
The ms-appinstaller protocol has been disabled.


I just found out that users can no longer install my MSIX from my website. This is a WPF application packaged with "Windows Application Packaging Project" (wapproj). When users click the "Get the app" button they now see the error below saying the protocol has been disabled. Why is this? Is this permanent? Is there a way to enable it?

 

There's a short mention of this in the docs but it doesn't mention why this is happening or how to enable it. 

Installing Windows 10 apps from a web page - MSIX | Microsoft Docs

 

Is this no longer supported?

 

<html>
    <body>
        <h1> MyApp Web Page </h1>
        <a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
        <a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle  </a>
        <a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a>
    </body>
</html>

 

 

 

The ms-appinstaller protocol has been disabled. Please ask the vendor to update the weblink. For more information go to aka.ms/ms-appinstaller-disabled

57 Replies
What is the link supposed to mean? I have the same issue and the app cannot be installed by our clients.

I also could not access Microsoft sites from the Firefox browser and had to disable OCSP settings, I think this is the same issue, it started yesterday.
For info, the Windows Store App Installer has also been disabled, it cannot be downloaded.
We are seeing the same issues within our company. Anybody on the old version of App Installer can launch ms-appinstaller just fine, anybody on the 12/14/2021 version it says the protocol has been disabled. It's creating quite a lot of problems right now and we have a support case in.
Thank you for your help. Let's hope it is fixed soon.

This broke the installation and update process for my commercial Windows app overnight because some hacker used a legitimate, documented "this is how you publish Windows apps" to distribute malware?

How is this considered an acceptable mitigation?

I have a $3k Extended Identity certificate that I sign my installer packages with, but now it's illegitimate to install it because a malicious payload was discovered somewhere else?

I've reported this as a DoS to the Microsoft Security team:

https://msrc.microsoft.com/submission/VULN-058721
best response confirmed by bvenhaus (Copper Contributor)
Solution

@bvenhaus Thank you for your question. We removed the ms-appinstaller custom scheme due to a security vulnerability. We do intend to bring this back, and are working on it. For now, you can update the link on your website by removing 'ms-appinstaller:?source='

 

<html>
    <body>
        <h1> MyApp Web Page </h1>
        <a href="http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
        <a href="http://mywebservice.azureedge.net/HubAppBundle.msixbundle"> Install app bundle  </a>
        <a href="http://mywebservice.azureedge.net/HubAppSet.appinstaller"> Install related set </a>
    </body>
</html>

 

 

@Aditi_Narvekar Do you have a timeframe on when it will come back? Removing the ms-appinstaller prefix doesn't really work as it then asks the user to download the file. Once downloaded they have to choose to run it, which is a complete deviation from what ms-appinstaller did. Also you cannot pass parameters on to the application with a direct link, ms-appinstaller allowed for that. Unfortunately this has completely brought down our distribution system.

Anyone found a workaround for the wapproj generated html? I don't love having to edit it every time I deploy a test build.
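
Added example, not part of the thread or of Microsoft's tooling: a Python post-build step that applies the link change from the accepted reply to a generated page, so the HTML does not have to be edited by hand after each deploy. The sample HTML, the `extra` parameter, the `example.invalid` host and the function name are constructed for illustration.

```python
import re
import sys
from urllib.parse import unquote

# href="ms-appinstaller:?source=<url>[&other=...]" in either quote style.
_HREF = re.compile(
    r'''(href\s*=\s*)(["'])ms-appinstaller:\?source=([^"']*)\2''',
    re.IGNORECASE,
)

# Constructed sample modelled on the snippet in this thread; "extra" is a
# hypothetical protocol parameter, example.invalid a placeholder host.
SAMPLE = """<a href="ms-appinstaller:?source=http://mywebservice.azureedge.net/HubApp.msix"> Install app package </a>
<a href='ms-appinstaller:?source=https%3A%2F%2Fexample.invalid%2FHubAppSet.appinstaller&amp;extra=1'> Install related set </a>
<a href="https://example.invalid/help.html"> Help </a>"""


def rewrite_appinstaller_links(html):
    """Return (new_html, report); report rows are (url, dropped, plain_http)."""
    report = []

    def _direct(match):
        prefix, quote, value = match.groups()
        # Split off parameters that follow source=; a direct link cannot carry them.
        source, _, dropped = value.replace("&amp;", "&").partition("&")
        # Decode only when the whole URL was percent-encoded.
        url = source if "://" in source else unquote(source)
        report.append((url, dropped, url.lower().startswith("http://")))
        return f"{prefix}{quote}{url}{quote}"

    return _HREF.sub(_direct, html), report


if __name__ == "__main__":
    # With a path argument, rewrite that file in place; otherwise use SAMPLE.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE
    fixed, rows = rewrite_appinstaller_links(text)
    if path:
        with open(path, "w", encoding="utf-8") as out:
            out.write(fixed)
    for url, dropped, plain_http in rows:
        note = f" dropped={dropped!r}" if dropped else ""
        print(f"rewrote -> {url}{note}{' [plain HTTP]' if plain_http else ''}")
```

The report lists any parameters that were dropped from a link and marks package URLs served over plain HTTP, so both can be reviewed before the page is published.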

@Aditi_Narvekar could you please restore this functionality ASAP?  This was a major sweeping break of what must be thousands of apps, if not more.

 

If the issue is unsigned apps using ms-appinstaller and carrying a malicious payload, please mitigate by disabling unsigned apps.  If the issue is an EV certificate signed app using ms-appinstaller and carrying a malicious payload, please use certificate revocation to address the vulnerability.

I switched my application to use MSIX and an EV certificate because this is the best practice and most up to date tooling (via Visual Studio) for distributing a Windows app outside of the MS Store.  This action has revoked, without notification, the proper way to securely distribute non-public Windows apps.

The cure is more harmful than the disease in this case.

I wonder if @Aditi_Narvekar understands the implication for Microsoft customers with this issue? It would also be good for a reply to Jay Beavers' request.

It leaves our customers in a vulnerable situation by not being able to receive security updates to the framework, downloading the app is not a viable option - please restore this protocol asap, we will all be losing business caused by this issue.


@Aditi_Narvekar - As MSIX is the flagship technology for deploying and updating Microsoft applications, I hope M$ is taking what amounts to a service outage as a very high priority. This issue has broken our entire devops workflow and is affecting user confidence in the solution. The additional manual steps required as a workaround at the moment are not appropriate for our user base.

I'm affected by this as well. Can we have a timeline for when this is likely to be fixed?
This is a killer. Please provide an ETA for this fix.
Agreed, this is crazy, how can you break our devops workflow like this?

The security team declined to investigate the issue, citing this thread as the official guidance.

If you have a support channel through MSFT from your business, please open and escalate an issue.  It doesn't feel like the people engaged in this conversation realize the implication of their actions and I haven't yet found someone to take responsibility for fixing it.

---

Received via email:

Hello Jay,

Thank you for contacting the Microsoft Security Response Center (MSRC). We appreciate the time taken to submit this issue.

We are aware of the issue you have reported regarding the MSIX installer. While this issue doesn't meet the definition of a vulnerability that MSRC can help with, we are aware that the issue is being supported through the following resources:

https://docs.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web -> "The ms-appinstaller scheme(protocol) has been disabled."

and

https://techcommunity.microsoft.com/t5/msix-deployment/the-ms-appinstaller-protocol-has-been-disable... where Aditi_Narvekar from Microsoft has replied.

and you may also contact support for more information:

Contact Us - Microsoft Support

We have also shared your feedback with the engineering team who own the ms-appinstaller scheme(protocol).

As such, this MSRC thread is being closed and no longer monitored. We apologize for any inconvenience this may have caused. More information on reporting a security vulnerability can be found at https://www.microsoft.com/msrc/faqs-report-an-issue.

Regards,

Duncan 

MSRC

@Aditi_Narvekar Could you provide us any additional information on this?  This has serious implications on how we distribute certain apps.

 

Can you at least confirm if it will eventually be restored?  I understand if you cannot provide a timeline yet but we would like to know so we can plan accordingly.  I would hate to go through the trouble of implementing an alternative (albeit less effective) approach only to have it restored shortly afterwards.

 

Thanks.

Ernie

I've now opened a business support ticket on this from my company's support contract and set it to Sev-A, Critical Impact. I'll post here if I get traction.