18.10.18.5 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'

Information

This policy setting controls whether Windows Package Manager validates that the Microsoft Store certificate hash matches a known Microsoft Store certificate when it initiates a connection to the Microsoft Store source.

The recommended state for this setting is: Disabled.

It is important to validate that the Microsoft Store source is not spoofed.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Enable App Installer Microsoft Store Source Certificate Validation Bypass

Note: This Group Policy path is provided by the Group Policy template DesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 Release 24H2 Administrative Templates (or newer).

Impact:

Source certificate validation by Windows Package Manager cannot be bypassed when a connection is initiated to the Microsoft Store.

See Also

https://workbench.cisecurity.org/benchmarks/21994

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|9.2

Plugin: Windows

Control ID: 2598eafec88136c6c31f696f9c89e5ca04b8afe32d628767c4ef74291b678ec7