 NuGet.config:18 — PR description says "enabled nuget-only source" but actually adds a new nuget-org key — description is inaccurate
• 💡 eng/Versions.props:82 — Major preview SDK bump (1.8 stable → 2.0.0-preview2) verified by build only; device tests evidence not provided

UI Test Categories

NONE — This PR only modifies build configuration and dependency version numbers. No UI controls, handlers, layouts, or platform rendering code is changed.

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
PR	PR #34791	Version bump Windows SDK deps + add nuget-org source + suppress NU1603	✅ CI PASSED (all 31 checks)	eng/Versions.props, NuGet.config, Directory.Build.props	Original PR; draft state

---

🔬 Code Review — Deep Analysis

---

Code Review — PR #34791

Update Windows App SDK to 2.0.0-preview2 and related dependencies

---

Independent Assessment

What this changes (from code alone):
Three build-infrastructure files modified:

1. eng/Versions.props — Four Windows-only package version bumps: WindowsAppSDK 1.8.251106002 → 2.0.0-preview2 (major version, preview), SDK Build Tools 10.0.26100.4654 → 10.0.26100.7705, Win2D 1.3.2 → 1.4.0, WebView2 1.0.3179.45 → 1.0.3856.49.
2. NuGet.config — Adds a new always-enabled nuget-org package source pointing directly to https://api.nuget.org/v3/index.json. The existing nuget-only placeholder (disabled, CI-substituted URL) is untouched.
3. Directory.Build.props — Globally suppresses NU1603 (NuGet version-resolution mismatch warning) across all projects and all platforms, citing a WinAppSDK transitive dependency as the reason.

Inferred motivation:
The WindowsAppSDK 2.0.0-preview2 package isn't available in the repo's normal ADO mirror feeds (dotnet-public), so nuget.org was added directly to get it. The NU1603 suppression exists because the new WinAppSDK pulls in Microsoft.WindowsAppSDK.AI 2.0.24-preview, which may not resolve at the exact requested version across all feeds.

Is the approach sound?
The version bump itself is fine for a repo targeting the main (trunk) branch. The two implementation choices — hardcoding nuget.org as a permanent enabled source, and suppressing NU1603 globally — are broader than necessary and create risks worth addressing before this graduates from Draft and lands in main.

---

Reconciliation with PR Narrative

Author claims: "Enabled the nuget-only source (nuget.org) since Microsoft.WindowsAppSDK 2.0.0-preview2 is not yet mirrored in the dotnet-public ADO feed." Local build verification listed (solution builds + BlazorWebView builds — no device tests).

Disagreement 1 — NuGet.config: The description says "enabled the nuget-only source" but the diff adds a brand-new nuget-org key with the live URL hardcoded, leaving nuget-only still disabled. This is a factual discrepancy. The repo already has an architectural pattern for nuget.org CI access (the nuget-only placeholder), and this PR doesn't use it — it adds a parallel permanently-enabled entry.

Agreement: The version bump rationale is sound (main branch, keeping Windows dependencies current). The CI fully passes (all required checks green). Build verification is appropriate for a draft-stage PR.

---

Findings

⚠️ Warning — Hardcoded nuget.org feed added as always-enabled source (NuGet.config:18)

The new nuget-org entry is active in every environment — local dev, CI, and contributor forks. All other sources in this repo route through pkgs.dev.azure.com/dnceng for supply-chain auditability. The repo already has a nuget-only placeholder that gets its URL substituted by the CI pipeline, keeping it inactive outside CI — the canonical pattern for controlled nuget.org access.

A permanently-enabled nuget.org source broadens the resolution surface: any package in the controlled feeds can silently have a higher-versioned counterpart on nuget.org selected in contributor forks or offline builds. Before this lands in main, confirm with the .NET infrastructure team whether a direct nuget.org source is approved (e.g., check dotnet-public team policy), or prefer routing through the placeholder mechanism.

⚠️ Warning — NU1603 suppression is global, not Windows-scoped (Directory.Build.props:19)

NU1603 is suppressed at the repo root so it applies to every TFM and every platform (iOS, Android, macOS, Tizen, and Windows). The stated cause is a Windows-only transitive dep (Microsoft.WindowsAppSDK.AI 2.0.24-preview). This means version-resolution mismatches in non-Windows projects will now silently go unreported.

Suggested improvement: scope the suppression to Windows builds only (e.g., conditional on $(TargetOS) or a Windows-only .props file), and add a tracking issue number to the comment so the suppression has a clear removal trigger when WinAppSDK 2.0 ships stable.

