Update: August 5, 2022 – The fix to enable the ms-appinstaller protocol handler was rolled out to Windows 11 Insider Preview Build 25147 for the Dev Channel. We will provide updates on the availability of the fix when we have them.
Enterprise customers that would like to enable the ms-appinstaller protocol for MSIX can now do so by following these steps:
We were recently notified that the ms-appinstaller protocol for MSIX can be used in a malicious way. Specifically, an attacker could spoof App Installer to install a package that the user did not intend to install. This spoofing vulnerability is being tracked by the Microsoft Security Resource Center (MSRC) and details on the current status can be found in CVE-2021-43890.
We are actively working to address this vulnerability. For now, we have disabled the ms-appinstaller scheme (protocol). This means that App Installer will not be able to install an app directly from a web server. Instead, users will need to first download the app to their device, and then install the package with App Installer. This may increase the download size for some packages.
If you utilize the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing 'ms-appinstaller:?source=' so that the MSIX package or App Installer file will be downloaded to the user's machine.
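As an added example (not Microsoft's code), the Python sketch below finds `ms-appinstaller:` links in a page's HTML and rewrites each one to the plain download URL carried in `source=`. Links whose source is not a single http(s) URL are left untouched and reported for manual review; the sample markup, the function names and the `downloads.example.com` host are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# href="..." or href='...' whose value starts with the ms-appinstaller scheme.
HREF_RE = re.compile(r'''(href\s*=\s*)(["'])(ms-appinstaller:[^"']*)\2''', re.IGNORECASE)

# Constructed sample markup, not taken from any real site.
SAMPLE = """
<a href="ms-appinstaller:?source=https://downloads.example.com/apps/tool.msix">Install</a>
<a href='MS-AppInstaller:?source=https%3A%2F%2Fdownloads.example.com%2Ftool.appinstaller'>Install</a>
<a href="ms-appinstaller:?source=file:///C:/temp/tool.msix">Local copy</a>
<a href="https://downloads.example.com/docs">Docs</a>
"""

def direct_url(link):
    """Return the http(s) URL carried in source=, or None if it cannot be recovered."""
    _, _, query = html.unescape(link).partition("?")
    sources = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        if name == "source":
            sources.append(unquote(value))
    if len(sources) != 1:
        return None  # missing or ambiguous source: leave for a human
    target = urlsplit(sources[0])
    if target.scheme not in ("http", "https") or not target.netloc:
        return None  # only plain web downloads are rewritten
    return sources[0]

def rewrite_links(page):
    """Return (new_html, rewritten_urls, unresolved_links)."""
    rewritten, unresolved = [], []

    def swap(match):
        prefix, quote, link = match.groups()
        target = direct_url(link)
        if target is None:
            unresolved.append(link)
            return match.group(0)
        rewritten.append(target)
        return f"{prefix}{quote}{html.escape(target, quote=True)}{quote}"

    return HREF_RE.sub(swap, page), rewritten, unresolved

if __name__ == "__main__":
    new_html, done, todo = rewrite_links(SAMPLE)
    print(new_html)
    print("rewritten:", done)
    print("needs manual review:", todo)
```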
The MSIX app package format preserves the functionality of existing app packages and/or installation files in addition to enabling new, modern packaging and deployment features for Win32, Windows Presentation Foundation (WPF), and Windows Forms apps. MSIX is designed to make it easy for users to keep their applications up to date and ensure a smooth installation experience.
The ms-appinstaller protocol handler was introduced to enable users to seamlessly install an application by simply clicking a link on a website. What this protocol handler provides is a way for users to install an app without needing to download the entire MSIX package. This experience is popular, and we are thrilled that it has been adopted by so many people today.
We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner. We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.
As mentioned above, we are working to enable this feature as soon as possible. This may require some changes on your part. In the meantime, please refer to the following resources for more information: