ClickOnce application downloads instead of directly opening the app


When opening a ClickOnce app, the *.application file gets saved to my Downloads folder instead of directly opening it. Additionally, since the file is downloaded, then opened from Downloads, it loses the cookie information required for our app to function correctly.

44 Replies

@Vidmo didn't see that. I agree this should be on by default just like IE and MSEdge.


Thanks for the update, working perfectly for me after enabling the flag.

Our business would not be opposed to having to enable the option with it off by default if that decision is made for security or other purposes. It would be nice to have this available via Group Policy or other deployment options.



@CodeDJ , thanks for the feedback! We would definitely need to think through some interesting security implications here (it would be analagous to setting "Always run executables" for downloads).
@Vidmo , sorry I couldn't get back to you earlier; it looks like you were able to answer your question. We do not currently have plans to enable ClickOnce for ALL users, but you currently should have access to group policy to ensure that your organization has ClickOnce turned on by default if necessary. The policy is described here
@aclowe , please take a look at for the group policy to support exactly what you mentioned


As Eric mentioned, we will be looking into the vsto bug! Thanks everyone for your feedback!

Our customers have relied on Microsoft .NET ClickOnce support for a long time, and we are unclear how to document the path forward with Edge chromium.


  1. Will Edge chromium supplant existing Edge HTML installations via Windows Update?
  2. Will ClickOnce be disabled by default?
  3. Will there be a way for end users to enable ClickOnce support via settings, without having to resort to group policy or developer flags?
  4. Why is there now a mime-type dialog displayed asking the user to select an application for launching the ClickOnce application? Shouldn't Edge chromium be associated with .application files without an end user decision?

We obviously prefer to have ClickOnce enabled by default, but if not there should be a simple configuration option each user can toggle. We don't have any plans to retire our ClickOnce feature at this time, so continued support is critical.

1. Yes, the new Edge will start replacing the old Edge on Windows PCs next year.
2. ClickOnce is presently disabled by default.
3. ClickOnce support can be enabled via edge://flags and Group Policy. There's no option in edge://settings.
4. A screenshot and/or OS information should be helpful here. File associations are owned by Windows, not the browser. If you save a .application file to your desktop and open it on the machine in question, what happens?

I can't reproduce the mime issue anymore (Version 80.0.341.0 (Official build) canary (64-bit)). It only happened once after installing the nightly, and now it's fine. I wonder if it was due to having 3 different Edge versions running on the same system (Edge, Edge Beta, Edge Canary).


It's a Windows 10 system that had no prior ClickOnce issues with Edge or IE11. When attempting to open the .application file from the file system, the mime dialog shows it is associated with the "ClickOnce Application Deployment Support Library," which appears normal.

@Vidmo we believe that we have fixed the "vsto does not work with" issue in the latest Canary. Are you able to confirm this? It should work with 80.0.351.0.

@i-am-kentThanks, I can confirm that links for VSTO apps do now work in Version 80.0.361.9.

@ericlaw wrote:
4. A screenshot and/or OS information should be helpful here. File associations are owned by Windows, not the browser. If you save a .application file to your desktop and open it on the machine in question, what happens?

Per 4), in Version 80.0.361.40 (Official build) beta (64-bit) on Windows 10 Pro (1903) (64-bit), upon accessing a ClickOnce URL for the first time, the user is prompted to either open the file or cancel (as expected), but when the user clicks Open, a system app chooser is displayed and the user is forced to choose Edge to open the file, rather than Edge simply handing off to dfshim.dll or VSTOInstaller and letting ClickOnce do its thing.  After associating .application and .vsto manifests with Edge (selecting "Always use this app" is not necessary), the user is never subsequently prompted to choose applications.  The system's file association for these types is not altered, nor is it set to Edge, so this is not on the OS.  On Windows, it should be Edge's responsibility to provide the manifest URLs directly to the handler for each MIME type, and an appropriate association should not need to be established by the user.

Windows 10 Default App ChooserWindows 10 Default App Chooser



@i-am-kent Hi !


As noticed by @CodeDJ, my users too are being prompted each time they launch a daily ClickOnce application. Do you know the development's state of the security rules you mentioned few posts ago ?


Thank you by advance,

@aclowe We also need ClickOnce support for URL parameters for our product.


You are a lifesaver- thanks mate @soundman_ok 

@Vidmo Hi! How hace you made the parameters by URL work? I can only open the application but the parameter arrives empty.


Thank you vey much. 

@entuto : Have you enabled the flag in edge://flags? Do you see this UI prompt?



Do you see the URL Arguments at the bottom of the window if you select the "Install an .application via ClickOnce with URL arguments" link on this test page


@ericlaw Perfect, it works now, the flag had been disabled. Do you know if there is a way that the Open / Cancel window does not come out and directly open the desktop application?


I think I have the solution:

ClickOnce and DirectInvoke policies

There are two group policies that you can use to enable or disable ClickOnce and DirectInvoke for enterprise users. These two policies are ClickOnceEnabled and DirectInvokeEnabled. These two policies are labeled in the Group Policy Editor as "Allow users to open files using the ClickOnce protocol" and "Allow users to open files using the DirectInvoke protocol" respectively.

Sorry, no. For security reasons, Edge does not offer any configuration that allows exiting the browser sandbox without a prompt.

@CodeDJ This is still not working when the VSTO file (Word Addin) is hosted in a Document Library to distribute to users. Any solutions for this issue?


We have developed a few Word Addins (Word Taskpanes) and we host the click once installers (VSTO) files in a SharePoint Document Library. When click on it, it gets installed. It worked perfectly for us in IE until now. Unfortunately the VSTO file downloads locally instead of installing. 


We tried hosting the addins directly in IIS and tested with a simple HTML page using MS Edge. That works as expected. But the same VSTO files hosted in SP2013 Document Library fails. Any help would be much appreciated.



I am using Version 91.0.864.37 (Official build) (64-bit) of Edge and have enabled the ClickOnce flag; however, I am still just seeing the download behavior and am not able to click and run the .vsto add-in from the server url.  Am I missing something?


Thanks for your help!

@mjonestx: On which version of Windows are you having this problem? Is your server URL public, or can you otherwise see what `Content-Type` response header it's sending (using Fiddler or similar?) If you try the sample link at, does it pop the UI?





My client pc is running Windows 10 Pro, Version 1909, OS Build: 18363.1500


The Server that is hosting the .vsto Word add-in, is a Windows Server 2016 server running SharePoint 2016 on-prem.  


When I click on the url you provided in Edge, I see what is in the following screenshot.


When I click on the 'Launch' link in the "Otherwise, install HelloClickOnce via a setup.exe" section, I see what is in the following screenshot:





, which is not what I see when I click on a link to the .vsto file on my server, such as in the next screenshot:


Here is only download the file directly and does not give me an option to open/run it from the server.


The response header that I get when I click on the v.sto file name is:

HTTP/1.1 200 OK
Cache-Control: max-age=31536000
Content-Type: application/x-ms-vsto
Last-Modified: Wed, 16 Dec 2020 22:47:16 GMT
Accept-Ranges: bytes
ETag: "a1e2e366fdd3d61:0"
Server: Microsoft-IIS/10.0
X-SharePointHealthScore: 0
SPRequestGuid: bb05ce9f-cb20-90a6-2691-8f6809719a7f
request-id: bb05ce9f-cb20-90a6-2691-8f6809719a7f
SPRequestDuration: 8
SPIisLatency: 1
X-Powered-By: ASP.NET
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
Date: Wed, 02 Jun 2021 19:24:07 GMT
Content-Length: 6776


When I click on the 'launch' link on the site you posted, I get the following response header:

Accept-Ranges: bytes
Content-Length: 5915
Content-Type: application/x-ms-application
Date: Wed, 02 Jun 2021 22:00:52 GMT
ETag: "5bb16917add41:0"
Last-Modified: Tue, 15 Jan 2019 21:12:34 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET


Any ideas?  Thanks again!