18.9.6.2 Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'

Information

This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched.

The recommended state for this setting is: Enabled.

Rationale:

Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications.

Impact:

Universal Windows apps which declare Windows Runtime API access in the ApplicationContentUriRules section of the manifest cannot be launched (Universal Windows apps which have not declared Windows Runtime API access in the manifest will not be affected).

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Block launching Universal Windows apps with Windows Runtime API access from hosted content.

Note: A reboot may be required after the setting is applied.

Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).

Note #3: In older Microsoft Windows Administrative Templates, this setting was initially named Block launching Windows Store apps with Windows Runtime API access from hosted content., but it was renamed starting with the Windows 10 Release 1803 Administrative Templates.

Default Value:

Disabled. (All Universal Windows apps can be launched.)

See Also

https://workbench.cisecurity.org/files/3714