💡 Suggestion — PR description doesn't match the actual diff (NuGet.config:18)

The description says "Enabled the nuget-only source" but the diff adds a new nuget-org key, leaving nuget-only disabled. The repo now has two conceptual nuget.org entries. Please update the description to accurately reflect what the diff does, to avoid confusion during review and future archaeology.

💡 Suggestion — Build-only verification for a major SDK preview bump (eng/Versions.props:82)

WinAppSDK 1.8 (stable) → 2.0.0-preview2 is a major version jump to a preview release. The PR lists build success only. Preview WinAppSDK releases have historically introduced behavioral regressions in Shell navigation, DispatcherQueue usage, WebView lifecycle, and Windows accessibility. Providing evidence that Core.DeviceTests, Controls.DeviceTests, and Essentials.DeviceTests run and pass on Windows would meaningfully reduce merge risk, particularly before this transitions from Draft.

---

Devil's Advocate

On the nuget.org finding: The CI is fully green, which means the PR didn't break anything. The nuget.org source is effectively already "in the wild" for this PR's branch. One could argue that since this is a temporary workaround (until the package is mirrored), the risk is bounded. Counter: "temporary" build-file changes have a long history of becoming permanent in this repo, and the supply-chain policy concern is real regardless of CI status.

On NU1603: NU1603 is an informational/warning-level diagnostic. Suppressing it globally is common practice during preview periods. However, the combination of TreatWarningsAsErrors=true (the very next line) and a blanket NU1603 suppression creates a category of issues that would normally be caught and silently disappear. This warrants at minimum a tracking issue.

On device tests: The PR is a Draft, so expecting full device-test evidence now is reasonable but not blocking. The suggestion is forward-looking.

---

CI Status

✅ All required CI checks pass (Windows debug/release builds, macOS builds, pack, Helix unit tests, integration tests across all platforms and template types).

---

Verdict: NEEDS_DISCUSSION

Confidence: high

Summary: The version bumps are appropriate for a trunk-targeting repo, and CI is entirely green. The two substantive concerns are the hardcoded nuget.org feed entry (which deviates from the repo's controlled-feed pattern and should be reviewed by the infra team) and the globally-scoped NU1603 suppression (which should be narrowed to Windows or have a removal mechanism). Neither is a blocking error, but both should be resolved or explicitly acknowledged before this exits Draft and merges.

---

🔧 Fix — Analysis & Comparison

---

Fix Candidates

#	Source	Approach	Test Result	Files Changed	Notes
PR	PR #34791	Version bumps + nuget-org always-enabled + global NU1603	✅ CI PASSED (31/31 checks)	eng/Versions.props, NuGet.config, Directory.Build.props	Draft; supply-chain and scoping concerns from code review
1	try-fix	nuget-only placeholder activated + TargetFramework.StartsWith('net10.0-windows')	✅ PASS	Same 3 files	Uses existing repo placeholder pattern; supply-chain compliant
2	try-fix	nuget-org + full packageSourceMapping + Directory.Build.targets + _MauiTargetPlatformIsWindows	✅ PASS	Same 3 files + Directory.Build.targets	Best supply-chain scoping; uses existing _MauiTargetPlatformIsWindows flag
3	try-fix	nuget-org + packageSourceMapping allowlist + TargetPlatformIdentifier condition in .props	✅ PASS	Same 3 files	packageSourceMapping prevents dependency confusion
4	try-fix	nuget-org disabled-by-default + CI opt-in + Contains('-windows10') condition	✅ PASS	Same 3 files	Cleanest for contributor forks; requires CI pipeline enablement step

Cross-Pollination

Model	Round	New Ideas?	Details
claude-sonnet-4.6	2	Yes	RestoreAdditionalProjectSources conditioned on Windows TFM — NuGet.config untouched; source injected at MSBuild level. Not pursued as 5th attempt (winner.json schema supports only try-fix-1..4); noted as architectural variant of Attempt 4
claude-opus-4.6	2	No	Solution space exhausted — all combinations of source activation × package scoping × TFM detection covered

Exhausted: Yes (2 rounds)

Selected Fix: try-fix-2 (Attempt 2) — Uses Directory.Build.targets with the repo's native $(_MauiTargetPlatformIsWindows) flag for NU1603 scoping (no change to Directory.Build.props), and adds <packageSourceMapping> to restrict nuget-org to only WinAppSDK packages (strongest supply-chain protection). The approach follows the repo's existing pattern for per-platform build configuration.

Runner-up: try-fix-1 — Uses the canonical nuget-only placeholder mechanism which is the most architecturally consistent with the repo's design, but activates the nuget-only source globally rather than restricting to specific packages.

