8.6 KiB
title, description, ms.author, ms.localizationpriority, ms.topic, ms.prod, ms.technology, author, ms.date, ms.reviewer, manager
| title | description | ms.author | ms.localizationpriority | ms.topic | ms.prod | ms.technology | author | ms.date | ms.reviewer | manager |
|---|---|---|---|---|---|---|---|---|---|---|
| Policy CSP - ADMX_AppXRuntime | Policy CSP - ADMX_AppXRuntime | dansimp | medium | article | m365-security | windows-sec | manikadhiman | 11/10/2020 | dansimp |
Policy CSP - ADMX_AppXRuntime
Tip
This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see Understanding ADMX-backed policies.
You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to Enabling a policy.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
ADMX_AppXRuntime policies
- ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules
- ADMX_AppXRuntime/AppxRuntimeBlockFileElevation
- ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT
- ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation
ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | No | No |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
ADMX Info:
- GP Friendly name: Turn on dynamic Content URI Rules for Windows store apps
- GP name: AppxRuntimeApplicationContentUriRules
- GP path: Windows Components\App runtime
- GP ADMX file name: AppXRuntime.admx
ADMX_AppXRuntime/AppxRuntimeBlockFileElevation
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | No | No |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
- User
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
ADMX Info:
- GP Friendly name: Block launching desktop apps associated with a file.
- GP name: AppxRuntimeBlockFileElevation
- GP path: Windows Components\App runtime
- GP ADMX file name: AppXRuntime.admx
ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | No | No |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.
If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected.
If you disable or do not configure this policy setting, all Universal Windows apps can be launched.
Warning
This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues.
ADMX Info:
- GP Friendly name: Block launching Universal Windows apps with Windows Runtime API access from hosted content.
- GP name: AppxRuntimeBlockHostedAppAccessWinRT
- GP path: Windows Components\App runtime
- GP ADMX file name: AppXRuntime.admx
ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | No | No |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
- User
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
Note
Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
ADMX Info:
- GP Friendly name: Block launching desktop apps associated with a URI scheme
- GP name: AppxRuntimeBlockProtocolElevation
- GP path: Windows Components\App runtime
- GP ADMX file name: AppXRuntime.admx