Forum Discussion
The ms-appinstaller protocol has been disabled.
I just found out that users can no longer install my MSIX from my website. This is a WPF application packaged with "Windows Application Packaging Project" (wapproj). When users click the "Get the app" button they now see the error below saying the protocol has been disabled. Why is this? Is this permanent? Is there a way to enable it?
There's a short mention of this in the docs but it doesn't mention why this is happening or how to enable it.
https://docs.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web
Is this no longer supported?
<html>
<body>
<h1> MyApp Web Page </h1>
<a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
<a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle </a>
<a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a>
</body>
</html>
The ms-appinstaller protocol has been disabled. Please ask the vendor to update the weblink. For more information go to aka.ms/ms-appinstaller-disabled
bvenhaus Thank you for your question. We removed the ms-appinstaller custom scheme due to a security vulnerability. We do intend to bring this back, and are working on it. For now, you can update the link on your website by removing 'ms-appinstaller:?source='
<html> <body> <h1> MyApp Web Page </h1> <a href="http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a> <a href="http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle </a> <a href="http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a> </body> </html>
55 Replies
This broke the installation and update process for my commercial Windows app overnight because some hacker used a legitimate, documented "this is how you publish Windows apps" to distribute malware?
How is this considered an acceptable mitigation?
I have a $3k Extended Identity certificate that I sign my installer packages with, but now it's illegitimate to install it because a malicious payload was discovered somewhere else?
- I've reported this as a DoS to the Microsoft Security team:
https://msrc.microsoft.com/submission/VULN-058721The security team declined to investigate the issue, citing this thread as the official guidance.
If you have a support channel through MSFT from your business, please open and escalate an issue. It doesn't feel like the people engaged in this conversation realize the implication of their actions and I haven't yet found someone to take responsibility for fixing it.---
Received via email:
Hello Jay,
Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this issue.
We are aware of the issue you have reported regarding the MSIX installer. While this issue doesn't meet the definition of a vulnerability that MSRC can help with, we are aware that the issue is being supported through the following resources:
<"https://docs.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web"> -> "The ms-appinstaller scheme(protocol) has been disabled."
and
<"https://techcommunity.microsoft.com/t5/msix-deployment/the-ms-appinstaller-protocol-has-been-disabled/m-p/3038361"> where Aditi_Narvekar from Microsoft has replied.
and you may also contact support for more information:
Contact Us - Microsoft Support
We have also shared your feedback with the engineering team who own the ms-appinstaller scheme(protocol).
As such, this MSRC thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused. More information on reporting a security vulnerability can be found at <"https://www.microsoft.com/msrc/faqs-report-an-issue.">
Regards,
Duncan 
MSRC
- We are seeing the same issues within our company. Anybody on the old version of App Installer can launch ms-appinstaller just fine, anybody on the 12/14/2021 version it says the protocol has been disabled. Its creating quite a lot of problems right now and we have a support case in.
- Thank you for your help. Let's hope it is fixed soon.
- For info, the Windows Store App Installer has alsobeen disabled, it cannotbe downloaded.
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890
- What is link supposed to mean? I have the same issue and the app cannot be installed by our clients.
I also could not access Microsoft sites from the Firefox browser and had to disable OCSP settings, I think this is the same issue, it started yesterday.
