How to Unblock Modern Application Network Isolation in Win8


In Windows 8, we introduced the new WinRT platform to give users Modern Apps with dynamic tiles and an immersive user experience. If you are a corporate user in an environment with a company proxy server, or you are a developer, you have probably found that all Modern Apps lose network access as soon as a LAN proxy is specified manually in the connection settings. This is due to the network isolation design of the new WinRT runtime.

To implement the new security policies and make applications on the WinRT platform more secure, a Modern App must declare a capability before it can use it. For example, to use a network connection you must declare not only that you need a network connection but also which type of connection is needed. Because of network isolation, Modern Apps cannot by default use IP loopback addresses for interprocess communication. When we set up a LAN proxy server in the connection settings of Internet Options, Modern Apps cannot access the Internet; only desktop applications can access the Internet through the proxy server. (WinRT can detect the default proxy server on the local network so that Modern Apps can access the Internet, but once a LAN proxy is specified manually, it can no longer be detected automatically.)

Sometimes, when the company's default network proxy server is not working, the IT administrator may ask users to manually specify another LAN proxy server. At that point, Modern Apps cannot access the Internet, which is really frustrating. In fact, we have two ways to lift the network isolation restrictions so that Modern Apps can access the Internet during such special periods:

Method 1: Use Group Policy to specify an Internet proxy for a network isolated environment

Open the Local Group Policy Editor and expand "Computer Configuration" - "Administrative Templates" - "Network" - "Network Isolation"; we can see the following settings:

We can edit "Internet proxy servers for apps" to specify an Internet proxy. Note that the proxy specified here should be the same as the LAN proxy specified in the desktop Internet Options connection settings so that Modern Apps can access the Internet. That said, this is only the foundation: if you specify only this setting, the proxy you add and the proxies detected by the system are merged into a union, and automatic detection takes precedence. After a LAN proxy is specified on the desktop, the automatically detected proxy is inconsistent with the manually specified one, and the result is still no connectivity. So in order for Modern Apps to access the Internet, we also need to enable "Proxy definitions are authoritative" so that Modern Apps use only the proxies specified here.

Method 2: Add a network isolation exemption for a specific app using Windows 8's built-in diagnostic command-line tool

Windows 8 has a built-in command-line tool, CheckNetIsolation.exe, for Modern App developers to diagnose network problems. We can use it to add Modern Apps to the network isolation exemption list:

Here we use the LoopbackExempt parameter to achieve what we need. This parameter in turn takes specific sub-options that must be specified.

The program's help is very clear, so I won't go into details here. I do want to remind everyone that because the SID of the AppContainer or package is hard to find (it requires the registry), I personally recommend using -n=[Name] to manage the network isolation exemption by AppContainer or package name. Getting the name is very simple: open the %LocalAppData%\Packages folder, and the names of the folders there are the names of the various Modern Apps, ready to copy and paste.

As you can see from the figure, it is not difficult to identify which Modern App on the Start screen a folder corresponds to, because the first part of the folder name is the name of the program. For example, the last one, "WinStore_cw5n1h2txyewy", is undoubtedly the internal name of the Store app.

Here, let's assume the default proxy server is currently broken and I have set up a LAN proxy in the desktop environment. Now I need to use the Store to update several of my applications, so I have to add a network isolation exemption: execute "CheckNetIsolation.exe LoopbackExempt -a -n=WinStore_cw5n1h2txyewy" to add the Store to the exempt list.

To verify the list of exemptions, we use the "CheckNetIsolation.exe LoopbackExempt -a -s" command:

To remove an exemption, change the -a parameter in the command above to -d. To quickly clear the whole list, execute "CheckNetIsolation.exe LoopbackExempt -c".

Comparing the two methods above, I personally recommend the second one, for two reasons:

First, in the Group Policy method, the port of the proxy server cannot be specified for the isolated network, so applications that use ports other than 80 may still not work properly. For example, when the Store is set up this way, it can only browse apps; updating and downloading software does not work.

Second, using CheckNetIsolation lets you easily control and review the exemption situation, there is no port limitation, and the program works completely normally. Moreover, for IT professionals, this can be integrated into scripts, and the code can be reused for automated control.
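As an added example of the scripted control mentioned above (not code from the original post), the PowerShell below wraps the CheckNetIsolation.exe workflow: it resolves package names from %LocalAppData%\Packages, adds or removes an exemption by name, and parses the "-s" listing so the exemption list can be audited and stale exemptions cleaned up. The function names are my own, and the "Name:"/"SID:" line layout of the "-s" output is assumed from typical CheckNetIsolation output.

```powershell
# Added example, not from the original post. Requires CheckNetIsolation.exe
# (Windows 8 or later) on PATH; adding or removing exemptions needs an
# elevated prompt. Function names are hypothetical.

# Resolve package family names by listing the folder names under
# %LocalAppData%\Packages, as the post recommends, filtered by substring.
function Get-PackageFamilyName {
    param([Parameter(Mandatory)][string]$Filter)
    Get-ChildItem -Directory (Join-Path $env:LOCALAPPDATA 'Packages') |
        Where-Object { $_.Name -like "*$Filter*" } |
        Select-Object -ExpandProperty Name
}

# Add (-a) or remove (-d) a network isolation exemption by package name (-n=).
function Set-NetIsolationExemption {
    param(
        [Parameter(Mandatory)][string]$PackageFamilyName,
        [switch]$Remove
    )
    $op = if ($Remove) { '-d' } else { '-a' }
    & CheckNetIsolation.exe LoopbackExempt $op "-n=$PackageFamilyName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "CheckNetIsolation failed with exit code $LASTEXITCODE"
    }
}

# Audit: turn the 'LoopbackExempt -s' text into Name/SID objects. The
# "Name:" and "SID:" line format is an assumption about the tool's output.
function Get-NetIsolationExemption {
    $current = $null
    foreach ($line in (& CheckNetIsolation.exe LoopbackExempt -s)) {
        if ($line -match '^\s*Name:\s*(.+?)\s*$') {
            $current = [pscustomobject]@{ Name = $Matches[1]; SID = $null }
        } elseif ($current -and $line -match '^\s*SID:\s*(S-1-15-2-[\d-]+)') {
            $current.SID = $Matches[1]
            $current            # emit the completed record
            $current = $null
        }
    }
}

# Usage: exempt the Store (name taken from the post) while the temporary
# LAN proxy is in use, review the list, and remove the exemption afterwards.
Set-NetIsolationExemption -PackageFamilyName 'WinStore_cw5n1h2txyewy'
Get-NetIsolationExemption | Format-Table Name, SID
Set-NetIsolationExemption -PackageFamilyName 'WinStore_cw5n1h2txyewy' -Remove
```

Because each exemption widens the app's network reach, keeping the add and remove steps in one script makes it easy to revert once the default proxy is back.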

Also, for the second method, I recommend using the form -n=[AppName] rather than -p=[AppSID] to add or delete exemptions, not only because of the convenience mentioned above, but also because a special Modern App like the Store has no corresponding SID shown under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings in the registry. After adding the Store exemption by name and reviewing the exemption list, we found that the Store's SID is S-1-15-2-2608634532-1453884237-1118350049-1925931850-670756941-1603938316-3764965493.
