Elevation Support for Fully-Trusted UWP Apps

Universal Windows Platform (UWP) apps, also known as Windows Store apps, Modern apps, Immersive apps or UAP Universal Application Platform (UAP) apps, all refer to the same thing. UWP apps are obtained from the Windows Store, although some are pre-installed on Windows 10/11. These apps exist in a couple of different varieties, with two of them being the most frequently encountered.

The first type is the basic Windows Store application, which cannot be elevated. They are limited to using just the WinRT [Windows RunTime] API library and lack access to the Win32 API library. The Calculator app on Windows 10 and newer is a good example of a basic Windows Store app.

The easiest way to identify an app of this type is to find the pinned item for it on the modern Start menu or task bar, right-click and select Calculator. Note that Open is present but Run as administrator is not present. The lack of an option to run the app as an administrator indicates that the app cannot be run elevated.

Basic UWP Application

  The second type is the fully-trusted UWP app. These apps are also known as Centennial Desktop Bridge apps. Although they utilize the WinRT API library in order to use the modern UI styling, they also have full access to the Win32 API and are capable of being run elevated. As with basic apps, a fully-trusted UWP app can be identified by its pinned item on the modern Start menu or task bar Right-click, select the app and observe that both Open and Run as administrator are present. The presence Run as administrator indicates that the app can be run elevated and the PrivMan Agent for Windows 11.4.0 and newer, and you can apply an elevation policy to instances of the fully-trusted UWP app.

Basic UWP Application

Well-known fully-trusted UWP apps include WindowsTerminal on Windows 10 and newer, and Notepad on Windows 11, now a fully-trusted UWP app rather than a Win32 Desktop application.

There are additional types of UWP apps that fall somewhere in between basic and fully-trusted. Only Microsoft can publish a UWP app that is manifested and flagged as being fully-trusted. Fully-trusted UWP apps are also known as Inbox apps, rather than Windows Store apps. Certain third-party apps may also have programs that are intended to run elevated, but they are identified differently from how an Inbox fully-trusted UWP app published by Microsoft would be identified.

The “somewhere in between” category of UWP apps has primarily to do with an app package being installed that consists of multiple application programs, where the primary app in the package is a Basic Store app that cannot run elevated. However, there are also one or more application programs present in the package which can be run elevated. In this case, with these being third-party apps made available via the Windows Store, the package has the runFullTrust capability listed in the overall package manifest and then the per-application manifest for specific programs in the package will also contain the runFullTrust capability. Currently, the 11.4.0 version of the PrivMan Agent for Windows does not support elevating runFullTrust third-party UWP apps. Support for doing so will be added in a future release.

Please note that UWP apps must be installed on a per-user basis. Even though the Windows Trusted Installer will allow a non-privileged user to install a UWP application package, and the program files and related collateral will be located in a folder nested under C:\Program Files\WindowsApps, there are still some per-user installation tasks that get performed to make the app available in the user’s profile on that particular computer. Our agent does not check for, nor does it perform this per-user registration of UWP apps. However, if it detects that a fully-trusted UWP app has been launched, the agent will attempt to apply policies to it.