---

📋 Report — Final Recommendation

---

⚠️ Final Recommendation: REQUEST CHANGES

Phase Status

Phase	Status	Notes
Pre-Flight	✅ COMPLETE	No linked issue; 3 build-config files changed (Windows-only)
Code Review	NEEDS_DISCUSSION (high)	0 errors, 2 warnings, 2 suggestions
Gate	⚠️ SKIPPED	No tests detected in this PR
Try-Fix	✅ COMPLETE	4 attempts, 4 passing
Report	✅ COMPLETE

Code Review Impact on Try-Fix

Code review found two ⚠️ Warnings: (1) nuget-org added as always-enabled source bypassing the repo's controlled-feed supply-chain policy, and (2) NU1603 globally suppressed when the root cause is Windows-only. These warnings directly shaped the 4 try-fix candidates:

• Attempt 1 specifically addressed the nuget-org concern by using the nuget-only placeholder (the canonical repo pattern) instead of a new key, and scoped NU1603 via TargetFramework.StartsWith.
• Attempt 2 addressed both concerns simultaneously with the strongest supply-chain mitigation (<packageSourceMapping> restricting nuget-org to WinAppSDK packages) and moved NU1603 suppression to Directory.Build.targets using the repo's _MauiTargetPlatformIsWindows flag.
• Attempts 3 & 4 explored variations on the same two axes, confirming the fix space is well-covered.

All 4 candidates resolved both code-review concerns and compiled successfully.

Summary

PR #34791 updates Windows App SDK and companion packages (Win2D, WebView2, SDK Build Tools) from stable 1.8.x to 2.0.0-preview2 with a correct and CI-verified approach. All 31 CI checks pass. However, two implementation choices — a hardcoded always-enabled nuget-org source and a globally-scoped NU1603 suppression — deviate from repo conventions and introduce supply-chain and cross-platform diagnostic risks. Try-Fix found a superior approach (try-fix-2) that uses <packageSourceMapping> to restrict nuget-org to WinAppSDK packages only, and moves NU1603 suppression to Directory.Build.targets scoped via $(_MauiTargetPlatformIsWindows).

Root Cause

The PR is an intentional dependency update, not a bug fix. The nuget-org source is required because WinAppSDK 2.0.0-preview2 and its transitive Microsoft.WindowsAppSDK.AI 2.0.24-preview dependency are not yet mirrored to the dotnet-public ADO feed. The NU1603 warning is a side-effect of the preview AI package resolving at a different patch level than requested.

Fix Quality

The version bumps in eng/Versions.props are correct and appropriate for a trunk-targeting repository. The two ancillary changes (nuget-org source, NU1603 suppression) solve the immediate problem but can be improved for better supply-chain hygiene and cross-platform diagnostic fidelity. The recommended alternative (try-fix-2) achieves the same outcome with:

1. <packageSourceMapping> on nuget-org — restricts resolution to only 3 WinAppSDK package patterns, closing the dependency-confusion surface entirely
2. NU1603 suppression in Directory.Build.targets using $(_MauiTargetPlatformIsWindows) — follows existing repo pattern (same file already has <NoWarn>NU1603;NU1702</NoWarn> at line 29) and avoids touching Directory.Build.props
3. Directory.Build.props unchanged for NU1603 — no regression risk to the root build configuration

Comparative Table

Candidate	Supply-Chain	NU1603 Scope	CI	Complexity
PR (original)	⚠️ nuget-org always-enabled, no mapping	❌ Global	✅ PASS	Low
pr-plus-reviewer	⚠️ nuget-org always-enabled, no mapping	✅ Windows-only (TargetPlatformIdentifier)	Build-verified	Low+
try-fix-1	✅ nuget-only placeholder (canonical)	✅ TargetFramework.StartsWith	✅ PASS	Low
try-fix-2 ⭐	✅✅ nuget-org + packageSourceMapping	✅ _MauiTargetPlatformIsWindows (targets)	✅ PASS	Medium
try-fix-3	✅ nuget-org + packageSourceMapping	✅ TargetPlatformIdentifier	✅ PASS	Medium
try-fix-4	✅ disabled-by-default nuget-org	✅ Contains('-windows10')	✅ PASS (build-only; needs CI step)	Medium

Winner: try-fix-2 — Strongest supply-chain protection with <packageSourceMapping> eliminating dependency confusion risk; NU1603 scoped to Windows via the repo's own _MauiTargetPlatformIsWindows flag (zero change to Directory.Build.props); precedent in Directory.Build.targets already exists.

Selected Fix: try-fix-2

---

[MauiBot]

🤖 Automated review — alternative fix proposed

The expert-reviewer evaluation compared the PR fix against #2 automatically generated candidates and selected try-fix-2 as the strongest fix.

