
I'm trying to move our deployment method for enterprise desktop apps (WPF, UWP, WinForms) to MSIX deployment. We would like to avoid having to go through the Windows Store, since this is for internal, LOB-kind of apps.

We are worried about the security implications of opening up for side-loading in general. We do sign all our apps with a code-signing certificate (as required) - but if we enable side-loading, is there any way we can limit side-loading to only allow apps that are signed with a specific certificate?

(I'm aware that as of Windows Insider Build 18956, side-loading is enabled by default. That also worries our IT/ops guys, for the same reason as above.)

Thomas
  • Did you get an answer to this? – jdruid May 01 '20 at 00:34
  • If you don't trust a certificate, don't put it in the trusted root certificate store. If you allow users to install arbitrary certificates to the trusted root certificate store, then you have bigger problems. – Raymond Chen May 01 '20 at 02:45
  • @jdruid: no, but our Ops guys provided sort of a solution: We use an “installer link” for each app that links to the .appinstaller. They (Ops) can push out these links to everyone or a group of users. Once installed, the user now has both the installer link and the app itself in the Start menu. But launching the installer link just gives the built-in dialog where the app can be launched. So no problem there. And we avoid going through the Store. – Thomas May 02 '20 at 08:23
  • @Raymond: yes, I know. – Thomas May 02 '20 at 08:23
  • @Thomas - makes sense. However, you have to enable sideloading, correct? – jdruid May 26 '20 at 17:08

0 Answers