Disabling the MSIX ms-appinstaller protocol handler
Published Feb 04 2022 03:01 PM
Microsoft

Update: August 5, 2022 – The fix to enable the ms-appinstaller protocol handler was rolled out to Windows 11 Insider Preview Build 25147 for the Dev Channel. We will provide updates on the availability of the fix when we have them.

Enterprise customers that would like to enable the ms-appinstaller protocol for MSIX can now do so by following these steps:

  • Update to the latest version of App Installer. (An offline version of App Installer is available for download from the Microsoft Download Center if needed.)
  • Download the Desktop App Installer policy, then enable the feature by navigating to the policy in the Local Group Policy Editor (Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer) and selecting “Enable App Installer ms-appinstaller protocol.”

We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way. Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install. This spoofing vulnerability is being tracked by the Microsoft Security Resource Center (MSRC) and details on the current status can be found in CVE-2021-43890.

We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.

Recommended actions

If you use the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing 'ms-appinstaller:?source=' so that the MSIX package or App Installer file will be downloaded to the user's machine.
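One way to apply this recommendation across a site's HTML, shown as an added example that is not part of the original post or Microsoft's code: it strips the 'ms-appinstaller:?source=' prefix from href attributes and lists any link whose remainder is not an absolute http(s) URL for manual review. The function names, the contoso.example host and the handling of percent-encoded source values are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Prefix the article says to remove from links (matched case-insensitively).
PREFIX = re.compile(r"ms-appinstaller:\?source=", re.IGNORECASE)
# Quoted href attribute values: href="..." or href='...'.
HREF = re.compile(r"""(\bhref\s*=\s*)(["'])(.*?)\2""", re.IGNORECASE | re.DOTALL)

def direct_link(href):
    """Return the direct URL, None for other links; ValueError if not http(s)."""
    value = href.strip()
    match = PREFIX.match(value)
    if match is None:
        return None
    target = value[match.end():]
    # Assumption: some pages percent-encode the whole source URL; decode those.
    if re.match(r"https?%3a", target, re.IGNORECASE):
        target = unquote(target)
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {target!r}")
    return target

def rewrite_html(html):
    """Rewrite ms-appinstaller hrefs; return (new_html, changed, needs_review)."""
    changed, needs_review = [], []
    def replace(m):
        attr, quote, old = m.groups()
        try:
            new = direct_link(old)
            if new is None:
                return m.group(0)  # not an ms-appinstaller link: leave untouched
            if quote in new:
                raise ValueError("decoded URL would break out of the attribute")
        except ValueError:
            needs_review.append(old)
            return m.group(0)
        changed.append((old, new))
        return f"{attr}{quote}{new}{quote}"
    return HREF.sub(replace, html), changed, needs_review

# Constructed sample page; contoso.example is a placeholder host.
SAMPLE = """<a href="ms-appinstaller:?source=https://contoso.example/app/MyApp.msix">Install</a>
<a href='MS-AppInstaller:?source=https%3A%2F%2Fcontoso.example%2Fapp%2FMyApp.appinstaller'>Install</a>
<a href="ms-appinstaller:?source=/app/MyApp.msix">Install</a>
<a href="https://contoso.example/docs">Docs</a>"""

if __name__ == "__main__":
    print(rewrite_html(SAMPLE))
```

Links returned in the review list are left unchanged in the output, so a relative or non-HTTP source is never silently turned into a broken download link.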

What is the ms-appinstaller protocol handler?

The MSIX app package format preserves the functionality of existing app packages and/or installation files in addition to enabling new, modern packaging and deployment features for Win32, Windows Presentation Foundation (WPF), and Windows Forms apps. MSIX is designed to make it easy for users to keep their applications up to date and ensure a smooth installation experience.

The ms-appinstaller protocol handler was introduced to enable users to seamlessly install an application by simply clicking a link on a website. What this protocol handler provides is a way for users to install an app without needing to download the entire MSIX package. This experience is popular, and we are thrilled that it has been adopted by so many people today.

When will you re-enable the protocol?

We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner. We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.

Learn more

As mentioned above, we are working to enable this feature as soon as possible. This may require some changes on your part. In the meantime, please refer to the following resources for more information:

 

Last update: Sep 30 2022 02:31 PM