Why: try-fix-2 wins because it simultaneously addresses both code-review concerns: it adds to restrict nuget-org to only WinAppSDK packages (eliminating dependency-confusion risk), and moves NU1603 suppression to Directory.Build.targets scoped via $(_MauiTargetPlatformIsWindows) — the repo's own existing flag — leaving Directory.Build.props untouched. All version bumps from the original PR are preserved, and the build passed with 0 warnings and 0 errors.

Please consider applying the candidate diff below (or use it as guidance). Once you push an update, this workflow will re-trigger and re-evaluate.

Candidate diff (`try-fix-2`)

diff --git a/Directory.Build.targets b/Directory.Build.targets
index 77feb5312b..05e1b42e09 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -56,6 +56,13 @@
     <TargetPlatformMinVersion>6.5</TargetPlatformMinVersion>
   </PropertyGroup>
 
+  <!-- WindowsAppSDK 2.0.0-preview2 pulls in Microsoft.WindowsAppSDK.AI 2.0.24-preview which may
+       resolve to a different version on some feeds. Scoped to Windows TFMs since the mismatch is
+       Windows-specific (Microsoft.Windows.AI.MachineLearning transitive dep). -->
+  <PropertyGroup Condition="'$(_MauiTargetPlatformIsWindows)' == 'True'">
+    <NoWarn>$(NoWarn);NU1603</NoWarn>
+  </PropertyGroup>
+
   <!--
 diff --git a/NuGet.config b/NuGet.config
index 752fe77e32..b7eaefc735 100644
--- a/NuGet.config
+++ b/NuGet.config
@@ -15,6 +15,9 @@
     <add key="dotnet-libraries-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-libraries-transport/nuget/v3/index.json" />
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" protocolVersion="3" />
     <add key="dotnet-tools" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json" protocolVersion="3" />
+    <!-- nuget-org: needed for WindowsAppSDK 2.0.0-preview2 packages not yet mirrored to dnceng feeds.
+         Re-disable once packages are available in dotnet-public. -->
+    <add key="nuget-org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
   </packageSources>
   <activePackageSource>
     <add key="All" value="(Aggregate source)" />
@@ -23,4 +26,34 @@
     <add key="local" value="true" />
     <add key="nuget-only" value="true" />
   </disabledPackageSources>
+  <!-- Restrict nuget-org to only the WindowsAppSDK preview packages not yet on dnceng feeds,
+       preventing dependency confusion with the controlled internal feeds. -->
+  <packageSourceMapping>
+    <packageSource key="nuget-org">
+      <package pattern="Microsoft.WindowsAppSDK*" />
+      <package pattern="Microsoft.Windows.AI*" />
+      <package pattern="Microsoft.WindowsAppSDK.AI*" />
+    </packageSource>
+    <packageSource key="dotnet-public">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="darc-pub-dotnet-dotnet-e17b0d0">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="dotnet-libraries">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="dotnet-libraries-transport">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="dotnet-eng">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="dotnet-tools">
+      <package pattern="*" />
+    </packageSource>
+    <packageSource key="benchmark-dotnet-prerelease">
+      <package pattern="*" />
+    </packageSource>
+  </packageSourceMapping>
 </configuration>
diff --git a/eng/Versions.props b/eng/Versions.props
index 2f87e0a130..d8aa6ca63e 100644
--- a/eng/Versions.props
+++ b/eng/Versions.props
@@ -79,10 +79,10 @@
     <!-- Samsung/Tizen.NET -->
     <SamsungTizenSdkPackageVersion>8.0.148</SamsungTizenSdkPackageVersion>
     <!-- wasdk -->
-    <MicrosoftWindowsAppSDKPackageVersion>1.8.251106002</MicrosoftWindowsAppSDKPackageVersion>
-    <MicrosoftWindowsSDKBuildToolsPackageVersion>10.0.26100.4654</MicrosoftWindowsSDKBuildToolsPackageVersion>
-    <MicrosoftGraphicsWin2DPackageVersion>1.3.2</MicrosoftGraphicsWin2DPackageVersion>
-    <MicrosoftWindowsWebView2PackageVersion>1.0.3179.45</MicrosoftWindowsWebView2PackageVersion>
+    <MicrosoftWindowsAppSDKPackageVersion>2.0.0-preview2</MicrosoftWindowsAppSDKPackageVersion>
+    <MicrosoftWindowsSDKBuildToolsPackageVersion>10.0.26100.7705</MicrosoftWindowsSDKBuildToolsPackageVersion>
+    <MicrosoftGraphicsWin2DPackageVersion>1.4.0</MicrosoftGraphicsWin2DPackageVersion>
+    <MicrosoftWindowsWebView2PackageVersion>1.0.3856.49</MicrosoftWindowsWebView2PackageVersion>
     <!-- Everything else -->