question

AndySchmidtandyschm-2969 avatar image
0 Votes"
AndySchmidtandyschm-2969 asked AndySchmidtandyschm-2969 commented

Why won't App Installer install signed MSIX?

I am developing a WinUI3 MSIX -based application. I have a valid code signing certificate that has signed the MSIX. When I double click the MSIX to install with App Installer, on the first screen it verifies the app as a Trusted App (see first attached screenshot). However, when I click the Install button, the installation fails with the error message "This app package is not supported for installation by App Installer because it uses certain restricted capabilities." (See the second attached screenshot) The install is being attempted on Windows 10 Enterprise 21H1 OS build 19043.1165.

  • Why won't the App Installer install this MSIX package? I thought the most recent Windows 10 release would install a properly signed MSIX without being denied for using so-called restricted capabilities.

  • Why does the first App Installer screen verify this package as a trusted app and indicate the package can be installed, only to abort the installation indicating that the package has not been verified?

  • To add more confusion, the MSIX installs successfully from PowerShell with the command Add-AppxPackage -Path '.\TrustedAccess-WinUI3 (Package)_1.0.0.0_x64.msix'. Why does App Installer fail, while PowerShell Add-AppxPackage succeeds?

127743-trusted-access-appinstaller-screen-1.png


127627-trusted-access-appinstaller-screen-2.png







windows-app-sdk-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

XiaopoYang-MSFT avatar image
0 Votes"
XiaopoYang-MSFT answered AndySchmidtandyschm-2969 commented

According to the issue, perhaps the MSIX is not signed from the Store yet and as such it must be sideloaded as a developer tool.

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

But according to Microsoft documentation, sideloading is enabled by default for MSIX apps with a valid code signature. MSIX packages with valid signatures no longer needed to go through the Microsoft Store. This documentation does not mention that MSIX apps with valid code signatures that also have the restricted capability of disabling registry write virtualization are disabled from sideloading. Also it does not explain the very peculiar behavior that while the App Installer fails to install the package, PowerShell Add-AppxPackage succeeds.

0 Votes 0 ·

This is an intentional limitation in the App Installer. The Installer will refuse to install a package that declares the unvirtualizedResources capability. You must install such packages using Add-AppxPackage in PowerShell. This was done to discourage use of that capability.

0 Votes 0 ·

Where does Microsoft document this? This is a major limitation. Especially since the claim "Uses all system resources" implies that this should not be the case.

0 Votes 0 ·

In fact, this Microsoft document specifically states

 Restricted capabilities are intended for very specific scenarios. The use of these capabilities is highly restricted and subject to additional Store onboarding policy and review. Note that you can sideload apps that declare restricted capabilities without needing to receive any approval. Approval is only required when submitting these apps to the Store.



0 Votes 0 ·
AndySchmidtandyschm-2969 avatar image
0 Votes"
AndySchmidtandyschm-2969 answered

This Microsoft documentation says that app with restricted capabilities can be sideloaded. So the App Installer should be able to install this MSIX package.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.