
MSIX Packaging Tool Firewall Rule Failure

The Microsoft MSIX Packaging Tool:

  • Does not detect firewall rules added by the installer and add them as Desktop2 manifest entries.
  • Does not capture HKLM\Software\Services\CurrentControlSet\Services\SharedAccess registry entries even though this key is not included in the registry filter list of the tool.

The former keeps the package as incomplete, but the latter keeps other tools from remediating the problem.

12 Replies

Thank you for the feedback, we will add this to our backlog of items for the next release.

Any idea already when this firewall adding is fixed in MSIX?

I tested the firewall in the manifest today and it was working fine. After installing several rules are created and when uninstalling they were removed.

OK, it was not captured, but manually added like we normally do also with App-V.

Did some more testing with the created MSIX package. When deploying using MSIX App Attach, the firewall rules are not added. This is probably due to the fact MSIX App Attach deploys the package using the user account and the user has by default no rights to modify firewall rules. Any idea how to get this resolved? Using policies is also not possible, since the mounted package had a random number in it 😞

@TIMOTHY_MANGAN: Can you share the app where you had this issue? We are trying to recreate the scenario.

@Aniket_Banerjee: The original was a customer owned app I can't share, so UltraVNC will do. Perhaps @Pollewops can share whatever app he was fixing up also.

Think as Timothy said, all apps will do if you create a firewall rule. I can do some testing myself if I do not forget to see if it is fixed. Just create an MSIX package and create a rule. Will it be captured?

Hi @TIMOTHY_MANGAN

We tried converting UltraVNC in a test environment. MPT does detect the firewall, but it adds firewall rules to registry:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules instead of registry location you mentioned - HKLM\Software\Services\CurrentControlSet\Services\SharedAccess.

Maybe try TeamViewer. The package created by MMPT 2023.118 did not include a firewall entry in the manifest, but after installation I do see an entry under CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{guid}

The native installer is adding in the firewall rule properly, and it works natively, but when captured by the MMPT the package does not contain either any values under any SharedAccess key, and it is not in the Manifest as an extension. The result is that when you run the application from the MSIX package the end user is prompted for adding the firewall in. This isn't all that bad of an impact, but just not right either.

best response confirmed by TIMOTHY_MANGAN (MVP)
Solution
We tried TeamViewer, but it adds firewall rules as expected - in SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

We tried, but couldn't find an app that writes firewall rules in:
SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules

OK. The original would have been against a much older MMPT, so it might have been addressed. TeamViewer is OK. It is not unheard of for an app developer to drop down local policies instead of direct configuration; I'll re-open if I run into it again with a publicly available app.
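
One way to check which of the two registry locations quoted in this thread an installer writes its firewall rules to, as an added example that is not part of any post above. The key paths are the ones given in the replies; the function names `Get-FirewallRuleSnapshot` and `Compare-FirewallRuleSnapshot` are hypothetical.

```powershell
# Added example: find which firewall-rule registry key an installer writes to.
# Key paths are the two quoted in the thread; function names are hypothetical.
$RuleKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
)

function Get-FirewallRuleSnapshot {
    # Returns a hashtable mapping "<key path>|<value name>" to the rule string.
    $snapshot = @{}
    foreach ($key in $RuleKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }  # the policy key may not exist
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $snapshot["$key|$name"] = [string]$regKey.GetValue($name)
        }
    }
    return $snapshot
}

function Compare-FirewallRuleSnapshot {
    param([hashtable] $Before, [hashtable] $After)
    # Walk the union of ids so added, removed and modified rules are all reported.
    $ids = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $change = $null
        if (-not $Before.ContainsKey($id)) {
            $change = 'Added'
        } elseif (-not $After.ContainsKey($id)) {
            $change = 'Removed'
        } elseif ($Before[$id] -ne $After[$id]) {
            $change = 'Modified'
        }
        if ($change) {
            $key, $name = $id -split '\|', 2
            $rule = if ($change -eq 'Removed') { $Before[$id] } else { $After[$id] }
            [pscustomobject]@{ Change = $change; Key = $key; ValueName = $name; Rule = $rule }
        }
    }
}

# Snapshot, install, then report what changed and under which key.
$before = Get-FirewallRuleSnapshot
Read-Host 'Run the native installer (or install the MSIX package), then press Enter' | Out-Null
Compare-FirewallRuleSnapshot -Before $before -After (Get-FirewallRuleSnapshot) | Format-List
```

Running it once around the native installer and once around the MSIX package install shows whether a rule that appears natively is missing from the packaged deployment, and whether it lands under the Services key or the Policies key.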