
0 Votes
Knox asked ·

Trying to install my application but getting a Security Warning

I've created an application and built an installer via Publish in Visual Studio. I can install the application on my computer but I have to OK the install. However, other users in my company aren't able to install the application at all. They get a message that says: Your administrator has blocked this application because it potentially poses a security risk to your computer. With no option to accept or bypass.

These applications I'm making are only used within the company. Is there a way to publish my application so it isn't blocked by Windows?


I am experiencing the same issue.

There must be some way of publishing an app in Visual Studio that doesn't require going to every machine and "prepping" it with registry updates or certificates before the SETUP.EXE will work.

0 Votes
TianyuSun-MSFT answered ·

Hello Knox,

Thank you for taking time to post this issue in Microsoft Q&A forum.

Please follow this document: How to: Configure the ClickOnce trust prompt behavior, and try to change the Registry setting value of the related Zone and Options by pressing Windows Key + R > type regedit > find the following registry key: \HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel (if the key does not exist, create it). Also, please note: the registry is very important, so modify it carefully without changing other registry items; you can make a backup before changing it.

Besides, if you try to use a local administrator account to register the machines and install your application, will this issue disappear?

Sincerely,
Tianyu



Is there no easy way to Publish an application so that users can install without getting the "Run anyway?" message or being blocked? Does the Registry have to be changed on every single computer that the application runs on? So when my application runs each time it has to check the Registry and update it to those particular settings?

Just seems like there has to be an easier way than this.

Edit: I've also updated the Registry on my PC and I still get the same messages.

0 Votes
Knox answered ·

I'm wanting to deploy an application on my company's intranet that will allow users to install the application and it will check for an update each time they run the application. All without getting annoying security messages popping up each time.

I've created the application, I've deployed it on our local intranet, the application updates when a new version is available, but the users are bombarded with security messages.

There has to be a tutorial or something that explains the whole process. I've seen some on Microsoft say "Obtain a certificate" but they don't explain how. And then some refer to an EXE called MakeCert.exe, but apparently it's deprecated.

I just don't feel this process should be so difficult. Any tips would be helpful. Thank you.


Hi Knox, Thank you for sharing more information. First of all, did you try to reboot your machine after updating the Registry? I think what you mentioned was this: MakeCert, New-SelfSignedCertificate and ClickOnce and Authenticode. Of course you can make a certificate, and as a tip, before installing your application on other machines, you will also need to import this certificate to every machine.

Besides, from the error message, it seems the issue is related to the Authority and Strategy. To narrow down this issue, could you please share the following information with me?

  1. Do the machines work in some domains and follow some strategies?

  2. Are there some permission restrictions which are related to security risk set in machines by administrator?

  3. Do all the machines have this issue except your machine?

  4. Will this issue disappear if you use different accounts to install your application?

  5. Will this issue disappear if you use administrator account to install your application on other machines?




1 Vote
Brandon-0178 answered ·

I ran into this issue as well and was unable to find an answer that I was happy with. You can edit the registry to get the application to install, but that is not a reasonable deployment strategy, and the registry settings are there to do exactly what they are doing: prevent unauthorized ClickOnce applications from being installed.

We have a code signing certificate that we use to sign our custom applications. When I got the error the first time we noticed that the Publisher was not populated correctly. We had to correct how the signing certificate was used in the project and recompile. I still got the error, but the publisher information was correct this time.

If I click on the publisher hyper link it prompted me to install the code signing certificate.

You have the choice to store the cert in the Current User or Local Machine stores. If the app is specific to just one user then the Current User store is fine. Each user opening the application for the first time on each machine would have to go through this process. If all users using the machine would need the application then I would opt for Local Machine. You do need administrative rights to install the cert in the Local Machine store.

When installing the cert it gives you the option for Windows to choose where the cert goes or you can force it to place the cert in a specific store. I tried the automatic option first which did not work. It put the cert in the Other People store. I repeated the process and forced the cert into the Trusted Publishers store and then the application was able to open. I did not experiment with publishing the cert to other stores.

My trust manager prompting level registry settings remain disabled.

We proactively deploy our code signing certificate to the Local Machine Trusted Publisher store on all appropriate corporate workstations so that our in-house click once apps work for our employees. If you are creating apps for customers outside of your organization you will probably want to get a third party code signing cert. We only use our apps internal to our network so we used our internal certificate authority to create our code signing cert.
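
The deployment step described in the answer above, sketched as an added example that is not part of the original post or any poster's own script: it vets the publisher certificate, places it in the Local Machine Trusted Publishers store, and reports the prompting-level settings mentioned earlier in the thread. Both file paths are hypothetical placeholders, and the script assumes an elevated PowerShell session.

```powershell
# Added example. Run from an elevated prompt; both paths are placeholders.
param(
    [string]$PublisherCer = 'C:\Deploy\InternalCodeSigning.cer',  # hypothetical: public cert only, no private key
    [string]$SetupExe     = 'C:\Deploy\MyApp\setup.exe'           # hypothetical: published ClickOnce bootstrapper
)
$ErrorActionPreference = 'Stop'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PublisherCer)

# 1. Only trust a certificate that is meant for code signing (EKU OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.3')) {
    throw "Certificate $($cert.Thumbprint) has no Code Signing EKU."
}

# 2. The chain must end in a root this machine already trusts (for example the internal CA's root).
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation checking is left out here
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain does not build to a trusted root: $why"
}

# 3. Machine-wide Trusted Publishers: the store that worked in the answer above.
Import-Certificate -FilePath $PublisherCer -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 4. Confirm the bootstrapper is signed by that same certificate.
#    This checks setup.exe only; the ClickOnce manifests carry XML signatures, not Authenticode.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "setup.exe signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject)"
}

# 5. Report the ClickOnce prompting levels without changing them.
$key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
if (Test-Path $key) {
    Get-ItemProperty -Path $key |
        Select-Object MyComputer, LocalIntranet, TrustedSites, Internet, UntrustedSites
} else {
    'PromptingLevel key not present; ClickOnce defaults apply.'
}
```

A warning at step 4 corresponds to the "Publisher was not populated correctly" symptom described above and points to the signing settings of the project, not to the workstation.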



0 Votes
69673825 answered ·

I used to sell software I wrote myself, and antivirus and Windows Defender are a nightmare.
You have to get your software whitelisted.
On the PC you're running on, you have to register your software with Windows Defender to stop it complaining.
This is even after signing the software.


Same problem here, I want to sell my software. I got still a code-signing cert, but a few messages with Defender stay. Can you explain how you solved this?
