Enterprise admins can now re-enable the MSIX ms-appinstaller protocol handler that Microsoft earlier disabled after Emotet malware was used by threat actors to exploit the feature to deliver malicious Windows App Installer packages. This post describes how this protocol can be safely enabled again.
What is the ms-appinstaller protocol handler?
The ms-appinstaller protocol handler (AppX Installer) was introduced to enable users to seamlessly install an application by simply clicking a link on a website. Basically, this protocol handler provides a way for users to install Windows applications directly from a web server using an MSIX package or App Installer file without first downloading the installers to their computer.
The ms-appinstaller protocol has been disabled
Microsoft disabled the ms-appinstaller protocol following earlier reports of ongoing Emotet attacks exploiting a zero-day Windows AppX Installer spoofing vulnerability, forcing users to download the app packages to their device before installing them using App Installer.
However, coming on the heels of a recent announcement, it appears Microsoft has finally managed to resolve the issue, and IT admins can now safely re-enable the protocol. Microsoft had the following to say;
We recognize that this feature is critical for many enterprise organizations. We are taking the time to conduct thorough testing to ensure that re-enabling the protocol can be done in a secure manner. We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.
How to enable ms-appinstaller protocol in Windows?
To enable the ms-appinstaller protocol for MSIX, you will need to download and install both the latest App Installer (as of this writing, version 1.17.10751.0) app and the Desktop App Installer Policy on your Windows machine, then enable the feature via Local Group Policy Editor. To perform this task, do the following:
If you’re running ms-appinstaller protocol on your website, you can update the link to your application by removing ‘ms-appinstaller:?source=’ so that the MSIX package or App Installer file can be downloaded to user’s machine.
- Download the latest App Installer (offline version).
- After the download, unzip the archive package.
- Now, run the MSIXBUNDLE File to update to the latest version of App Installer.
- Next, download the latest Desktop App Installer Policy (ADMX Templates).
- After the download, extract the content of the archive package and then deploy the Administrative Templates.
- Next, open Local Group Policy Editor.
- Inside the Local Group Policy Editor, use the left pane to navigate to the path below:
Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer
- At the location, on the right pane, double-click on Enable App Installer ms-appinstaller protocol policy to edit its properties.
- In the policy window, set the radio button to Enabled.
- Click Apply > OK to save the changes.
- Exit Local Group Policy Editor.
- Restart PC.
How do I install Appinstaller on Windows 10?
To install Appinstaller on Windows 11/10, do the following:
- Download the app package file to a local folder.
- Install it using the Add-AppxPackage PowerShell command.
- Next, download the appinstaller file to a local folder on your drive.
- Install it using the Add-AppxPackage -Appinstaller PowerShell command.
What is MSIX app?
MSIX is a Windows app package format that provides a modern packaging experience to all Windows apps. The MSIX package format preserves the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and Windows Forms apps.
Will MSIX replace MSI?
MSIX is Microsoft’s planned replacement for the MSI and AppX format. Starting with Windows 10 1809, MSIX will replace AppX as a Package-Format completely. MSIX is still undoubtedly the future of application packaging. Despite the tremendous benefits for large organizations, enterprise adoption will be slow until compatibility tools, ISV support and adequate packaging tooling gain critical mass.