Security with Windows Applications and AppContainers

One of the common misconceptions of Windows applications are that they are inherently insecure and that it’s not possible to build and deploy applications that are secure by default. If you look at other platforms, such as iOS and Android, applications have restricted permissions and have to opt in (often requiring explicit user consent) to access system resources such as the camera, microphone, location etc. Windows applications built using WinForms or WPF, by default, are run with the security context of the current user. Applications that are run in AppContainers are isolated, limiting access to resources, unless they’re explicitly requested. UWP applications automatically run in AppContainers but what about applications created with the Windows App SDK? In this post we’ll look at how you can configure both Windows App SDK (Windows UI) applications and legacy (WinForms and WPF) applications to run in an AppContainer.

Windows App SDK Applications

Applications created using the Windows App SDK can be deployed as either packaged or unpackaged applications. Unpackaged applications are not to dissimilar to WinForms and WPF applications in that they run in the context of the user. Whilst it is possible to coerce an unpackaged application to run in an AppContainer, it’s much easier to simply change the deployment mode of the application to be packaged. This can be done from the run dropdown in the Standard toolbar.

If you don’t have both Packaged and Unpackaged options in the dropdown, you may need to adjust the launchsettings.json file for your Windows App SDK application. For example the following is the launchsettings.json file for the App1 application that has both packages (commandName = MsixPackage) and unpackaged (commandName = Project) options.

  "profiles": {
    "App1 (Package)": {
      "commandName": "MsixPackage"
    "App1 (Unpackaged)": {
      "commandName": "Project"

Unlike UWP, just because your Windows App SDK application is set to packaged, doesn’t mean that the application will be run in the AppContainer. By default Windows App SDK applications, created using the “Blank App, Packaged (WinUI 3 in Desktop)” template from Visual Studio will be set to run with the “runFullTrust” capability, not within an AppContainer. Ironically this doesn’t mean they run with full trust, it means that the application will run with MediumIL, which is less than High or System but is has more access than applications running with LowIL or running in an AppContainer.

Following the Microsoft documentation you can configure your Windows App SDK application run in an AppContainer:

  • Remove the <rescap:Capability Name="runFullTrust" /> capability from the packageappx.manifest file.
  • Adjust the Application element in the packageappx.manifest to use AppContainer
    • Option 1: Set EntryPoint="windows.partialTrustApplication"
    • Option 2: Leave EntryPoint="$targetentrypoint$" and add uap10:TrustLevel="appContainer" uap10:RuntimeBehavior="packagedClassicApp". This requires adding the XML namespace xmlns:uap10=""

WinForms and WPF Applications

For WinForms and WPF applications, setting them to run in an AppContainer can be done by using the Windows Application Packaging Project as set out in these instructions. Once the application is packaged, setting the application to run in an AppContainer can be done in the same way as for a packaged Windows App SDK application, as described above. However, Visual Studio allows this to be easily configured by setting the Trust Level property on the packaging project to Partial Trust (as per these instructions).


Once an application is configured to run within an AppContainer access to resources can be controlled by specifying capabilities in the packageappx.manfiest. Check out the Microsoft documentation for more information on capabilities.

1 thought on “Security with Windows Applications and AppContainers”

Leave a comment