App capability declarations

[ Updated for UWP apps on Windows 10. For Windows 8.x articles, see the archive ]

Capabilities must be declared in your Universal Windows Platform (UWP) app's package manifest to access certain APIs or resources, such as pictures and music, or devices such as the camera or the microphone.

You request access to specific resources or APIs by declaring capabilities in your app's package manifest. You can declare general capabilities by using the Manifest Designer in Microsoft Visual Studio, or you can add them manually. For more information, see How to specify capabilities in a package manifest. It is important to know that when customers get your app from the Store, they're notified of all the capabilities that the app declares. Avoid declaring capabilities that your app doesn't need.

Some capabilities provide apps with access to a sensitive resource. These resources are considered sensitive because they can access the user's personal data or cost the user money. Privacy settings, managed by the Settings app, let the user dynamically control access to sensitive resources. Thus, it's important that your app doesn't assume a sensitive resource is always available. For more info about accessing sensitive resources, see Guidelines for privacy-aware apps. Capabilities that provide apps with access to a sensitive resource are annotated by an asterisk (*) next to the capability scenario.

This article reviews four categories of capabilities described below.

  • General-use capabilities that apply to most common app scenarios.

  • Device capabilities that allow your app to access peripheral and internal devices.

  • Special-use capabilities that require a special company account for submission to the Store to use them. For more info about company accounts, see Account types, locations, and fees.

  • Restricted capabilities that are only available to Microsoft and its partners.

General-use capabilities

General-use capabilities apply to the most common app scenarios.

Capability scenario Capability usage
Music* The musicLibrary capability provides programmatic access to the user's Music, allowing the app to enumerate and access all files in the library without user interaction. This capability is typically used in jukebox apps that make use of the entire Music library.

The file picker provides a robust UI mechanism that lets users open files for use with an app. Declare the musicLibrary capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The musicLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="musicLibrary"/></Capabilities>
Pictures* The picturesLibrary capability provides programmatic access to the user's Pictures, allowing the app to enumerate and access all files in the library without user interaction. This capability is typically used in photo apps that make use of the entire Pictures library.

The file picker provides a robust UI mechanism that lets users open files for use with an app. Declare the picturesLibrary capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The picturesLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="picturesLibrary"/></Capabilities>
Videos* The videosLibrary capability provides programmatic access to the user's Videos, allowing the app to enumerate and access all files in the library without user interaction. This capability is typically used in movie-playback apps that make use of the entire Videos library.

The file picker provides a robust UI mechanism that lets users open files for use with an app. Declare the videosLibrary capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The videosLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="videosLibrary"/></Capabilities>
Removable Storage The removableStorage capability provides programmatic access to files on removable storage, like USB keys and external hard drives, filtered to the file-type associations declared in the package manifest. For example, if a document-reader app declares a .doc file-type association, it can open .doc files on the removable storage device, but not other types of files. Be careful when you declare this capability, because users may include a variety of info in their removable storage devices, and will expect your app to provide a valid justification for programmatic access to the removable storage for all files of the declared type.

Users will expect your app to handle any file associations that you declare. So don't declare file associations that your app cannot handle responsibly. The file picker provides a robust UI mechanism that lets users open files for use with an app.

Declare the removableStorage capability only when the scenarios for your app require programmatic access and can't be realized by using the file picker.

The removableStorage capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="removableStorage"/></Capabilities>
Internet and public networks* There are two capabilities that provide different levels of access to the Internet and public networks.

The internetClient capability indicates that apps can receive incoming data from the Internet. Cannot act as a server. No local network access.
The internetClientServer capability indicates that apps can receive incoming data from the Internet. Can act as a server. No local network access.

Most apps that have a web service component will use internetClient. Apps that enable peer-to-peer (P2P) scenarios where the app needs to listen for incoming network connections should use internetClientServer. The internetClientServer capability includes the access that the internetClient capability provides, so you don't need to specify internetClient when you specify internetClientServer.
Home and work networks* The privateNetworkClientServer capability provides inbound and outbound access to home and work networks through the firewall. This capability is typically used for games that communicate across the local area network (LAN), and for apps that share data across a variety of local devices. If your app specifies musicLibrary, picturesLibrary, or videosLibrary, you don't need to use this capability to access the corresponding library in a Home Group. On Windows, this capability does not provide access to the Internet.
Appointments The appointments capability provides access to the user’s appointment store. This capability allows read access to appointments obtained from the synced network accounts and to other apps that write to the appointment store. With this capability, your app can create new calendars and write appointments to calendars that it creates.

The appointments capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="appointments"/></Capabilities>
Contacts* The contacts capability provides access to the aggregated view of the contacts from various contacts stores. This capability gives the app limited access (network permitting rules apply) to contacts that were synced from various networks and the local contact store.

The contacts capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="contacts"/></Capabilities>
Code generation The codeGeneration capability allows apps to access the following functions which provide JIT capabilities to apps.

VirtualProtectFromApp
CreateFileMappingFromApp
OpenFileMappingFromApp
MapViewOfFileFromApp
AllJoyn The allJoyn capability allows AllJoyn-enabled apps and devices on a network to discover and interact with each other.

All apps that access APIs in the Windows.Devices.AllJoyn namespace must use this capability.
Phone calls The phoneCall capability allows apps to access all of the phone lines on the device and perform the following functions.

Place a call on the phone line and show the system dialer without prompting the user.
Access line-related metadata.
Access line-related triggers.
Allows the user-selected spam filter app to set and check block list and call origin information.

The phoneCall capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="phoneCall"/></Capabilities>
The phoneCallHistoryPublic capability allows apps to read cellular and some VOIP call history information on the device. This capability also allows the app to write VOIP call history entries. This capability is required to access all members of the PhoneCallHistoryStore class.
Recorded Calls Folder* The recordedCallsFolder device capability allows apps to access the recorded calls folder.

The recordedCallsFolder capability must include the mobile namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><mobile:Capability Name="recordedCallsFolder"/></Capabilities>
User Account Information* The userAccountInformation capability gives apps the ability to access the user's name and picture.

This capability is required to access some APIs in the Windows.System.UserProfile namespace.

The userAccountInformation capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="userAccountInformation"/></Capabilities>
VOIP calling The voipCall capability allows apps to access the VOIP calling APIs in the Windows.ApplicationModel.Calls namespace.

The voipCall capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="voipCall"/></Capabilities>
3D Objects The objects3D capability allows apps to have programmatic access to the 3D object files. This capability is typically used in 3D apps and games that need access to the entire 3D objects library.

This capability is required to access the folder that contains the 3D objects using APIs in the Windows.Storage namespace.

The objects3D capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="objects3D"/></Capabilities>
Read Blocked Messages* The blockedChatMessages capability allows apps to read SMS and MMS messages that have been blocked by the Spam Filter app.

This capability is required to access the blocked messages using APIs in the Windows.ApplicationModel.Chat namespace.

The blockedChatMessages capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="blockedChatMessages"/></Capabilities>
IoT Low-level Bus Hardware The lowLevelDevices capability allows apps that run on IoT devices to access low-level bus hardware such as GPIO, I2C, SPI, ADC, and PWM.

This capability is required to access some APIs in the Windows.Devices.Spi namespaces.

The lowLevelDevices capability must include the iot namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><iot:Capability Name="lowLevelDevices"/></Capabilities>
IoT System Administration The systemManagement capability allows apps to have basic system administration privileges such as shutting down or rebooting, locale, and timezone.

This capability is required to access some of the APIs in the Windows.System namespace.

The systemManagement capability must include the iot namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><iot:Capability Name="systemManagement"/></Capabilities>
Background Media Playback The backgroundMediaPlayback capability changes the behavior of the media-specific APIs like the MediaPlayer and AudioGraph classes to enable media playback while your app is in the background. All active audio streams will no longer mute, but will continue to be audible when an app transitions to the background. Additionally, app lifetime will be extended automatically while playback is occurring.
Remote System The remoteSystem capability allows apps to have access to a list of devices associated with the user's Microsoft Account. Access to the device list is necessary to perform any operations that persist across devices. This capability is required to access all members of the following.

Windows.System.RemoteSystems namespace
Windows.System.RemoteLauncher namespace
AppServiceConnection.OpenRemoteAsync method

Device capabilities

Device capabilities allow your app to access peripheral and internal devices. Device capabilities are specified by using the DeviceCapability element in your app package manifest. This element may require additional child elements and some device capabilities need to be added to the package manifest manually. For more info, see How to specify device capabilities in a package manifest and DeviceCapability Schema reference.

Capability scenario Capability usage
Location* The location capability provides access to location functionality that is retrieved from dedicated hardware like a GPS sensor in the PC or is derived from available network info. Apps must handle the case in which the user has disabled location services from the Settings charm.
Microphone The microphone capability provides access to the microphone’s audio feed, which allows the app to record audio from connected microphones. Apps must handle the case in which the user has disabled the microphone from the Settings charm.
Proximity The proximity capability enables multiple devices in close proximity to communicate with one another. This capability is typically used in casual multi-player games and in apps that exchange information. Devices attempt to use the communication technology that provides the best possible connection, including Bluetooth, Wi-Fi, and the Internet. This capability is used only to initiate communication between the devices.
Webcam The webcam capability provides access to the video feed of a built-in camera or external webcam, which allows the app to capture photos and videos. On Windows, apps must handle the case in which the user has disabled the camera from the Settings charm.
The webcam capability only grants access to the video stream. In order to grant access to the audio stream as well, the microphone capability must be added.
USB The usb device capability enables access to APIs in the Updating the app manifest package for a USB device.
Human interface device (HID) The humaninterfacedevice device capability enables access to APIs in the How to specify device capabilities for HID.
Point of Service (POS) The pointOfService device capability enables access to APIs in the Windows.Devices.PointOfService namespace. This namespace lets your app access Point of Service (POS) barcode scanners and magnetic stripe readers. The namespace provides a vendor-neutral interface for accessing POS devices from various manufacturers from a Windows Store app.
Bluetooth The bluetooth device capability allows apps to communicate with already paired Bluetooth devices over both the Generic Attribute (GATT) and Classic Basic Rate (RFCOMM) protocols.
This capability is required to use some APIs in the Windows.Devices.Bluetooth namespace.
Wi-Fi Networking The wiFiControl device capability allows apps to scan and connect to Wi-Fi networks.
This capability is required to use some APIs in the Windows.Devices.WiFi namespace.
Radio state The radios device capability allows apps to toggle the Wi-Fi and Bluetooth radios.
This capability is required to use the APIs in the Windows.Devices.Radios namespace.
Optical disc The optical device capability allows apps to access functions on optical disk drives such as CD, DVD, and Blu-ray.
This capability is required to use some APIs in the Windows.Devices.Custom namespace.
Motion activity The activity device capability allows apps to detect the current motion of the device.
This capability is required to use some APIs in the Windows.Devices.Sensors namespace.
Serial communication The serialcommunication device capability provides access to APIs in the Windows.Devices.SerialCommunication namespace, which allows a Windows app to communicate with a device that exposes a serial port or some abstraction of a serial port. This capability is required to use the APIs in the Windows.Devices.SerialCommunication namespace.

Special and restricted capabilities

There are cases where such capabilities are necessary and appropriate, such as banking with two-factor authentication, where users provide a smart card with a digital certificate that confirms their identity. Other apps may be designed primarily for enterprise customers and may need access to corporate resources that cannot be accessed without the user’s domain credentials.

Apps that declare special-use capabilities require a company account to submit them to the Store. In contrast, restricted capabilities do not require a special company account for the Store. Restricted capabilities are available for developers to use in their app, but require approval for store submission. For more information about company accounts, see Account types, locations, and fees.

Restricted capabilities are declared differently from other capabilities: each one must include the rescap namespace when you declare it in your app's package manifest. The following example shows how to declare the appCaptureSettings capability.

<Capabilities>
    <rescap:Capability Name="appCaptureSettings"/>
</Capabilities>

You must also add the xmlns:rescap namespace declaration at the top of the Package.appxmanifest file as shown below.

<Package
    xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
    xmlns:mp="http://schemas.microsoft.com/appx/2014/phone/manifest"
    xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
    IgnorableNamespaces="uap mp rescap">
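
An added example (not Microsoft's tooling and not code from this page): a Python audit that checks each capability declared in a manifest against a subset of the tables above, reporting a wrong namespace or element, asterisked (sensitive) capabilities, Store restrictions, and an internetClient declaration made redundant by internetClientServer. The KNOWN table, the finding codes and both sample manifests are constructed for illustration, and un-prefixed Capability and DeviceCapability elements are assumed to belong to the foundation namespace.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as shown in the <Package> element on this page.
FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
UAP = "http://schemas.microsoft.com/appx/manifest/uap/windows10"
RESCAP = FOUNDATION + "/restrictedcapabilities"
PREFIX = {FOUNDATION: "no prefix", UAP: "uap", RESCAP: "rescap"}

# name -> (element, namespace, marked '*' sensitive on this page, Store note).
# A subset of the page's tables. Assumption: un-prefixed <Capability> and
# <DeviceCapability> elements belong to the foundation namespace.
KNOWN = {
    "internetClient": ("Capability", FOUNDATION, True, None),
    "internetClientServer": ("Capability", FOUNDATION, True, None),
    "privateNetworkClientServer": ("Capability", FOUNDATION, True, None),
    "musicLibrary": ("Capability", UAP, True, None),
    "picturesLibrary": ("Capability", UAP, True, None),
    "videosLibrary": ("Capability", UAP, True, None),
    "removableStorage": ("Capability", UAP, False, None),
    "contacts": ("Capability", UAP, True, None),
    "documentsLibrary": ("Capability", UAP, True, "special-use; access must be requested"),
    "sharedUserCertificates": ("Capability", UAP, False, "special-use; no one may request"),
    "appCaptureSettings": ("Capability", RESCAP, False, "restricted; no one may request"),
    "inputInjection": ("Capability", RESCAP, False, "restricted; access must be requested"),
    "inputObservation": ("Capability", RESCAP, True, "restricted; access must be requested"),
    "location": ("DeviceCapability", FOUNDATION, True, None),
    "microphone": ("DeviceCapability", FOUNDATION, False, None),
    "webcam": ("DeviceCapability", FOUNDATION, False, None),
}

# Constructed sample manifest with deliberate mistakes for the audit to find.
SAMPLE_MANIFEST = f"""<Package xmlns="{FOUNDATION}" xmlns:uap="{UAP}"
    xmlns:rescap="{RESCAP}" IgnorableNamespaces="uap rescap">
  <Capabilities>
    <Capability Name="internetClient"/>
    <Capability Name="internetClientServer"/>
    <Capability Name="picturesLibrary"/>           <!-- missing uap: -->
    <uap:Capability Name="inputObservation"/>      <!-- should be rescap: -->
    <rescap:Capability Name="appCaptureSettings"/>
    <Capability Name="webcam"/>                    <!-- should be DeviceCapability -->
    <DeviceCapability Name="location"/>
  </Capabilities>
</Package>"""

# Constructed sample: rescap: is used but xmlns:rescap is never declared.
MISSING_XMLNS = f"""<Package xmlns="{FOUNDATION}">
  <Capabilities><rescap:Capability Name="inputInjection"/></Capabilities>
</Package>"""


def audit(manifest_xml):
    """Return a list of (code, capability, detail) findings for a manifest string."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        # An undeclared prefix such as rescap: makes the manifest ill-formed.
        return [("PARSE", "", str(exc))]
    findings, declared = [], set()
    for caps in root.iter("{%s}Capabilities" % FOUNDATION):
        for el in caps:
            # ElementTree tags look like "{namespace-uri}LocalName".
            ns, _, element = el.tag[1:].partition("}")
            name = el.get("Name", "")
            declared.add(name)
            if name not in KNOWN:
                findings.append(("UNKNOWN", name, "not in the table subset; review by hand"))
                continue
            want_el, want_ns, sensitive, store = KNOWN[name]
            if element != want_el:
                findings.append(("WRONG_ELEMENT", name, f"declare with <{want_el}>"))
            elif ns != want_ns:
                findings.append(("WRONG_NS", name,
                                 f"declared with {PREFIX.get(ns, ns)}, needs {PREFIX[want_ns]}"))
            if sensitive:
                findings.append(("SENSITIVE", name,
                                 "user can revoke access in Settings; handle denial"))
            if store:
                findings.append(("STORE", name, store))
    if {"internetClient", "internetClientServer"} <= declared:
        findings.append(("REDUNDANT", "internetClient",
                         "already included in internetClientServer"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_MANIFEST), ("missing xmlns", MISSING_XMLNS)):
        print(f"== {label} ==")
        for code, name, detail in audit(xml_text):
            print(f"{code:14} {name:22} {detail}")
```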

Important
Special and restricted capabilities are intended for very specific scenarios. The use of these capabilities is highly restricted and subject to additional Store onboarding policy and review. Follow the steps below to request access to a restricted capability before submitting your app to the store.

  1. Determine if you are eligible to submit your app to the store with a specific restricted capability by looking at the table below. If you are not eligible, any requests you make will be denied.
  2. If you are eligible, visit the Windows Developer support page.
  3. Under Contact Us, select the Issue Type Applications and then Subcategory Other.
  4. Include the capability you are requesting access to and include a reason for your request. If you do not provide all the information necessary, your request will be denied. You may also be asked to provide more information.

Note We review requests on a case-by-case basis, and a response will take 5 business days or longer. We highly recommend that you submit your request well in advance of submitting your app to the store.

Capability scenario Capability usage
Enterprise Windows domain credentials enable a user to log into remote resources using their credentials, and act as if a user provided their user name and password. The enterpriseAuthentication special capability is typically used in line-of-business apps that connect to servers within an enterprise.

You don't need this capability for generic communication across the Internet.

The enterpriseAuthentication special capability is intended to support common line-of-business apps. Don't declare it in apps that don't need to access corporate resources. The file picker provides a robust UI mechanism that enables users to open files on a network share for use with an app. Declare the enterpriseAuthentication special capability only when the scenarios for your app require programmatic access, and you cannot realize them by using the file picker.

The enterpriseAuthentication capability must include the uap namespace when you declare it in your app's package manifest as shown below.

XML
<Capabilities><uap:Capability Name="enterpriseAuthentication"/></Capabilities>
The enterpriseDataPolicy capability allows apps to define and use enterprise-specific policies for the device. This capability is required to use all members of the following classes.

Anyone may request access to this capability for store submission.
Shared user certificates The sharedUserCertificates special capability enables an app to add and access software and hardware-based certificates in the Shared User store, such as certificates stored on a smart card. This capability is typically used for financial or enterprise apps that require a smart card for authentication.

The sharedUserCertificates capability must include the uap namespace when you declare it in your app's package manifest as shown below.

XML
<Capabilities><uap:Capability Name="sharedUserCertificates"/></Capabilities>


No one may request access to this capability for store submission.
Documents* The documentsLibrary special capability provides programmatic access to the user's Documents, filtered to the file type associations declared in the package manifest, to support offline access to OneDrive. For example, if a DOC reader app declared a .doc file type association, it can open .doc files in Documents, but not other types of files.

Apps that declare the documentsLibrary special capability can't access Documents on Home Group computers. The file picker provides a robust UI mechanism that enables users to open files for use with an app. Declare the documentsLibrary special capability only when you cannot use the file picker.

To use the documentsLibrary special capability, an app must:
  • Facilitate cross-platform offline access to specific OneDrive content using valid OneDrive URLs or Resource IDs
  • Save open files to the user’s OneDrive automatically while offline
Apps that use the documentsLibrary special capability for these two purposes may also optionally use the capability to open embedded content within another document. Only the above uses of the documentsLibrary special capability are accepted.
  • Your app can't access the Documents library in the phone's internal storage. If another app creates a Documents folder on the optional SD card, however, your app can see that folder.
The documentsLibrary capability must include the uap namespace when you declare it in your app's package manifest as shown below.
XML
<Capabilities><uap:Capability Name="documentsLibrary"/></Capabilities>


Anyone may request access to this capability for store submission.
Game DVR Settings The appCaptureSettings restricted capability allows apps to control the user settings for the Game DVR.

This capability is required to use some APIs in the Windows.Media.Capture namespace.

No one may request access to this capability for store submission.
Cellular The cellularDeviceControl restricted capability allows apps to have control over the cellular device.

The cellularDeviceIdentity capability allows apps to access cellular identification data.

The cellularMessaging capability allows apps to make use of SMS and RCS.

These capabilities are required to use some APIs in the Windows.Devices.Sms namespaces.

Starting in Windows 10, apps calling AppIDList).

Anyone may request access to these capabilities for store submission.
Device Unlock The deviceUnlock restricted capability allows apps to unlock a device for developer and enterprise sideloading scenarios.

No one may request access to this capability for store submission.
Dual SIM Tiles The dualSimTiles restricted capability allows apps to create an additional app list entry on devices that have multiple SIMs.

This capability is required to use some APIs in the Windows.UI.StartScreen namespace.

Anyone may request access to this capability for store submission.
Enterprise Shared Storage The enterpriseDeviceLockdown restricted capability allows apps to use the device lock down API and access the enterprise shared storage folders.

No one may request access to this capability for store submission.
System Input Injection The inputInjection restricted capability allows apps to inject various forms of input such as HID, touch, pen, keyboard or mouse into the system programmatically. This capability is typically used for collaboration apps that can take control of the system.

Note For a PC, input injection from an app that has this capability will only be received by processes in the same App Container.


Anyone may request access to this capability for store submission.
Observe Input* The inputObservation restricted capability allows apps to observe various forms of raw input such as HID, touch, pen, keyboard, or mouse being received by the system regardless of its final destination.

Anyone may request access to this capability for store submission.
Suppress Input The inputSuppression restricted capability allows apps to suppress various forms of raw input such as HID, touch, pen, keyboard, or mouse from being received by the system.

Anyone may request access to this capability for store submission.
VPN App The networkingVpnProvider restricted capability allows apps to have full access to VPN features, including the ability to manage connections and provide VPN Plugin functionality.

This capability is required to use some APIs in the Windows.Networking.Vpn namespace.

Anyone may request access to this capability for store submission.
Other App Management The packageManagement restricted capability allows apps to manage other apps directly.

The packageQuery device capability allows apps to gather information about other apps.

These capabilities are required to access some methods and properties in the PackageManager class.

Anyone may request access to this capability for store submission.
Screen Projection The screenDuplication restricted capability allows apps to project the screen on another device.

This capability is required to use APIs in the DirectX namespace.

No one may request access to this capability for store submission.
User Principal Name The userPrincipalName restricted capability allows apps to modify and access the thumbnail cache from photos.

This capability is required to call the GetUserNameEx function.

No one may request access to this capability for store submission.
Wallet The walletSystem restricted capability allows apps to have full access to the stored wallet cards.

This capability is required to use APIs in the Windows.ApplicationModel.Wallet.System namespace.

No one may request access to this capability for store submission.
Location History The locationHistory restricted capability allows apps to access the location history of the device.

This capability is required to use APIs in the Windows.Devices.Geolocation namespace.

Anyone may request access to this capability for store submission.
App Close Confirmation The confirmAppClose restricted capability allows apps to close themselves, their own windows, and delay the closing of their app.

Anyone may request access to this capability for store submission.
Call History* The phoneCallHistory restricted capability allows apps to read the call history and to delete entries in the history.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

No one may request access to this capability for store submission.
System Level Appointment Access The appointmentsSystem restricted capability allows apps to read and modify all appointments on the user's calendar.

This capability is required to use APIs in the Windows.ApplicationModel.Appointment namespace.

No one may request access to this capability for store submission.
System Level Chat Message Access* The chatSystem restricted capability allows apps to read and write all SMS and MMS messages.
This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

No one may request access to this capability for store submission.
System Level Contact Access The contactsSystem restricted capability allows apps to read contact information that has been designated as restricted or sensitive and modify existing contact information.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

No one may request access to this capability for store submission.
Email Access* The email restricted capability allows apps to read, triage, and send user emails.

This capability is required to use APIs in the Windows.ApplicationModel.Email namespace.

No one may request access to this capability for store submission.
System Level Email Access The emailSystem restricted capability allows apps to read, triage, and send user restricted or sensitive emails.

This capability is required to use APIs in the Windows.ApplicationModel.Email namespace.

No one may request access to this capability for store submission.
System Level Call History Access The phoneCallHistorySystem restricted capability allows apps to fully modify the call history by changing existing entries and writing new ones.

This capability is required to use APIs in the Windows.ApplicationModel.Calls namespace.

No one may request access to this capability for store submission.
Send Text Messages* The smsSend restricted capability allows apps to send SMS and MMS messages.

This capability is required to use APIs in the Windows.ApplicationModel.Chat namespace.

Anyone may request access to this capability for store submission.
System Level Access to All User Data The userDataSystem restricted capability allows apps to access the user data system datastore.

No one may request access to this capability for store submission.
Store Preview Features The previewStore restricted capability allows apps to retrieve and purchase SKUs of in-app products.

This capability is required to use certain APIs in the Windows.ApplicationModel.Store.Preview namespace.

Anyone may request access to this capability for store submission.
First-Time Sign-in Settings The firstSignInSettings restricted capability allows apps to access user settings that were set when the user first signed in to their device.

Anyone may request access to this capability for store submission.
Windows Team Experience The teamEditionExperience restricted capability allows apps to access internal APIs that control many experiential aspects of a Windows Team session. A Windows Team session is likely to be running on a team device such as a Microsoft Surface Hub.

No one may request access to this capability for store submission.
Remote Unlock The remotePassportAuthentication restricted capability allows apps to access credentials that can be used to unlock a remote PC.

No one may request access to this capability for store submission.
Preview Composition The previewUiComposition restricted capability allows apps to preview the Windows.UI.Composition namespace for their user interface so they can provide feedback on the API before it is completed. Please contact wincomposition@microsoft.com for more information.

Anyone may request access to this capability for store submission.
Secure Assessment Lockdown The secureAssessment restricted capability allows apps to lock down Windows into a single app mode for secure assessments.

No one may request access to this capability for store submission.
Connection Manager Provisioning The networkConnectionManagerProvisioning restricted capability allows apps to define the policies that connect the device with WWAN and WLAN interfaces. Apps that use this capability are created by Mobile Operators to govern the devices that connect to their mobile network.

Anyone may request access to this capability for store submission.
Data Plan Provisioning The networkDataPlanProvisioning restricted capability allows apps to gather information about data plans on the device and read network usage. Apps that use this capability are created by Mobile Operators to integrate their customers’ actual data usage into the OS Data usage setting.

Anyone may request access to this capability for store submission.
Software Licensing The slapiQueryLicenseValue restricted capability allows apps to query software licensing policies.

No one may request access to this capability for store submission.
Extended Execution The extendedBackgroundTaskTime restricted capability prevents background tasks from being cancelled or terminated due to execution time limits. They are still subject to all other memory and energy usage limits. This capability can be restricted using the Battery Usage or Privacy Background Apps Settings. Note that consumers and administrators still have the ability to control background tasks through the Group Policy settings. Only for use with enterprise signed sideloaded apps.

The extendedExecutionBackgroundAudio restricted capability allows apps to play audio when the app is not in the foreground.

The extendedExecutionCritical restricted capability allows apps to begin a critical extended execution session.

The extendedExecutionUnconstrained restricted capability allows apps to begin an unconstrained extended execution session.

No one may request access to these capabilities for store submission.

See Run while minimized with extended execution for more information about using extended execution to postpone when your app is suspended.
Mobile Device Management The deviceManagementDmAccount restricted capability allows apps to provision and configure Mobile Operator Open Mobile Alliance - Device Management (MO OMA-DM) accounts.

The deviceManagementFoundation restricted capability allows apps to have basic access to the Mobile Device Management (MDM) configuration service provider (CSP) infrastructure on the device. Note that other capabilities are needed to access specific CSPs.

The deviceManagementWapSecurityPolicies restricted capability allows apps to configure Wireless Application Protocol (WAP)-based services such as MMS, Service Indication/Service Loading (SI/SL), and Open Mobile Alliance - Client Provisioning (OMA-CP).

The deviceManagementEmailAccount restricted capability allows apps created by Mobile Operators to add and manage an email account on devices they provision to users.

Anyone may request access to these capabilities for store submission.
Package Policy Control The packagePolicySystem restricted capability allows apps to have control of system policies related to apps that are installed on the device.

No one may request access to this capability for store submission.
Games List The gameList restricted capability allows apps to get a list of known games installed on the system.

No one may request access to this capability for store submission.
Xbox Accessory The xboxAccessoryManagement restricted capability allows apps to directly manage Xbox devices that conform to the Xbox hardware specification.

No one may request access to this capability for store submission.
Speech Recognition for Accessories The cortanaSpeechAccessory restricted capability allows apps to invoke and pass commands to Cortana.

No one may request access to this capability for store submission.
Accessory Management The accessoryManager restricted capability allows apps to register as an accessory app and opt in to specific app notifications so that they may be forwarded to accessories and displayed to the user.

Anyone may request access to this capability for store submission.
Driver access The interopServices restricted capability allows apps to interact directly with drivers.

Only Microsoft partners may request access to this capability for store submission.
Foreground observation The inputForegroundObservation restricted capability allows apps in the foreground to intercept keyboard input and bypasses all non-app keyboard input processing. SAS combinations cannot be intercepted by this capability. This capability is required to access members of the KeyboardDeliveryInterceptor class.

Anyone may request access to this capability for store submission.
OEM and MO Partner apps The oemDeployment restricted capability allows apps that are created by Microsoft partners to install new apps and query currently installed apps on the device. Anyone may request access to this capability for store submission.

The oemPublicDirectory restricted capability allows apps that are created by Microsoft partners to have access to the shared app folder.

Only Microsoft partners may request access to this capability for store submission.
App Licensing The appLicensing restricted capability allows apps to run without the need of a license. You cannot submit your app to the store if you declare this capability in your manifest.

Any requests for access to this capability for store submission will always be denied.
Location System The locationSystem restricted capability allows apps to perform certain privileged location configurations like setting the default location for the device. You cannot submit your app to the store if you declare this capability in your manifest. Any requests for access to this capability for store submission will always be denied.

No one may request access to this capability for store submission.
User Data Accounts Provider The userDataAccountsProvider restricted capability allows apps to fully manage the mail, calendar, and contact accounts.

Anyone may request access to this capability for store submission.
Pen Workspace The previewPenWorkspace capability allows an app to access the Windows.ApplicationModel.Preview.Notes namespace to be hosted inside the pen workspace as the remember action handler.

Anyone may request access to this capability for store submission.
Secondary Authentication Factor The secondaryAuthenticationFactor capability allows an app to unlock a PC by passing the secrets store on a nearby companion authentication device. For example, a companion fitness band can be used to unlock the PC. This capability is required to access APIs in the Windows.Security.Authentication.Identity.Provider namespace.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.
Store License Management The storeLicenseManagement capability allows Microsoft partner hub-apps to manage store licenses on the device. This capability is required to access APIs in the Windows.ApplicationModel.Store.LicenseManagement namespace.

Anyone may request access to this capability for store submission.
User System ID The userSystemId capability allows apps to get a system identifier specific to the user. This identifier uniquely identifies the current user on a specific system and can be used to correlate information across apps. This capability is required to access the GetUserSpecificSystemId API in the Windows.System.Profile.SystemIdentification class.

Anyone may request access to this capability for store submission.
Targeted Content The targetedContent capability provides an application the ability to retrieve and use targeted subscription content provided by the Windows.Services.TargetedContent namespace.

This capability is required to use some APIs in the Windows.System.Profile.SystemIdentification namespace.

Anyone may request access to this capability for store submission.
UI Automation The uiAutomation capability allows a UI automation client, such as Narrator, to connect to a UI Automation server or provider.

This capability is required to use some APIs in the Windows.Xbox.Media.Capture.Broadcaster namespace.

Anyone may request access to this capability for store submission.
Game Bar Services The gameBarServices capability is restricted to 1st party store updatable inbox UWAs.

This capability is required to use the Windows.Media.Capture.GameBarServices class.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.
App Capture Services The appCaptureServices capability is limited to parties with which Microsoft has contractual relationships. These relationships are granted based on partner agreements, which are being driven with the help of Xbox Services and bizdev.

This capability is required to use the Windows.Media.Capture.AppCaptureServices class.

Anyone may request access to this capability for store submission.
App Broadcast Services The appBroadcastServices capability is limited to parties with which Microsoft has contractual relationships. These relationships are granted based on partner agreements, which are being driven with the help of Xbox Services.


This capability is required to use the Windows.Media.Capture.AppBroadcastServices class.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.
Audio Device Configuration The audioDeviceConfiguration capability allows an application to query, configure, enable, and disable audio effects exposed by the audio driver.

This capability is required to use the Windows.Media.Devices.AudioDeviceModulesManager class.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission. This is because AudioDeviceModulesManager allows an application to access all audio effects on a given system. Potentially, the audio effects can be set to negatively impact audio performance on the device. Therefore, apps that use AudioDeviceModulesManager are blocked from Store onboarding unless they 1) declare this capability, and 2) are authored from an approved DevCenter account.
Preview Ink Workspace The previewInkWorkspace capability allows an app to access the Preview Ink namespace hosted inside the ink workspace. Generally speaking, this is used by an OEM to replace the whiteboard application on a device.

This capability is required to use the APIs in the Windows.ApplicationModel.Preview.InkWorkspace namespace.

Anyone may request access to this capability for store submission.
Start Screen Management The startScreenManagement capability allows apps to silently pin Tiles to the Start screen. Apps can also pin from the background. Not having the startScreenManagement capability does not block any APIs; rather, using startScreenManagement means that the Shell will not display any UI when an app uses the Pin API.

Anyone may request access to this capability for store submission.
Cortana Permissions The cortanaPermissions capability allows an app to enumerate the permissions that the user has granted Cortana on the device. The capability also allows an app to grant and revoke Cortana permissions on the device. Note that using cortanaPermissions requires that the device display legal text before granting permissions. As such, it is the responsibility of the app to inform the user of the legal consequences of modifying permissions.


This capability is required to gain read access to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search(*) registry settings.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.
All App Mods The allAppMods capability allows an app to access the AppMods folder for all apps. Mod Management utilities use allAppMods to manage mods outside of the game or app that consume them.

Anyone may request access to this capability for store submission.
Expanded Resources The expandedResources capability allows an app access to the Game Mode resources. On Xbox, and on PCs that meet a sufficient bar, Game Mode resources represent a subset of the available CPU cores that are reserved for the app’s exclusive use. On Xbox, the app also has exclusive use of a memory partition of at least 4GB.

This capability is required to gain exclusive use of CPU and memory resources as defined above.

Anyone may request access to this capability for store submission.
Protected App The protectedApp capability grants an app the ability to be loaded into a protected process by the store. When the app is ingested into the store, the store adds a blob to the executable. The store also page signs the executable with a Microsoft key. The process loader checks for this blob rather than the capability to enforce protected process, as the blob needs a Microsoft signature.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.
Game Monitor The gameMonitor capability causes the system to use active monitoring to detect game cheats by the app. Windows enables the monitoring immediately, and it persists across reboots. The hub of the monitoring is an NT service, which listens for Windows Defender events. The events are processed into signals and published to a cloud service, where they are consumed by partners.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.
App Diagnostics The appDiagnostics capability allows an app to get diagnostic information (such as package information, memory usage, and account name) for any other running UWP app. The information returned includes the domain/machine account name under which the app is running; if the calling app is launched with Administrator rights, then the app can retrieve a list of all running apps for all accounts on the machine.

This capability is required to use the Windows.System.AppDiagnosticInfo, Windows.System.AppDiagnosticInfo.RequestAppDiagnosticInfoAsync, and Windows.ApplicationModel.AppInfo classes.

Anyone may request access to this capability for store submission.
Device Portal Providers The devicePortalProvider restricted capability allows apps to call the Windows.System.Diagnostics.DevicePortal APIs, and serve as a webserver for diagnostic tooling while in Developer Mode.

Only Microsoft partners and those who work with a device vendor may request access to this capability for store submission.

Note
This article is for Windows 10 developers writing UWP apps. If you’re developing for Windows 8.x or Windows Phone 8.x, see the archived documentation.