Vulnerability/Bug? Edge allows installation of certain apps even when store is blocked

  • Question

  • It seems that normal users, even with access to the store blocked via AppLocker or group policy, can install apps via Edge. Opening Edge and scrolling around under "My feed" will eventually get you to this:



    You also get the same thing under "Top sites" on a new tab in Edge:


    (Daily Mail.. really..)



    Anyhow, notice how you're able to "Install app".. clicking this then just, well, installs it on the machine without any route through the store, it seems, and I have no idea how to turn it off. You can click the link to see more apps to download and it takes you to the MS Store page - here, you can see loads more apps, but you can't install them, since it tries to open them in the Store app (which I have blocked).

    However, it seems as though the GPO to block the Store simply stops you opening the store app, but doesn't disable functionality to install apps on that machine. And, even if you enable the GPO to disable all Store apps, it doesn't stop you installing them as above (which means you can install the app, but you can't open it). We don't really want people randomly being able to install apps, but we need apps to work because the Calculator app is now the way to use a calculator in Windows now.

    Over on another forum, it was suggested to actually block write access to the Windows Apps folder which worked - but that seems excessive. In fact, it implies that - despite the store being blocked - the browser has actually bypassed my wish to block the store entirely and written data outside of the user's area. This makes me wonder; is this a potential security issue? I need to be able to justify not scrapping Edge entirely at this point if we can't stop this behaviour.

    Hope someone can shed light on this and share their strategies!



    Friday, May 5, 2017 1:58 PM

All replies

  • Hi TrevelyanUK,

    The main issue is to disable the ability to install the metro apps, right?

    I have tested the issue on my side. It shares the same symptom as yours. I tried to analyze the installing process. I found installing metro apps will use a service "appxsvc". We could try to disable that service as a workaround to block installing metro apps.

    As for the option of installing metro apps from Microsoft Edge, I think it is by design and its main purpose is to make it easy to install metro apps. Anyway, I will submit feedback on my side with the internal tool. You could submit the issue with the "Feedback" hub.

    Best regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Monday, May 8, 2017 4:55 AM
    Moderator
  • Hi there and thanks for your reply!

    Yes, exactly. We're trying to stop people being able to install apps in Windows 10 and disabling the Windows Store would be the logical way to do this. But as you say, it appears that Edge has functionality that manages to invoke the "appxsvc" service even with the store disabled via GPO. 

    I tried to disable the service but haven't had much luck so far; it seems that even running as Administrator I can't do that locally and even via GPO it doesn't want to be set to disabled (but other services apparently can be set to disabled).

    I don't disagree it might have been by design to allow Edge to install apps easily but it appears to only be on https://www.msn.com/spartan/dhp and https://www.msn.com/spartan/ntp that this functionality is seen - and even then, only in Edge. I was wondering if there's a library that Edge uses that allows this to happen because it just feels like an exploit waiting to happen (no user interaction or system confirmation is needed to install the app!)

    I want to be able to say we can nicely and easily stop this happening but if I can't find a fix for this before we roll Windows 10 out everywhere in the summer, this is likely going to result in me having to cut out Edge entirely. 

    Thanks again!


    Monday, May 8, 2017 10:18 AM
  • Hi TrevelyanUK,

    "I tried to disable the service but haven't had much luck so far"
    Try to configure the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AppXSvc

    Change the "Start" value to "4" to disable that service.

    Best regards


    • Marked as answer by TrevelyanUK Thursday, May 11, 2017 8:54 AM
    Thursday, May 11, 2017 2:07 AM
    Moderator
  • Thanks for that, seems to have done the trick! The behaviour now is that it says that it can't install the app and that it'll try again later. Which it can't, but let's see!
    Thursday, May 11, 2017 8:54 AM
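
The registry change from the marked answer, written as an audit-and-enforce check. This is an added example, not part of the original thread or any Microsoft tooling; the function name `Get-AppxSvcStartState` and its parameters are hypothetical, and it assumes the service key is the `appxsvc` service named in the replies.

```powershell
# Added example (not from the thread). Function and parameter names are hypothetical.
function Get-AppxSvcStartState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ServiceName = 'AppXSvc',   # service named in the thread
        [switch]$Enforce                    # write Start = 4 when it differs
    )
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $names = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    if (-not (Test-Path -LiteralPath $key)) {
        throw "Service key not found: $key"
    }
    $before = [int](Get-ItemProperty -LiteralPath $key -Name Start).Start
    $writeError = $null

    if ($Enforce -and $before -ne 4 -and
        $PSCmdlet.ShouldProcess($key, 'Set Start to 4 (Disabled)')) {
        try {
            Set-ItemProperty -LiteralPath $key -Name Start -Value 4 -Type DWord -ErrorAction Stop
        } catch {
            # The thread reports that disabling this service failed even as
            # Administrator; record the failure instead of hiding it.
            $writeError = $_.Exception.Message
        }
    }

    $after = [int](Get-ItemProperty -LiteralPath $key -Name Start).Start
    $svc   = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Service      = $ServiceName
        StartBefore  = $names[$before]
        StartNow     = $names[$after]
        Compliant    = ($after -eq 4)
        # An instance that was already running keeps running until it is
        # stopped or the machine restarts.
        StillRunning = ($null -ne $svc -and $svc.Status -eq 'Running')
        WriteError   = $writeError
    }
}

# Audit only:
Get-AppxSvcStartState
# Preview the change without writing anything:
Get-AppxSvcStartState -Enforce -WhatIf
```

Run it from an elevated prompt when using `-Enforce` without `-WhatIf`; a non-empty `WriteError` means the key's permissions rejected the write.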