App Installer Security Features

Build 1.24.1981 introduced the following App Installer security features:

  • Internet warning
  • Microsoft SmartScreen Reputation-based URL Validation
  • URL Security Zones

Internet Warning

App Installer displays a warning banner to the user whenever the user is installing a package from the internet. When the internet warning is shown, users should be careful to verify that the source listed on the dialog is trusted.

A screenshot showing a Microsoft SmartScreen internet warning. It's an installation confirmation dialog. At the bottom of the pane, a badge icon with an exclamation point is next to a warning that reads "Internet applications can potentially harm your computer. If you do not trust the source, do not install this software".

Installing software from an untrusted site on the internet can be risky and expose you to malware and other exploits. For more information, see Protect yourself from online scams and attacks.

Microsoft SmartScreen Reputation-based URL Validation

App Installer now takes advantage of Microsoft SmartScreen to help users make informed decisions before installing software. Prior to downloading a package from an Internet source, App Installer will consult Microsoft SmartScreen's URL Reputation service.

A screenshot showing a Microsoft SmartScreen reputation-based URL validation error. The title of the dialog is "SmartScreen validation unsuccessful!" and the explanation text below says "This application was blocked as unsafe by Microsoft Defender SmartScreen. If you choose to continue, this application may not be safe to install."

When presented with this error, the user can choose to Cancel or Continue (Not recommended).

Clicking Continue will allow App Installer to open the package for installation.

URL Security Zones

In addition to enabling and disabling the MS-AppInstaller protocol, IT Professionals can now prevent users from installing apps from URIs that the enterprise does not allow. IT Pros can disable installation from specific URL Security Zones.

When a user attempts to open a blocked URL, they will be presented with the following dialog.

A screenshot of a URL Security Zone error. The title of the dialog says "Your internet security settings prevented this file from being opened". The explanation text below states "The application you are attempting to access has been blocked by your administrator."

Configuring App Installers Zone

EnableMSAppInstallerProtocol

The entry EnableMSAppInstallerProtocol allows IT Professionals to enable or disable the MS-AppInstaller protocol.

Enabled: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller EnableMSAppInstallerProtocol=1

EnableMsixAllowedZones

If EnableMsixAllowedZones is enabled (set to "1"), you will have the option to override whether App Installer allows a Security Zone or not.

Enabled: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller EnableMsixAllowedZones=1

MsixAllowedZones

When EnableMsixAllowedZones is enabled, App Installer will honor the restrictions specified in MsixAllowedZones. By default, URLs in the UntrustedSites security zone will be rejected and all other zones will be allowed.

Allow zone: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller\MsixAllowedZones UntrustedSites=1
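
A read-only PowerShell audit of the three policy values described above, added here as an example and not Microsoft's own code. The function names are hypothetical, and treating any value other than 1 as "not enabled" is an assumption.

```powershell
# Added example: read-only audit of the App Installer policy values named above.
# Function names are hypothetical; any value other than 1 is treated as "not enabled" (assumption).
$AppInstallerPolicy = 'HKLM:\Software\Policies\Microsoft\Windows\AppInstaller'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-AppInstallerZonePosture {
    param([string]$PolicyRoot = $AppInstallerPolicy)

    $protocol  = Get-PolicyValue -Path $PolicyRoot -Name 'EnableMSAppInstallerProtocol'
    $override  = Get-PolicyValue -Path $PolicyRoot -Name 'EnableMsixAllowedZones'
    $untrusted = Get-PolicyValue -Path "$PolicyRoot\MsixAllowedZones" -Name 'UntrustedSites'

    # MsixAllowedZones is honored only when EnableMsixAllowedZones is enabled (1).
    $overrideOn       = ($override -eq 1)
    $untrustedAllowed = $overrideOn -and ($untrusted -eq 1)

    $findings = @()
    if ($untrustedAllowed) {
        $findings += 'UntrustedSites=1 is in effect: the default rejection of the UntrustedSites zone is overridden.'
    }
    if (($untrusted -eq 1) -and -not $overrideOn) {
        $findings += 'UntrustedSites=1 is set but EnableMsixAllowedZones is not 1; the entry takes effect if the override is later enabled.'
    }
    if ($null -eq $protocol) {
        $findings += 'EnableMSAppInstallerProtocol is not configured by policy.'
    }

    [pscustomobject]@{
        ProtocolPolicy        = $protocol
        ZoneOverrideEnabled   = $overrideOn
        UntrustedSitesAllowed = $untrustedAllowed
        Findings              = $findings
    }
}

Get-AppInstallerZonePosture | Format-List
```

The script only reads the registry, so it can run unelevated on any endpoint as part of a configuration baseline check.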

Zone data

| Security Zone   | Default | Detail |
|-----------------|---------|--------|
| Local Machine   | Allow   | Setting to Blocked will prevent any local MSIX from being installed. |
| Intranet        | Allow   | Setting to Blocked will prevent files from enterprise servers from being downloaded and installed. |
| Trusted Sites   | Allow   | When set to Allow, allows the IT professional to allow specific Internet URIs. |
| Internet        | Allow   | When set to Allow, allows the IT professional to restrict installing apps from all Internet URIs. |
| Untrusted Sites | Blocked | When set to Blocked, allows the IT professional to block specific Internet URIs. |

App Installer CSP Security Zones

App Installer access to URL Security Zones is controlled by the DesktopAppInstaller CSP. If App Installer attempts to load a URL from a zone that is blocked, the user will be presented with an error.

IT Professionals can add sites to the Restricted or Trusted Sites Zone by using the policy-csp-internetexplorer. If a URL appears in a zone that is blocked, App Installer will block installation.